Overview

Score per task (out of 10). File names appear truncated here exactly as on the original page; the full names are in the task list further down.

Task / target              Platform             Score
overview                   -                    10
static                     -                    3
337f603c8b...18.exe        windows7-x64         10
337f603c8b...18.exe        windows10-2004-x64   10
$PLUGINSDI...nu.dll        windows7-x64         3
$PLUGINSDI...nu.dll        windows10-2004-x64   3
$TEMP/setup.exe            windows7-x64         10
$TEMP/setup.exe            windows10-2004-x64   10
$TEMP/sys.exe              windows7-x64         7
$TEMP/sys.exe              windows10-2004-x64   7
$PLUGINSDIR/Math.dll       windows7-x64         3
$PLUGINSDIR/Math.dll       windows10-2004-x64   3
$PLUGINSDI...es.dll        windows7-x64         3
$PLUGINSDI...es.dll        windows10-2004-x64   3
$PLUGINSDI...em.dll        windows7-x64         3
$PLUGINSDI...em.dll        windows10-2004-x64   3
$PLUGINSDIR/UAC.dll        windows7-x64         3
$PLUGINSDIR/UAC.dll        windows10-2004-x64   3
$R1.dll                    windows7-x64         6
$R1.dll                    windows10-2004-x64   6
$TEMP/tcpsrvc.exe          windows7-x64         7
$TEMP/tcpsrvc.exe          windows10-2004-x64   7
$PLUGINSDI...em.dll        windows7-x64         3
$PLUGINSDI...em.dll        windows10-2004-x64   3
$SYSDIR/$S...1_.exe        windows7-x64         7
$SYSDIR/$S...1_.exe        windows10-2004-x64   7
$PLUGINSDI...ns.dll        windows7-x64         3
$PLUGINSDI...ns.dll        windows10-2004-x64   3
$PLUGINSDI...em.dll        windows7-x64         3
$PLUGINSDI...em.dll        windows10-2004-x64   3
$SYSDIR/$_5_.dll           windows7-x64         6
$SYSDIR/$_5_.dll           windows10-2004-x64   6

Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-10-2024 05:43

This page is the report for a single task of the submission: $TEMP/setup.exe run on win7-20240903-en (behavioral5 in the task list below). The YARA hits under Signatures refer to files written during that same task.
Tasks

Static task: static1

Behavioral tasks, one Windows 7 and one Windows 10 run per file. The $PLUGINSDIR, $TEMP and $SYSDIR prefixes are NSIS installer variables and the $PLUGINSDIR DLLs (StartMenu, Math, Processes, System, UAC, InstallOptions) are standard NSIS plugins, which indicates the submitted file is an NSIS installer whose contents the sandbox unpacked and queued as separate tasks.

Task          Sample                                                Resource
behavioral1   337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe    win7-20241010-en
behavioral2   337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe    win10v2004-20241007-en
behavioral3   $PLUGINSDIR/StartMenu.dll                             win7-20240903-en
behavioral4   $PLUGINSDIR/StartMenu.dll                             win10v2004-20241007-en
behavioral5   $TEMP/setup.exe                                       win7-20240903-en
behavioral6   $TEMP/setup.exe                                       win10v2004-20241007-en
behavioral7   $TEMP/sys.exe                                         win7-20240903-en
behavioral8   $TEMP/sys.exe                                         win10v2004-20241007-en
behavioral9   $PLUGINSDIR/Math.dll                                  win7-20240729-en
behavioral10  $PLUGINSDIR/Math.dll                                  win10v2004-20241007-en
behavioral11  $PLUGINSDIR/Processes.dll                             win7-20240903-en
behavioral12  $PLUGINSDIR/Processes.dll                             win10v2004-20241007-en
behavioral13  $PLUGINSDIR/System.dll                                win7-20241010-en
behavioral14  $PLUGINSDIR/System.dll                                win10v2004-20241007-en
behavioral15  $PLUGINSDIR/UAC.dll                                   win7-20240903-en
behavioral16  $PLUGINSDIR/UAC.dll                                   win10v2004-20241007-en
behavioral17  $R1.dll                                               win7-20240903-en
behavioral18  $R1.dll                                               win10v2004-20241007-en
behavioral19  $TEMP/tcpsrvc.exe                                     win7-20240708-en
behavioral20  $TEMP/tcpsrvc.exe                                     win10v2004-20241007-en
behavioral21  $PLUGINSDIR/System.dll                                win7-20240903-en
behavioral22  $PLUGINSDIR/System.dll                                win10v2004-20241007-en
behavioral23  $SYSDIR/$SYSDIR/$_1_.exe                              win7-20240903-en
behavioral24  $SYSDIR/$SYSDIR/$_1_.exe                              win10v2004-20241007-en
behavioral25  $PLUGINSDIR/InstallOptions.dll                        win7-20240903-en
behavioral26  $PLUGINSDIR/InstallOptions.dll                        win10v2004-20241007-en
behavioral27  $PLUGINSDIR/System.dll                                win7-20241010-en
behavioral28  $PLUGINSDIR/System.dll                                win10v2004-20241007-en
behavioral29  $SYSDIR/$_5_.dll                                      win7-20240903-en
behavioral30  $SYSDIR/$_5_.dll                                      win10v2004-20241007-en
General
- Target: $TEMP/setup.exe
- Size: 2.4MB
- MD5: b774d568aaf090164ec32291370cb341
- SHA1: f5a55bcd898ff2848df1bb067e5012951dfbc266
- SHA256: 56e96195f7c806eb74503977eb61fd681b99ac14fcdb9f852d89ee46b0edc5ef
- SHA512: 0ffe18d77b13e5a94be4575984982d4d583450821865821be9c7dcffcb2fb03a744b4ca530516ba8917eb2d130bf8767416259563ecefe511ccbf34254f52691
- SSDEEP: 49152:QT1/JEQtPdZoRTrfDgHGRvrDZg5aa1ChFpqKiv+9:QTRtfoNDvlZ8aa1CMKx
Malware Config
Signatures
- Panda Stealer payload (2 IoCs)
  YARA rule family_pandastealer matched two files written during this task:
  - behavioral5/files/0x0008000000016d6d-16.dat
  - behavioral5/files/0x000200000000f869-141.dat
  PandaStealer: Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Executes dropped EXE (2 IoCs)
  PID   Process
  1900  setup.exe
  2236  SlimDrivers.exe
- Loads dropped DLL (18 IoCs)
  PID   Process            Entries
  2520  setup.exe          3
  1112  Process not Found  9
  844   Process not Found  4
  1496  MsiExec.exe        2
  "Process not Found" means the monitor could not map that PID to a process it had recorded (the PID appears only in the module-load events), not that the loads came from nowhere; PIDs 1112 and 844 do not occur anywhere else in this report.
- Blocklisted process makes network request (5 IoCs)
  Flow  PID   Process
  3     2772  msiexec.exe
  5     2772  msiexec.exe
  7     2772  msiexec.exe
  9     2772  msiexec.exe
  16    2296  msiexec.exe
  Flow numbers refer to the Network tab, which is not reproduced on this page. Both PIDs are Windows Installer processes (the client launched by setup.exe and the service), so the flows are the installer's own traffic rather than the dropped stealer's.
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  All 46 entries have the form "File opened (read-only) \??\<letter>: msiexec.exe". The letters probed are A, B, E and G through Z, every letter except C, D and F, and each letter appears twice. Opening every drive root is also what Windows Installer does when it costs the install (free-space checks per volume), so on an MSI install this signature is expected; it becomes interesting when the process doing it is not an installer.
- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe (msiexec.exe)
  - File created: C:\Program Files (x86)\SlimDrivers\SlimDrivers.url (msiexec.exe)
- Drops file in Windows directory (12 IoCs)
  msiexec.exe:
  - File created: C:\Windows\Installer\f77314d.msi
  - File opened for modification: C:\Windows\Installer\f77314d.msi
  - File created: C:\Windows\Installer\f77314e.ipi
  - File opened for modification: C:\Windows\Installer\f77314e.ipi
  - File created: C:\Windows\Installer\f773150.msi
  - File opened for modification: C:\Windows\Installer\MSI33DE.tmp
  - File created: C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe
  - File opened for modification: C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe
  - File opened for modification: C:\Windows\Installer\
  DrvInst.exe:
  - File opened for modification: C:\Windows\INF\setupapi.ev1
  - File opened for modification: C:\Windows\INF\setupapi.ev3
  - File opened for modification: C:\Windows\INF\setupapi.dev.log
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by MsiExec.exe, SlimDrivers.exe, setup.exe (two entries) and msiexec.exe.
  Reading NLS\Language is routine for any installer that localises its UI, so this is weak evidence on its own; it matters when combined with a stealer payload that keys its behaviour on locale.
- Modifies data under HKEY_USERS (46 IoCs)
  All paths are under \REGISTRY\USER\.DEFAULT, the profile hive used by services running as SYSTEM. 43 of the 46 entries are by DrvInst.exe:
  - Key created: SOFTWARE\Microsoft\SystemCertificates\{Root, CA, Disallowed, trust, TrustedPeople, SmartCardRoot}, each with Certificates, CRLs and CTLs subkeys (24 keys), plus SOFTWARE\Microsoft\SystemCertificates\My
  - Key created: SOFTWARE\Policies\Microsoft\SystemCertificates\{CA, Disallowed, trust, TrustedPeople}, each with Certificates, CRLs and CTLs subkeys (16 keys)
  - Key created: Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Set value (data): SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
  The remaining 3 are by msiexec.exe:
  - Key deleted: SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
  - Key deleted: SOFTWARE\Classes\Local Settings\MuiCache\2D
  - Key created: SOFTWARE\Classes\Local Settings\MuiCache\2E
  The certificate-store skeleton is what CryptoAPI creates the first time a SYSTEM-context process opens the per-user certificate stores (here DrvInst.exe, which verifies driver signatures during device installation). Only empty keys are created; actual trust-store tampering would show as values written under Root\Certificates or Disallowed\Certificates, and none appear here.
- Modifies registry class (23 IoCs)
  All 23 entries are written by msiexec.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer and are the product registration Windows Installer performs for any package it installs.
  Keys created:
  - Installer\Products\0C75D042A432DAC46B7EFDEDB6B02127, with subkeys SourceList, SourceList\Media and SourceList\Net
  - Installer\Features\0C75D042A432DAC46B7EFDEDB6B02127
  - Installer\UpgradeCodes\94F306592838061408E06E374A3C5C1F
  Values set under Installer\Products\0C75D042A432DAC46B7EFDEDB6B02127 (backslashes inside string values are shown single here; the report prints them doubled):
  - ProductName = "SlimDrivers"
  - Version = 33558522 (int)
  - Language = 1033 (int)
  - PackageCode = "628DDF39A23AFE540BC23165E3FDFFFF"
  - ProductIcon = "C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe"
  - InstanceType = 0, Assignment = 1, AdvertiseFlags = 388, AuthorizedLUAApp = 0, DeploymentFlags = 3 (all int)
  - Clients = 3a0000000000 (data)
  - SourceList\PackageName = "setup.msi"
  - SourceList\Net\1 = "C:\Program Files (x86)\Downloaded Installers\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\"
  - SourceList\LastUsedSource = "n;1;C:\Program Files (x86)\Downloaded Installers\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\"
  - SourceList\Media\1 = ";"
  Other values:
  - Installer\Features\0C75D042A432DAC46B7EFDEDB6B02127\Application (str)
  - Installer\UpgradeCodes\94F306592838061408E06E374A3C5C1F\0C75D042A432DAC46B7EFDEDB6B02127 (str)
  The 32-character key names are the ProductCode and UpgradeCode GUIDs in Windows Installer's compressed form: 0C75D042A432DAC46B7EFDEDB6B02127 is {240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}, the same GUID as the cached package directory and the ProductIcon path above. The Version DWORD 33558522 is 0x02000FFA, i.e. product version 2.0.4090 (major in the top byte, minor in the next, build in the low word).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2296 msiexec.exe (two entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs shown)
  Distinct privileges enabled per process; the raw list repeats many of them:
  - 2772 msiexec.exe (the client started by setup.exe): SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateTokenPrivilege, SeDebugPrivilege, SeEnableDelegationPrivilege, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeLoadDriverPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRemoteShutdownPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeSyncAgentPrivilege, SeSystemEnvironmentPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege, SeUndockPrivilege (29 distinct)
  - 2296 msiexec.exe (the Windows Installer service): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
  - 1196 vssvc.exe: SeAuditPrivilege, SeBackupPrivilege, SeRestorePrivilege
  - 2076 DrvInst.exe: SeLoadDriverPrivilege, SeRestorePrivilege
  The 2772 list is the "enable every privilege" pattern: one AdjustTokenPrivileges call naming nearly every privilege Windows defines. AdjustTokenPrivileges can only enable privileges the token already holds (the call returns ERROR_NOT_ALL_ASSIGNED for the rest), so this grants nothing the process did not have; it is common installer behaviour, not escalation. The backup/restore/take-ownership set on the service and SeLoadDriverPrivilege on DrvInst.exe are what those components need for their jobs.
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2772 msiexec.exe (two entries)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Writer (PID, image)    Target PID   Events   procid_target
  2520 setup.exe         1900         7        30
  1900 setup.exe         2772         7        31
  2296 msiexec.exe       1496         7        38
  1496 MsiExec.exe       2236         4        39
  Every target is a process the writer has just created (these four edges are exactly the parent/child links in the process tree below), and no write goes to a pre-existing process. Writes into a freshly created child are consistent with ordinary process start-up on this platform, so this signature documents the launch chain here rather than injection.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. In this run the related activity is vssvc.exe (PID 1196) and the DrvInst.exe invocation for STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 in the process tree below. Windows Installer typically creates a system restore point through VSS before an install, which is the usual benign trigger for this signature on an MSI install; the ransomware use of VSS (deleting shadow copies) would show up as vssadmin or wmic activity, and none appears in this report.
Processes

Four independent trees were recorded; depth is shown by indentation, and the signatures listed under each process are the ones attributed to it.

Tree 1, the dropper chain:
- C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe (PID 2520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zSB26E.tmp\setup.exe (PID 1900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSB26E.tmp\setup.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 2772)
      Command line: "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\setup.msi"
      Signatures: Blocklisted process makes network request; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

Tree 2, the Windows Installer service side of the same install:
- C:\Windows\system32\msiexec.exe (PID 2296)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1496)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2471ADF3C4DC2086C0FC91DF6EADCF0F C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe (PID 2236)
      Command line: "C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery

Tree 3:
- C:\Windows\system32\vssvc.exe (PID 1196)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

Tree 4:
- C:\Windows\system32\DrvInst.exe (PID 2076)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "00000000000003B8"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

How the trees relate: the 7zS<hex>.tmp directory name in tree 1 is the extraction directory a 7-Zip self-extracting archive creates, so the outer setup.exe is a 7-Zip SFX wrapping a second setup.exe, which in turn runs msiexec /i on the bundled MSI. The install itself is carried out by the Windows Installer service (msiexec.exe /V, started by the service control manager, hence no parent in tree 2) and its custom-action host (MsiExec.exe -Embedding ...), which is what launches SlimDrivers.exe at the end of the install. Trees 3 and 4 are the restore-point snapshot taken for the install: vssvc.exe creates the shadow copy and DrvInst.exe handles the PnP arrival of the resulting VolumeSnapshot device. Note that the files flagged as Panda Stealer under Signatures are written by this chain but are not among the executed processes in this tree.
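The signature rows in this report are printed run together on one line, which makes them tedious to cross-check against the process tree. The Python below is an added example written for this page (not the sandbox's code) that re-parses the three row formats used above, with rows copied from the Enumerates connected drives, Suspicious use of WriteProcessMemory and Suspicious use of AdjustPrivilegeToken signatures (trimmed to a subset so the block stays short, and labelled as such in the code), and derives the distinct drive letters probed, the parent/child edges with their event counts, the privileges enabled per PID, and an indented tree that can be compared with the Processes section. The DROPPED_EXE mapping is taken from the Executes dropped EXE signature; everything else is derived from the rows.

```python
"""Re-parse the flattened signature rows of the report into structured facts.

Added example for this page, not the sandbox's own code. It handles the
three row formats printed in the report:
  "File opened (read-only) \\??\\<letter>: <process>"
  "PID <p> wrote to memory of <c> <p> <process> <procid_target>"
  "Token: <privilege> <pid> <process>"
The sample rows below are copied from the report, trimmed to a subset.
"""
import re
from collections import defaultdict

# --- constructed input: subsets of the rows shown in the report above ------
DRIVE_ROWS = (
    "File opened (read-only) \\??\\M: msiexec.exe "
    "File opened (read-only) \\??\\U: msiexec.exe "
    "File opened (read-only) \\??\\T: msiexec.exe "
    "File opened (read-only) \\??\\U: msiexec.exe "
    "File opened (read-only) \\??\\J: msiexec.exe "
    "File opened (read-only) \\??\\E: msiexec.exe "
    "File opened (read-only) \\??\\H: msiexec.exe "
    "File opened (read-only) \\??\\M: msiexec.exe"
)
WPM_ROWS = (
    "PID 2520 wrote to memory of 1900 2520 setup.exe 30 "
    "PID 2520 wrote to memory of 1900 2520 setup.exe 30 "
    "PID 1900 wrote to memory of 2772 1900 setup.exe 31 "
    "PID 2296 wrote to memory of 1496 2296 msiexec.exe 38 "
    "PID 1496 wrote to memory of 2236 1496 MsiExec.exe 39"
)
TOKEN_ROWS = (
    "Token: SeShutdownPrivilege 2772 msiexec.exe "
    "Token: SeIncreaseQuotaPrivilege 2772 msiexec.exe "
    "Token: SeRestorePrivilege 2296 msiexec.exe "
    "Token: SeTakeOwnershipPrivilege 2296 msiexec.exe "
    "Token: SeDebugPrivilege 2772 msiexec.exe "
    "Token: SeBackupPrivilege 1196 vssvc.exe "
    "Token: SeLoadDriverPrivilege 2076 DrvInst.exe "
    "Token: SeRestorePrivilege 2296 msiexec.exe"
)
# Image names for PIDs that only appear as targets, from "Executes dropped EXE".
DROPPED_EXE = {1900: "setup.exe", 2236: "SlimDrivers.exe"}

_DRIVE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")
_WPM = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")
_TOKEN = re.compile(r"Token: (Se\w+) (\d+) (\S+)")


def parse_drives(text):
    """Map process name -> sorted distinct drive letters it opened."""
    seen = defaultdict(set)
    for letter, proc in _DRIVE.findall(text):
        seen[proc].add(letter)
    return {p: sorted(s) for p, s in seen.items()}


def drives_beyond_system(drives, system="C"):
    """Per process, the letters other than the system drive; this is the
    signature's own criterion (roots of drives other than C: were read)."""
    return {p: [l for l in ls if l != system] for p, ls in drives.items()}


def parse_wpm(text):
    """Count WriteProcessMemory events per (writer_pid, target_pid) pair and
    record each writer's image name."""
    edges, names = defaultdict(int), {}
    for ppid, cpid, pname, _target in _WPM.findall(text):
        edges[(int(ppid), int(cpid))] += 1
        names[int(ppid)] = pname
    return dict(edges), names


def parse_tokens(text):
    """Map (pid, process) -> sorted distinct privileges it enabled."""
    privs = defaultdict(set)
    for priv, pid, proc in _TOKEN.findall(text):
        privs[(int(pid), proc)].add(priv)
    return {k: sorted(v) for k, v in privs.items()}


def render_tree(edges, names):
    """Indented process tree from writer->target edges, one line per
    process, annotated with the event count on the edge that created it."""
    children = defaultdict(list)
    for (ppid, cpid), n in edges.items():
        children[ppid].append((cpid, n))
    all_children = {c for kids in children.values() for c, _ in kids}
    roots = sorted(p for p in children if p not in all_children)
    lines = []

    def walk(pid, depth, n):
        tag = f" [{n} WPM]" if n else ""
        lines.append("  " * depth + f"{names.get(pid, '?')} (PID {pid}){tag}")
        for cpid, cnt in sorted(children.get(pid, [])):
            walk(cpid, depth + 1, cnt)

    for r in roots:
        walk(r, 0, 0)
    return lines


if __name__ == "__main__":
    print("drives beyond C:", drives_beyond_system(parse_drives(DRIVE_ROWS)))
    edges, names = parse_wpm(WPM_ROWS)
    names.update(DROPPED_EXE)
    for (pid, proc), privs in parse_tokens(TOKEN_ROWS).items():
        names.setdefault(pid, proc)
        print(f"{pid} {proc}: {', '.join(privs)}")
    print("\n".join(render_tree(edges, names)))
```

On the full row set from this report the drive parser yields 23 letters for msiexec.exe, the edge counts are 7, 7, 7 and 4, and the rendered tree matches trees 1 and 2 above; the point of the edge counts is that a target PID which is not also a freshly created child (no matching Executes dropped EXE or tree entry) would be the injection case the signature name suggests, and none occurs here.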
Network
MITRE ATT&CK Enterprise v15
Downloads

Files captured from the run. Entries the report lists without a path are given without one here too. The CryptnetUrlCache\Content and \MetaData files are CryptoAPI's on-disk cache of certificate-chain data (CRL, OCSP or AIA responses) fetched over the network during signature verification; they correlate with the msiexec.exe network flows flagged under Signatures and are a normal by-product of verifying a signed package.

- Filesize: 7KB
  MD5: d33377bc6053ab2d9b1b49b4739c5299
  SHA1: 7285227fce2ff822e20fa717142cd5f79644f92a
  SHA256: 68610178b8282134a28518a876551bb2e909e673266a0b3f3380b05898f7e2a7
  SHA512: 3c5011b6a968ad246787752edc61d9a9814c2ce4475c26a5911da2b30632afe13b6e8ba77b7289319b2f249843e0112d705ee6d78078df54adf44368b529f412

- Filesize: 75KB
  MD5: 84fb59541357ebbac17a5dd906b3957e
  SHA1: ef72d52c513b97a066a4922609862559645a6f7a
  SHA256: 44e527b61336921190fca1222af6ced398b67b36a7803c05525eb5dc9a18a93a
  SHA512: 8547ae3ebcf38b9c46b18ad0264222a93520bf55fd2fbbcbe757b61b5fd18d209817dae5dc432f12c65fae6be769da6f71c1b24afe03ef473854e1b00baeec01

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

- Filesize: 834B
  MD5: 543ff9c4bb3fd6f4d35c0a80ba5533fc
  SHA1: e318b6209faeffe8cde2dba71f226d2b161729af
  SHA256: 40c04d540c3d7d80564f34af3a512036bdd8e17b4ca74ba3b7e45d6d93466bcd
  SHA512: 6257994ac1ec8b99edcf0d666838a9874031a500adac9383d9b4242edc6c6ffec48f230740d443c1088aa911a36de26e7ce3b97313e3d36b00aede5352a8cf5a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
  Filesize: 212B
  MD5: f1ef9e1765862e2732746f33c516ae55
  SHA1: 486eba33647222aee05f84b1d4a1a9339309278c
  SHA256: f8528a90bc4f0638ebb86b21a25c50371d508840c01a9f6b3cf6b108342f3ef0
  SHA512: dd23fc968b3200126bb626778545bab7e7bc54552b45f87ea072e6f26c9f9cd6dcf8815e264f83ff1ba3f72b1a5121b4f4b3a8f28ab2c9c98df9edf752f63398

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227
  Filesize: 404B
  MD5: 54f7034b41718722feebf79ebfdadfa8
  SHA1: b0c7d2cfab3ae681af2b88098f8c4b4092fd3139
  SHA256: 529f5aecfbe1fa12992aa0dfbfbf90ea52297b1dc4570ca7d68c7c22b6c028b2
  SHA512: 7df29e9fd2c7b1ad82547f7e99370956314c95d448a537f5dfe8d3a88484c9f6503950adc089b8c4c5895f89b6e2a402ee88455bc4b4a93a9230109f51fdec9f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
  Filesize: 404B
  MD5: d644ab5f6cf60163bca4b0788b167d44
  SHA1: 9d7c94f408bb7ff4301ca2ebc3923b7196c1c8bb
  SHA256: c221ac68030972b2750fcabc556ba02a3177837e413874861337c505c7332daa
  SHA512: b50386572b5b207bea9840401021ef8aba23876c89e0f30ba06b717c461095c1944609f00b507f3fa9665bc0bbc8057675739c65f698266718f20e5691bab861

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F
  Filesize: 188B
  MD5: c0965056f1499911958493408ce7b756
  SHA1: 7b14b9b6d3aa7259de6026ba5f07959c1f9e2f4f
  SHA256: ae2d85fc595ac5dd37807addae929819c9150b80a0ba2710dc405ab6356b268f
  SHA512: 7489d174907b3aa9454808ff44dc20e053320e63cdede7d22028e45190daa65ca0757551f1e444c1300ea917db38b7fb72f96f645d505ae0f37f47ce4f941efb

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a43a27de3d159c18a1b59747de7ac026
  SHA1: 235c103edfc7e1a4dfc2f19afaac81d2da331d05
  SHA256: 0a950d560e9b62b3e86d05f6ca43e0391da2f2d6be8d669cab759e34eb209ab4
  SHA512: cf264f80ffdad6440e7e1971657cc553e06e268827cbda1337de588940e7e608e8304c9063e355e6974339e94882227273fbb7d7e0ff02cdb24da1e371af26a3

- Filesize: 23.6MB
  MD5: 66105820fc90d4728885dc0a497b8213
  SHA1: 4575ee17d6c1ee5ff114ca1be6b5ae547d6df965
  SHA256: eb34cd95f9da684b1d680bc5d7d710fbd14318d341711a9e53b43578ad7d9310
  SHA512: a865fa5fb01509ca9a18d51f4d173b4fbf6ee61c8cb1a13ccde2bb99f134085355325240a598eec5c9bb5138ba8c00ad577a17611ae9d0844baa34e74aaa72d3

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 22.5MB
  MD5: 1698d9ac0c1167d6cf7b8a32ebff81b3
  SHA1: 31241974219fcba442fe61937df9a891fcf829ac
  SHA256: 796ca26fc493a66153fc1129acc989bddef7fccf7ca3cbfac409088be8437378
  SHA512: 40e416467ac416c87efd8e7876a86c9f618684ddd0b107108345d7ac67c0db7ed72f395844ac1dc8f5039683593015bf61ab84bf5ba5f22797d8419aacb9e16f

- Filesize: 73KB
  MD5: ca6be57a4f75e216f320f97ae1098ff6
  SHA1: 3d8824b17c5a4c4afb887182a9af68c981b4b859
  SHA256: 7061f18bc963a9452432458cbffba4607ab55c360cfda38dda2fb913adb7a3ed
  SHA512: 8ff5f86a03d70bbe5cc34c0ce3586d49edccf557ed3f6565cebd07fb9218cb6ebf80f536f93ea0401373e309127bfe9dea83f66325623a5bc66ce677be886804

- Filesize: 148KB
  MD5: 14c01c848d8452005734858a64b6784b
  SHA1: d3d81fcd1267095880218ef09b92220248905ea8
  SHA256: fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185
  SHA512: 8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

- Filesize: 128KB
  MD5: 70d9701d954dee05eb8a89d50b496bff
  SHA1: 15f775be9e3e7eaad93bb63dd246c5fd7a098e89
  SHA256: 71f324531ed89aead63e1cf05ea06715e86f017bfd873b7efb38d4b80a8c8d8e
  SHA512: f1cd0ac56dc24908b2ab81b9691b01ca0e74b49d9f8772b84f1fd4188e94938c30b26253b546999338b00197b22b23e0b838abf747df19e89b11fe4e260a4c50