Overview
Score: 10

Task                    Platform             Score
Static                  static               3
337f603c8b...18.exe     windows7-x64         10
337f603c8b...18.exe     windows10-2004-x64   10
$PLUGINSDI...nu.dll     windows7-x64         3
$PLUGINSDI...nu.dll     windows10-2004-x64   3
$TEMP/setup.exe         windows7-x64         10
$TEMP/setup.exe         windows10-2004-x64   10
$TEMP/sys.exe           windows7-x64         7
$TEMP/sys.exe           windows10-2004-x64   7
$PLUGINSDIR/Math.dll    windows7-x64         3
$PLUGINSDIR/Math.dll    windows10-2004-x64   3
$PLUGINSDI...es.dll     windows7-x64         3
$PLUGINSDI...es.dll     windows10-2004-x64   3
$PLUGINSDI...em.dll     windows7-x64         3
$PLUGINSDI...em.dll     windows10-2004-x64   3
$PLUGINSDIR/UAC.dll     windows7-x64         3
$PLUGINSDIR/UAC.dll     windows10-2004-x64   3
$R1.dll                 windows7-x64         6
$R1.dll                 windows10-2004-x64   6
$TEMP/tcpsrvc.exe       windows7-x64         7
$TEMP/tcpsrvc.exe       windows10-2004-x64   7
$PLUGINSDI...em.dll     windows7-x64         3
$PLUGINSDI...em.dll     windows10-2004-x64   3
$SYSDIR/$S...1_.exe     windows7-x64         7
$SYSDIR/$S...1_.exe     windows10-2004-x64   7
$PLUGINSDI...ns.dll     windows7-x64         3
$PLUGINSDI...ns.dll     windows10-2004-x64   3
$PLUGINSDI...em.dll     windows7-x64         3
$PLUGINSDI...em.dll     windows10-2004-x64   3
$SYSDIR/$_5_.dll        windows7-x64         6
$SYSDIR/$_5_.dll        windows10-2004-x64   6

This page is the report for the $TEMP/setup.exe task on windows10-2004-x64 (behavioral6, score 10).

Analysis
max time kernel: 146s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 05:43

Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1    337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe   win7-20241010-en
behavioral2    337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe   win10v2004-20241007-en
behavioral3    $PLUGINSDIR/StartMenu.dll                            win7-20240903-en
behavioral4    $PLUGINSDIR/StartMenu.dll                            win10v2004-20241007-en
behavioral5    $TEMP/setup.exe                                      win7-20240903-en
behavioral6    $TEMP/setup.exe                                      win10v2004-20241007-en
behavioral7    $TEMP/sys.exe                                        win7-20240903-en
behavioral8    $TEMP/sys.exe                                        win10v2004-20241007-en
behavioral9    $PLUGINSDIR/Math.dll                                 win7-20240729-en
behavioral10   $PLUGINSDIR/Math.dll                                 win10v2004-20241007-en
behavioral11   $PLUGINSDIR/Processes.dll                            win7-20240903-en
behavioral12   $PLUGINSDIR/Processes.dll                            win10v2004-20241007-en
behavioral13   $PLUGINSDIR/System.dll                               win7-20241010-en
behavioral14   $PLUGINSDIR/System.dll                               win10v2004-20241007-en
behavioral15   $PLUGINSDIR/UAC.dll                                  win7-20240903-en
behavioral16   $PLUGINSDIR/UAC.dll                                  win10v2004-20241007-en
behavioral17   $R1.dll                                              win7-20240903-en
behavioral18   $R1.dll                                              win10v2004-20241007-en
behavioral19   $TEMP/tcpsrvc.exe                                    win7-20240708-en
behavioral20   $TEMP/tcpsrvc.exe                                    win10v2004-20241007-en
behavioral21   $PLUGINSDIR/System.dll                               win7-20240903-en
behavioral22   $PLUGINSDIR/System.dll                               win10v2004-20241007-en
behavioral23   $SYSDIR/$SYSDIR/$_1_.exe                             win7-20240903-en
behavioral24   $SYSDIR/$SYSDIR/$_1_.exe                             win10v2004-20241007-en
behavioral25   $PLUGINSDIR/InstallOptions.dll                       win7-20240903-en
behavioral26   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20241007-en
behavioral27   $PLUGINSDIR/System.dll                               win7-20241010-en
behavioral28   $PLUGINSDIR/System.dll                               win10v2004-20241007-en
behavioral29   $SYSDIR/$_5_.dll                                     win7-20240903-en
behavioral30   $SYSDIR/$_5_.dll                                     win10v2004-20241007-en

General
Target: $TEMP/setup.exe
Size: 2.4MB
MD5: b774d568aaf090164ec32291370cb341
SHA1: f5a55bcd898ff2848df1bb067e5012951dfbc266
SHA256: 56e96195f7c806eb74503977eb61fd681b99ac14fcdb9f852d89ee46b0edc5ef
SHA512: 0ffe18d77b13e5a94be4575984982d4d583450821865821be9c7dcffcb2fb03a744b4ca530516ba8917eb2d130bf8767416259563ecefe511ccbf34254f52691
SSDEEP: 49152:QT1/JEQtPdZoRTrfDgHGRvrDZg5aa1ChFpqKiv+9:QTRtfoNDvlZ8aa1CMKx

Malware Config

Signatures

Panda Stealer payload 2 IoCs
resource                                      yara_rule
behavioral6/files/0x0008000000023c93-11.dat   family_pandastealer
behavioral6/files/0x0007000000023cbd-57.dat   family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
The two hits are YARA matches on files the sandbox stored from this run. The page does not tie those two resource names to the paths in the Downloads list, so which dropped file carried the matching payload cannot be read off this report; every behaviour recorded below belongs to the SlimDrivers MSI install chain shown in the process tree.

Drops file in Drivers directory 3 IoCs
description                    ioc                                        Process
File opened for modification   C:\Windows\system32\DRIVERS\SET5A6F.tmp    SlimDrivers.exe
File created                   C:\Windows\system32\DRIVERS\SET5A6F.tmp    SlimDrivers.exe
File opened for modification   C:\Windows\system32\DRIVERS\SWDUMon.sys    SlimDrivers.exe
The writer is the installed binary (SlimDrivers.exe, PID 4432, a child of the installer's custom-action server), not the original stager. SWDUMon.sys is the artifact to collect from an affected host; SET5A6F.tmp is the temporary copy the file-copy API writes before renaming it into place.

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description         ioc                                                                                                      Process
Key value queried   \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation   setup.exe
Only the outer stager (setup.exe, PID 2636 in the process tree) reads this value; whether the result gates any later behaviour is not visible in this report.

Executes dropped EXE 2 IoCs
pid    Process
2428   setup.exe
4432   SlimDrivers.exe

Loads dropped DLL 1 IoCs
pid    Process
368    MsiExec.exe

Blocklisted process makes network request 2 IoCs
flow   pid    Process
15     5092   msiexec.exe
17     5092   msiexec.exe
Both flows come from the 32-bit msiexec.exe client that the stager launched with /i (PID 5092), not from the Installer service (PID 640). The Network section of this page carries no entries, so the destinations of flows 15 and 17 are not recorded here.

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   Process: msiexec.exe
ioc (46 entries, in the order logged): \??\I: \??\L: \??\Y: \??\A: \??\W: \??\V: \??\G: \??\E: \??\P: \??\M: \??\O: \??\H: \??\J: \??\K: \??\N: \??\B: \??\E: \??\I: \??\J: \??\V: \??\N: \??\Q: \??\A: \??\B: \??\M: \??\S: \??\W: \??\L: \??\T: \??\X: \??\Z: \??\Y: \??\O: \??\R: \??\X: \??\Z: \??\H: \??\S: \??\R: \??\U: \??\G: \??\Q: \??\T: \??\U: \??\K: \??\P:
Every letter except C:, D: and F: appears exactly twice, and the process tree shows this signature on both msiexec.exe instances (PIDs 5092 and 640), consistent with one sweep per instance. Probing every drive root is routine for msiexec.exe during source resolution, so on its own this signature is weak evidence of anything sample-specific.

Drops file in Program Files directory 2 IoCs
description    ioc                                                  Process
File created   C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe   msiexec.exe
File created   C:\Program Files (x86)\SlimDrivers\SlimDrivers.url   msiexec.exe

Drops file in Windows directory 12 IoCs
description                    ioc                                                                            Process
File created                   C:\Windows\Installer\inprogressinstallinfo.ipi                                 msiexec.exe
File opened for modification   C:\Windows\Installer\MSI3F27.tmp                                               msiexec.exe
File created                   C:\Windows\Installer\e583da2.msi                                               msiexec.exe
File opened for modification   C:\Windows\Tasks\SlimDrivers Startup.job                                       SlimDrivers.exe
File created                   C:\Windows\Installer\e583da0.msi                                               msiexec.exe
File opened for modification   C:\Windows\Installer\e583da0.msi                                               msiexec.exe
File opened for modification   C:\Windows\Installer\                                                          msiexec.exe
File opened for modification   C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe           msiexec.exe
File created                   C:\Windows\Tasks\SlimDrivers Startup.job                                       SlimDrivers.exe
File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                      msiexec.exe
File created                   C:\Windows\Installer\SourceHash{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}          msiexec.exe
File created                   C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe           msiexec.exe
The msiexec.exe entries are the Installer service caching the package under C:\Windows\Installer. The two SlimDrivers.exe entries are the persistence artifact: C:\Windows\Tasks\SlimDrivers Startup.job is a legacy Task Scheduler job file created by the installed binary itself, and it is the first thing to check for on a host where this ran.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                             Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   setup.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   setup.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msiexec.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MsiExec.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   SlimDrivers.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                       Process
Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters                            vssvc.exe
Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters                            vssvc.exe
Key created        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr                    vssvc.exe
Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided)   vssvc.exe
All five entries belong to vssvc.exe, the Windows Volume Shadow Copy service, and the Partmgr\SnapshotDataCache and PartitionTableCache values are written during snapshot creation. The snapshot here is the system restore point the installer requested (srtasks.exe ExecuteScopeRestorePoint in the process tree), so this signature is an installer side effect, not the sample fingerprinting the sandbox.

Modifies data under HKEY_USERS 3 IoCs
description   ioc                                                                               Process
Key deleted   \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E      msiexec.exe
Key deleted   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26               msiexec.exe
Key created   \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27               msiexec.exe

Modifies registry class 23 IoCs
All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ and every entry is by msiexec.exe (the Installer service, PID 640).
description        ioc
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\PackageName = "setup.msi"
Key created        Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\Net
Key created        Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\Media
Set value (str)    Features\0C75D042A432DAC46B7EFDEDB6B02127\Application
Key created        Products\0C75D042A432DAC46B7EFDEDB6B02127
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\AdvertiseFlags = "388"
Key created        UpgradeCodes\94F306592838061408E06E374A3C5C1F
Set value (str)    UpgradeCodes\94F306592838061408E06E374A3C5C1F\0C75D042A432DAC46B7EFDEDB6B02127
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\Net\1 = "C:\\Program Files (x86)\\Downloaded Installers\\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\\"
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\Media\1 = ";"
Key created        Features\0C75D042A432DAC46B7EFDEDB6B02127
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\Language = "1033"
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\Assignment = "1"
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\ProductIcon = "C:\\Windows\\Installer\\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\\Icon.exe"
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\DeploymentFlags = "3"
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\PackageCode = "628DDF39A23AFE540BC23165E3FDFFFF"
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\InstanceType = "0"
Key created        Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\ProductName = "SlimDrivers"
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\Version = "33558522"
Set value (int)    Products\0C75D042A432DAC46B7EFDEDB6B02127\AuthorizedLUAApp = "0"
Set value (data)   Products\0C75D042A432DAC46B7EFDEDB6B02127\Clients = 3a0000000000
Set value (str)    Products\0C75D042A432DAC46B7EFDEDB6B02127\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Downloaded Installers\\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\\"
The key name 0C75D042A432DAC46B7EFDEDB6B02127 is the Installer's packed form of the product code {240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}, the same GUID that names the "Downloaded Installers" folder in the msiexec /i command line and the C:\Windows\Installer\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\Icon.exe path. Language 1033 is en-US, and Version 33558522 decodes to 2.0.4090 (major, minor and build packed into one DWORD). These keys, plus the UpgradeCodes entry, are what an uninstall or a host sweep should look for.

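The packed GUIDs above are easier to work with once they are unpacked. The following is an added example for this report, not sandbox output and not code from the sample or from SlimDrivers. It implements the Installer's packing rule (reverse the first three GUID groups, swap adjacent hex-digit pairs in the last two), decodes the Version DWORD, and checks that the Products key and the GUID in the Downloaded Installers path name the same product. The values in REPORT are copied from the signature above; the function names and the REPORT layout are this example's own.

```python
r"""Unpack the Windows Installer identifiers under HKLM\SOFTWARE\Classes\Installer
that this report records, and tie them back to the paths in the same report.

Added example for this report; not sandbox output, not code from the sample.
Packing rule: reverse the first three GUID groups, then swap each adjacent
pair of hex digits in the last two groups. Version is major<<24|minor<<16|build.
"""
import re

GUID_RE = re.compile(
    r"^\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{4})-([0-9A-F]{12})\}?$", re.I)

# Values as they appear in this report's 'Modifies registry class' signature (PID 640).
REPORT = {
    "products_key": "0C75D042A432DAC46B7EFDEDB6B02127",   # Installer\Products\<key>
    "upgrade_key": "94F306592838061408E06E374A3C5C1F",    # Installer\UpgradeCodes\<key>
    "package_code": "628DDF39A23AFE540BC23165E3FDFFFF",   # Products\<key>\PackageCode
    "version": 33558522,                                  # Products\<key>\Version
    "msi_dir_guid": "{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}",  # Downloaded Installers\{...}\setup.msi
}


def _swap_pairs(hexstr):
    """'B6E7' -> '6B7E': swap every adjacent pair of hex digits (self-inverse)."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def pack_guid(guid):
    r"""{240D57C0-...} -> 0C75D042..., the form used for Installer\Products key names."""
    m = GUID_RE.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unpack_guid(packed):
    """0C75D042... -> {240D57C0-...}; exact inverse of pack_guid."""
    p = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    a, b, c, d, e = p[:8], p[8:12], p[12:16], p[16:20], p[20:]
    return "{%s-%s-%s-%s-%s}" % (a[::-1], b[::-1], c[::-1], _swap_pairs(d), _swap_pairs(e))


def decode_msi_version(value):
    """Products key Version DWORD -> 'major.minor.build'."""
    return f"{(value >> 24) & 0xFF}.{(value >> 16) & 0xFF}.{value & 0xFFFF}"


def resolve_report_codes(report=REPORT):
    """Decode the report's identifiers and confirm the Products key names the
    same product whose GUID appears in the msiexec /i path and the Icon.exe path."""
    product = unpack_guid(report["products_key"])
    return {
        "ProductCode": product,
        "UpgradeCode": unpack_guid(report["upgrade_key"]),
        "PackageCode": unpack_guid(report["package_code"]),
        "Version": decode_msi_version(report["version"]),
        "product_matches_msi_path": product == report["msi_dir_guid"].upper(),
    }


if __name__ == "__main__":
    for name, value in resolve_report_codes().items():
        print(f"{name}: {value}")
```

pack_guid is what you run on a product code taken from an MSI's Property table to find its Products key on a host; unpack_guid goes the other way when all you have is the registry key name, as in this report.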
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
640    msiexec.exe
640    msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
pid    Process       Token (count where more than one)
5092   msiexec.exe   SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege   (31 entries)
3440   vssvc.exe     SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege   (3 entries)
640    msiexec.exe   SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (15), SeTakeOwnershipPrivilege (13)   (30 entries)
The PID 5092 list is essentially every privilege a token can carry being enabled in one sweep, which is what the Windows Installer client does routinely rather than a targeted grab of, say, SeDebugPrivilege alone. The alternating SeRestorePrivilege/SeTakeOwnershipPrivilege entries on PID 640 are consistent with the service's file writes under C:\Windows\Installer and Program Files recorded above. The vssvc.exe entries are the backup privileges the shadow-copy service needs for the restore point.

Suspicious use of FindShellTrayWindow 3 IoCs
pid    Process
5092   msiexec.exe
5092   msiexec.exe
4432   SlimDrivers.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid    Process
4432   SlimDrivers.exe

Suspicious use of SetWindowsHookEx 64 IoCs
pid    Process           entries
2428   setup.exe         1
4432   SlimDrivers.exe   63

Suspicious use of WriteProcessMemory 14 IoCs
description                        pid    Process       procid_target   entries
PID 2636 wrote to memory of 2428   2636   setup.exe     86              3
PID 2428 wrote to memory of 5092   2428   setup.exe     88              3
PID 640 wrote to memory of 1304    640    msiexec.exe   99              2
PID 640 wrote to memory of 368     640    msiexec.exe   103             3
PID 368 wrote to memory of 4432    368    MsiExec.exe   104             3
Every WriteProcessMemory entry is a parent writing into a child it has just created; the pairs match the process tree exactly and no write into an unrelated process is recorded, so this is process creation, not injection.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
One line per process (image, command line, PID); indentation shows parent-child depth, and the signatures listed under a process are those attributed to it.

C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe  "C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe"  PID:2636
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\7zSAC6C.tmp\setup.exe  "C:\Users\Admin\AppData\Local\Temp\7zSAC6C.tmp\setup.exe"  PID:2428
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe  "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\setup.msi"  PID:5092
      - Blocklisted process makes network request
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  C:\Windows\system32\msiexec.exe /V  PID:640
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\srtasks.exe  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2  PID:1304
  C:\Windows\syswow64\MsiExec.exe  C:\Windows\syswow64\MsiExec.exe -Embedding 59F1A3BDCA07B429EBB0EEC4BD3FD7A9 C  PID:368
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe  "C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe"  PID:4432
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe  C:\Windows\system32\vssvc.exe  PID:3440
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample's own chain is setup.exe (2636) extracting a second setup.exe into the 7zSAC6C.tmp directory (2428), which hands off to a 32-bit msiexec.exe client (5092) to install setup.msi from "Downloaded Installers". The second root, msiexec.exe /V (640), is the Windows Installer service that performs the install: srtasks.exe (1304) creates the system restore point the installer requested, and MsiExec.exe -Embedding (368) is the 32-bit custom-action server whose child SlimDrivers.exe (4432) writes the driver and the Tasks job. vssvc.exe (3440) is the Volume Shadow Copy service backing that restore point. Code delivered by the sample runs in 2636, 2428, 4432 and, through the dropped DLL it loads, 368; the remaining processes are Windows components acting on the installer's behalf.

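The chain above is detectable from ordinary endpoint telemetry without any hash. The following is an added example for this report, not sandbox output and not code from the sample: two hunting rules run over Sysmon-style process-creation and file-creation events. The event list is constructed by hand from the report's process tree and file signatures (same PIDs, images, command lines and paths); the Sysmon field names, the parent PIDs 1000 and 700, and the drvinst.exe record (a negative control that must not fire) are this example's assumptions. The rules generalize the report's two observations: an executable running from %TEMP% driving msiexec /i, and a descendant of an MSI custom-action server writing into the driver store or creating a legacy Tasks job.

```python
r"""Hunt for this report's installer chain in Sysmon-style process/file events.

Added example for this report: not sandbox output and not code from the sample.
EVENTS is built by hand from the report's process tree and file signatures
(same PIDs, images, command lines and paths). Field names follow Sysmon
EventID 1 (process create) and EventID 11 (file create). ParentProcessId
1000/700 and the drvinst.exe records are made-up fillers; drvinst.exe is a
negative control that must not fire.
"""
import re

EVENTS = [
    {"EventID": 1, "ProcessId": 2636, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\$TEMP\setup.exe"'},
    {"EventID": 1, "ProcessId": 2428, "ParentProcessId": 2636,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7zSAC6C.tmp\setup.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\7zSAC6C.tmp\setup.exe"'},
    {"EventID": 1, "ProcessId": 5092, "ParentProcessId": 2428,
     "Image": r"C:\Windows\SysWOW64\msiexec.exe",
     "CommandLine": r'"msiexec" /i "C:\Program Files (x86)\Downloaded Installers'
                    r'\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\setup.msi"'},
    {"EventID": 1, "ProcessId": 640, "ParentProcessId": 700,
     "Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V"},
    {"EventID": 1, "ProcessId": 368, "ParentProcessId": 640,
     "Image": r"C:\Windows\syswow64\MsiExec.exe",
     "CommandLine": r"C:\Windows\syswow64\MsiExec.exe -Embedding 59F1A3BDCA07B429EBB0EEC4BD3FD7A9 C"},
    {"EventID": 1, "ProcessId": 4432, "ParentProcessId": 368,
     "Image": r"C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe",
     "CommandLine": r'"C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe"'},
    {"EventID": 1, "ProcessId": 900, "ParentProcessId": 700,  # negative control, made up
     "Image": r"C:\Windows\System32\drvinst.exe", "CommandLine": "drvinst.exe"},
    {"EventID": 11, "ProcessId": 4432, "TargetFilename": r"C:\Windows\system32\DRIVERS\SET5A6F.tmp"},
    {"EventID": 11, "ProcessId": 4432, "TargetFilename": r"C:\Windows\Tasks\SlimDrivers Startup.job"},
    {"EventID": 11, "ProcessId": 640, "TargetFilename": r"C:\Windows\Installer\e583da0.msi"},
    {"EventID": 11, "ProcessId": 900, "TargetFilename": r"C:\Windows\system32\DRIVERS\vendor.sys"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)         # user-writable staging dir
MSI_INSTALL = re.compile(r'/i\s+"?(.+?\.msi)"?(?:\s|$)', re.I)     # msiexec /i <package>
CUSTOM_ACTION = re.compile(r"msiexec\.exe\s+-Embedding\b", re.I)  # MSI custom-action server
DRIVER_DIR = re.compile(r"\\Windows\\system32\\DRIVERS\\", re.I)
TASK_JOB = re.compile(r"\\Windows\\Tasks\\[^\\]+\.job$", re.I)    # legacy scheduler job file


def process_table(events):
    """PID -> its process-creation event."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def ancestors(procs, pid):
    """Creation events of pid's parents, nearest first; stops at unknown PIDs or loops."""
    chain, seen, cur = [], {pid}, procs.get(pid)
    while cur is not None and cur["ParentProcessId"] not in seen:
        seen.add(cur["ParentProcessId"])
        cur = procs.get(cur["ParentProcessId"])
        if cur is not None:
            chain.append(cur)
    return chain


def rule_temp_stager_launches_msi(procs):
    """msiexec /i <package> with an executable running from %TEMP% somewhere above it."""
    hits = []
    for p in procs.values():
        m = MSI_INSTALL.search(p["CommandLine"])
        if not p["Image"].lower().endswith("\\msiexec.exe") or not m:
            continue
        stagers = [a["ProcessId"] for a in ancestors(procs, p["ProcessId"])
                   if TEMP_DIR.search(a["Image"])]
        if stagers:
            hits.append({"rule": "temp_stager_launches_msi", "pid": p["ProcessId"],
                         "msi": m.group(1), "stager_pids": stagers})
    return hits


def rule_custom_action_child_drops_driver_or_job(events, procs):
    r"""File created under system32\DRIVERS or Windows\Tasks\*.job by a process
    descended from an MSI custom-action server (MsiExec.exe -Embedding)."""
    hits = []
    for e in events:
        if e["EventID"] != 11:
            continue
        target = e["TargetFilename"]
        kind = ("driver" if DRIVER_DIR.search(target)
                else "task_job" if TASK_JOB.search(target) else None)
        if kind is None:
            continue
        servers = [a["ProcessId"] for a in ancestors(procs, e["ProcessId"])
                   if CUSTOM_ACTION.search(a["CommandLine"])]
        if servers:
            hits.append({"rule": "custom_action_child_drops_" + kind, "pid": e["ProcessId"],
                         "file": target, "custom_action_pid": servers[0]})
    return hits


def hunt(events):
    """Run both rules over one event list; returns the findings in rule order."""
    procs = process_table(events)
    return (rule_temp_stager_launches_msi(procs)
            + rule_custom_action_child_drops_driver_or_job(events, procs))


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

Run against the constructed events, the first rule fires once (PID 5092, with stagers 2428 and 2636 above it) and the second fires twice for PID 4432 (the SET5A6F.tmp driver staging file and the SlimDrivers Startup.job), while the Installer service's own write into C:\Windows\Installer and the drvinst.exe control produce nothing. The ancestry walk is the important part: the process that touches the driver store is three levels below the stager and is itself a child of a Microsoft-signed msiexec.exe, so a rule keyed on the immediate parent alone would miss it.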
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: 135cfce276eac0da591b1c3f6b8ed731
SHA1: 1cba497ed2ed21d74dc953f3924e639a52f7fd9e
SHA256: 1fd2bcc1dccd514b6d71640735a012a9f9e877b063cc10d5061cb371c6b74f0c
SHA512: 5e952b407fe429460c63c20ab9a7a137c26d8d413e6e5e5008c071408994860cbc10533e8cd72163d2e841b7cca7bbee50d4ca5c1d69b9ba8e60c88aa02598be

Filesize: 22.5MB
MD5: 1698d9ac0c1167d6cf7b8a32ebff81b3
SHA1: 31241974219fcba442fe61937df9a891fcf829ac
SHA256: 796ca26fc493a66153fc1129acc989bddef7fccf7ca3cbfac409088be8437378
SHA512: 40e416467ac416c87efd8e7876a86c9f618684ddd0b107108345d7ac67c0db7ed72f395844ac1dc8f5039683593015bf61ab84bf5ba5f22797d8419aacb9e16f

Filesize: 75KB
MD5: 84fb59541357ebbac17a5dd906b3957e
SHA1: ef72d52c513b97a066a4922609862559645a6f7a
SHA256: 44e527b61336921190fca1222af6ced398b67b36a7803c05525eb5dc9a18a93a
SHA512: 8547ae3ebcf38b9c46b18ad0264222a93520bf55fd2fbbcbe757b61b5fd18d209817dae5dc432f12c65fae6be769da6f71c1b24afe03ef473854e1b00baeec01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227
Filesize: 5B
MD5: 5bfa51f3a417b98e7443eca90fc94703
SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6
Filesize: 212B
MD5: b169461f3e15c925d68c20944422b2a9
SHA1: 261ba7c06ae4cb15527333b6ada2e82aed68df3d
SHA256: 4ab611635e17db883b686bde73f855d8ac00d18ef8033e60ab20e7ca7826bc2f
SHA512: 69f2f4ee9291e5df1b56215865ebbac76f145a28eb11e7dc941d3baefd063cf8511e794ad0fbb746cc12d9a21daf377482f346bda61e213f06727108a0acee19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227
Filesize: 404B
MD5: 333636fce121c2978a5739021e2b797c
SHA1: 7ab76a22da00e8c26e0e4d0d4edb89e05fe07b2c
SHA256: 650c0c900ae1e27caec55b7ac569189a60751bd65ca81c2c7c262cb101afbf46
SHA512: 3483b4e4b63b29cdeefa455e27ee69149d2d23b67c10c7072bc66cfb452e7dc70c55bf7f6e984f97379bb5ff911c81f09d3af6ed52fcd7565978754dea3f3793

Filesize: 15KB
MD5: a3a548c9b02b9cb91721da152bc34f04
SHA1: 147daf95f1417a9f2ba6e6cea47c631a0b5992f1
SHA256: 944cf2dd7c284d006dc87c3768bbace5469f8f6d8b3e1df7fbf3e751b7583451
SHA512: 54e0742685862c39b989319d1858f965011073b8998b72bb5e08573c51b6d486e77ee4354110089a9e20929f517441bc1b26e2cd4eb934cffb306d5d007a31fb

Filesize: 73KB
MD5: ca6be57a4f75e216f320f97ae1098ff6
SHA1: 3d8824b17c5a4c4afb887182a9af68c981b4b859
SHA256: 7061f18bc963a9452432458cbffba4607ab55c360cfda38dda2fb913adb7a3ed
SHA512: 8ff5f86a03d70bbe5cc34c0ce3586d49edccf557ed3f6565cebd07fb9218cb6ebf80f536f93ea0401373e309127bfe9dea83f66325623a5bc66ce677be886804

Filesize: 23.6MB
MD5: 66105820fc90d4728885dc0a497b8213
SHA1: 4575ee17d6c1ee5ff114ca1be6b5ae547d6df965
SHA256: eb34cd95f9da684b1d680bc5d7d710fbd14318d341711a9e53b43578ad7d9310
SHA512: a865fa5fb01509ca9a18d51f4d173b4fbf6ee61c8cb1a13ccde2bb99f134085355325240a598eec5c9bb5138ba8c00ad577a17611ae9d0844baa34e74aaa72d3

Filesize: 148KB
MD5: 14c01c848d8452005734858a64b6784b
SHA1: d3d81fcd1267095880218ef09b92220248905ea8
SHA256: fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185
SHA512: 8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

Filesize: 428B
MD5: fdf88ca705e1a899d4a91fe6c8e40599
SHA1: 35f04651a8fd95aadeca1e5f48102f29cac860c1
SHA256: 1e723a7c5326ea52789477010a62e2fc03db75d72a1490c1045f34190c93b39a
SHA512: 8d0312c5f47b0c11e3c9396e2f66bb344fe316286513a7f262f023d0958686a3340667d68d656d4a1dc2d3f5d60dcfb50953b2833253b67f1088a34648323000

Filesize: 24.1MB
MD5: 364b06f01f3a03aaf0de948ceabb8d23
SHA1: 5d9950869504d54cf35007b0f8ef2c5f7e3200e0
SHA256: 3da1696ade8014954e36afe3ea95882e3038c2a15f5d2f41c60e5cf1fd6b60c1
SHA512: 74fdc2015335a44b3dc4e1f176d9deb178b0f8c77541bcfb765825b3372b94ae9a16a738332029a03beae647a8279a225fed1346b28eafc311efee29f57fdc27

\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{729122ff-2dbe-4599-b174-1de76be55a9b}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 1deea66b68b0a009d1956648d9baa5f3
SHA1: 8db166965e6769eccc83da411f0faed319d7f287
SHA256: a56a721e6d930f989c0581b1ee255f2f3a5eb9df0b408e119d7ad2598ebfd344
SHA512: 1a694db2042c600525941f72ccd8bdff0b87e8c3a02d449a6c776aee33fc98f8cc44150ed873781dae7ed2dd440a85348848233b469d6b9261dcadd011d47b7b

The three CryptnetUrlCache entries are Windows' CryptoAPI URL cache (certificate, CRL and OCSP fetches made while signatures were checked) and the System Volume Information entry is restore-point metadata; neither set is content the sample wrote. Entries listed without a path are recorded here by hash only.