f9e8de832dbf43733ea5f447aeb7ef232862e4a485ca86c5ce72307395b99ee0

Resubmissions

13-10-2024 12:02

241013-n7wrfazfnm 6

13-10-2024 11:47

241013-nxwzfszbrq 6

Analysis

max time kernel
152s
max time network
169s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YoudaoDict_fanyiweb_navigation.msi
Size

187.0MB
MD5

70aeba0286a77763521f8c06a1cebf60
SHA1

24af28f2b995668258e108dd44bc4c9111192c13
SHA256

04c09c1d4c7674a6a70fcc6aa742aa300bd78f724d6de610d3809b444326b12f
SHA512

4f2b9d38e8abdcb4bcc75b6445519a8ebec0c6770b4f5c0c2c0e8890c88bce47bfcfa0fc22b523304b155782151d32e7501cbd2d36af7cd9f5492360e8bbaee0
SSDEEP

3145728:rObtNwBblcqir6N2pdI5OExQPPc0Bi8NKIM5ZTs5+IVzqYqBMeutEsSQHXLY+gQe:Shdueq5dxQncq2RBs5XzqABtEqTjtxO

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
5	472	MsiExec.exe
7	472	MsiExec.exe
9	472	MsiExec.exe
12	472	MsiExec.exe
14	472	MsiExec.exe
17	472	MsiExec.exe
19	472	MsiExec.exe
21	472	MsiExec.exe
22	472	MsiExec.exe
24	472	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3A23.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI49B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File created	C:\Windows\Installer\f7837d2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F91.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A9B.tmp	msiexec.exe
File created	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E0E.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7837d5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7837d2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI402E.tmp	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
2600	MsiExec.exe
2600	MsiExec.exe
2600	MsiExec.exe
2600	MsiExec.exe
472	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2200	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	msiexec.exe
2868	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeSecurityPrivilege	2868	msiexec.exe
Token: SeCreateTokenPrivilege	2200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2200	msiexec.exe
Token: SeLockMemoryPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeMachineAccountPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeLoadDriverPrivilege	2200	msiexec.exe
Token: SeSystemProfilePrivilege	2200	msiexec.exe
Token: SeSystemtimePrivilege	2200	msiexec.exe
Token: SeProfSingleProcessPrivilege	2200	msiexec.exe
Token: SeIncBasePriorityPrivilege	2200	msiexec.exe
Token: SeCreatePagefilePrivilege	2200	msiexec.exe
Token: SeCreatePermanentPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeDebugPrivilege	2200	msiexec.exe
Token: SeAuditPrivilege	2200	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2200	msiexec.exe
Token: SeChangeNotifyPrivilege	2200	msiexec.exe
Token: SeRemoteShutdownPrivilege	2200	msiexec.exe
Token: SeUndockPrivilege	2200	msiexec.exe
Token: SeSyncAgentPrivilege	2200	msiexec.exe
Token: SeEnableDelegationPrivilege	2200	msiexec.exe
Token: SeManageVolumePrivilege	2200	msiexec.exe
Token: SeImpersonatePrivilege	2200	msiexec.exe
Token: SeCreateGlobalPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	3024	vssvc.exe
Token: SeRestorePrivilege	3024	vssvc.exe
Token: SeAuditPrivilege	3024	vssvc.exe
Token: SeBackupPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2092	DrvInst.exe
Token: SeLoadDriverPrivilege	2092	DrvInst.exe
Token: SeLoadDriverPrivilege	2092	DrvInst.exe
Token: SeLoadDriverPrivilege	2092	DrvInst.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe
Token: SeTakeOwnershipPrivilege	2868	msiexec.exe
Token: SeRestorePrivilege	2868	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 2600	2868	msiexec.exe	34
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35
PID 2868 wrote to memory of 472	2868	msiexec.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F3F8495E15B2A8DCAAFC1CC4C8275E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B12403201B59C22787D0BA8CA7F19147 M Global\MSI0000
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSI3A23.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
\Windows\Installer\MSI4A9B.tmp

Filesize
760KB

MD5
df6d353853f28e4c4c0464b83f5220f2

SHA1
d714c58314b018f6599c4ff0518d2867bb3eca44

SHA256
dc64604e2a5dd9f1c01fd583f847d871269d680f1241644db0828e3adaf7067b

SHA512
3cfd6150e69c3e1201c57a43ab31a8021703ebf03271d1f6eb9cd20b3283484364bad905041b4a1b5e7139e9ecbb60764be6cb4c975be73e3c9413d6cd6a22be

Download Submit