Analysis
Max time kernel: 149s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18-10-2024 16:04
Static task: static1
Behavioral task: behavioral1
Sample: 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Size: 4.5MB
MD5: 5853b884a32eb9e9503eac435ee36ecf
SHA1: 191d500dbf1f089a0ad2c8f1221bffd4ca10ce76
SHA256: 217258eb9bcbf4c2ee3667e17a79327cfd33698335fccd94300c6789dbb47c54
SHA512: 076c51793de919f402fbe9345fbca2fb2b6a2ef2aff9d91242953df0e4bbcac5f85b290969ed81e941f1d0677a137eba7dd7406b225676adf939cdc264dbb57c
SSDEEP: 98304:ayE+lPT8meQ3pv6kTcKCR88WurxVs5QXjyT+oriOs7w29:ayvlAhO7eRpW9Adolup9
Malware Config
Extracted
Family: darkcomet
Botnet: Ventrilo
C2: explom.no-ip.biz:1605
Mutex: DC_MUTEX-FERVLC3
Attributes:
InstallPath: Microsoft\svchost.exe
gencode: rSCW9FFPzzcL
install: true
offline_keylogger: true
persistence: true
reg_key: Microsoft
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | ventrilo-3.0.8.Windows-i386.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe, ventrilo-3.0.8-Windows-i386.exe, ventrilo-3.0.8.Windows-i386.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | ventrilo-3.0.8-Windows-i386.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | ventrilo-3.0.8.Windows-i386.exe
Executes dropped EXE 6 IoCs
Processes: ventrilo-3.0.8-Windows-i386.exe, ventrilo-3.0.8.Windows-i386.exe, MAP1.exe, ventrilo-3.0.8.Windows-i386.exe, svchost.exe, svchost.exe
pid | Process
3020 | ventrilo-3.0.8-Windows-i386.exe
4788 | ventrilo-3.0.8.Windows-i386.exe
2920 | MAP1.exe
1900 | ventrilo-3.0.8.Windows-i386.exe
3920 | svchost.exe
4344 | svchost.exe
Loads dropped DLL 7 IoCs
Processes: MsiExec.exe, MsiExec.exe, MsiExec.exe
pid | Process
2208 | MsiExec.exe
2208 | MsiExec.exe
2208 | MsiExec.exe
756 | MsiExec.exe
756 | MsiExec.exe
1980 | MsiExec.exe
756 | MsiExec.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe, svchost.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | ventrilo-3.0.8.Windows-i386.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe" | svchost.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | Process
File opened (read-only) | \??\A: through \??\Z:, every drive letter except C:, D: and F: (23 letters, each letter appearing twice, 46 rows in total) | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe, svchost.exe
pid | Process
4788 | ventrilo-3.0.8.Windows-i386.exe
3920 | svchost.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe, svchost.exe
description | pid | Process | procid_target
PID 4788 set thread context of 1900 | 4788 | ventrilo-3.0.8.Windows-i386.exe | 93
PID 3920 set thread context of 4344 | 3920 | svchost.exe | 97
Memory dumps matching yara rule upx 19 IoCs
resource | yara_rule
behavioral2/memory/<pid>-<n>-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
for PID 1900 with n = 41, 43, 44, 45, 85 and for PID 4344 with n = 78, 79, 81, 82, 87, 89, 216, 218, 219, 220, 230, 231, 232, 233 (all 19 dumps cover the same 0x0000000000400000-0x00000000004B7000 region)
Drops file in Program Files directory 64 IoCs
Processes: 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe, msiexec.exe, ventrilo-3.0.8-Windows-i386.exe
description | ioc | Process
5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe (5 rows):
File opened for modification | C:\Program Files (x86)\Ventrilo Setup
File created | C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
File opened for modification | C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
File created | C:\Program Files (x86)\Ventrilo Setup\MAP1.exe
File opened for modification | C:\Program Files (x86)\Ventrilo Setup\MAP1.exe
ventrilo-3.0.8-Windows-i386.exe (2 rows):
File created | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI
File opened for modification | C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI
msiexec.exe (57 rows, all "File created", all under C:\Program Files (x86)\Ventrilo\):
Ventrilo.exe, default.vet
Sound files (16): Binds.wav, Channel.wav, ChannelJoin.wav, ChannelLeave.wav, connect.wav, MicKeyDown.wav, MicKeyUp.wav, missing.wav, MuteMic.wav, MuteSound.wav, privchatmsg.wav, privchatopen.wav, SwitchBindings.wav, UserComment.wav, UserConnect.wav, UserDisconnect.wav
Doc\ (39): binds.htm, channel.htm, device-logitech-g15.htm, device-logitech-g35.htm, device-overlay.htm, ducking.htm, grptrgcmd.htm, grptrgvoice.htm, logo_small.jpg, main.htm, main.jpg, mainmenu.jpg, monitor.jpg, monitorbadsource.jpg, monitorbegin.jpg, playcontrol.gif, properties.gif, recordingcontrol.gif, server.htm, setup.htm, setupevents.htm, setupglobal.htm, setupmisc.htm, setupnetwork.htm, setupoverlay.htm, setupspeech.htm, setupvoice.htm, sfx.htm, srvprop.htm, test.jpg, user.htm, usereditor.htm, usereditor-admin.htm, usereditor-chanadmin.htm, usereditor-chanauth.htm, usereditor-display.htm, usereditor-network.htm, usereditor-transmit.htm, useroptions.htm
Drops file in Windows directory 15 IoCs
Processes: msiexec.exe, MsiExec.exe, MsiExec.exe
description | ioc | Process
File created | C:\Windows\Installer\e582611.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI27A9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI272B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C8C.tmp | msiexec.exe
File opened for modification | C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini | MsiExec.exe
File created | C:\Windows\Installer\e582613.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2DF5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e582611.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI268E.tmp | msiexec.exe
File created | C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini | MsiExec.exe
File created | C:\Windows\Installer\SourceHash{789289CA-F73A-4A16-A331-54D498CE069F} | msiexec.exe
File opened for modification | C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini | MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: MsiExec.exe, svchost.exe, notepad.exe, MsiExec.exe, 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe, msiexec.exe, notepad.exe, ventrilo-3.0.8.Windows-i386.exe, svchost.exe, MsiExec.exe, ventrilo-3.0.8-Windows-i386.exe, ventrilo-3.0.8.Windows-i386.exe, MAP1.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe (3 rows), svchost.exe (2 rows), notepad.exe (2 rows), ventrilo-3.0.8.Windows-i386.exe (2 rows), 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe, msiexec.exe, ventrilo-3.0.8-Windows-i386.exe, MAP1.exe (13 rows in total, all for the same key)
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | Process (all rows vssvc.exe; <DiskKey> below stands for \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters)
Key opened | <DiskKey> | vssvc.exe
Key queried | <DiskKey> | vssvc.exe
Key created | <DiskKey>\Partmgr | vssvc.exe
Set value (data) | <DiskKey>\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | <DiskKey>\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
Processes: msiexec.exe
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 32 IoCs
Processes: msiexec.exe
description | ioc | Process (all 32 rows msiexec.exe)
Ventrilo URL protocol handler (9 rows):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo
Key created | \REGISTRY\MACHINE\Software\Classes\Ventrilo
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\ = "URL:Ventrilo Protocol"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\URL Protocol
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\shell
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\shell\open
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\shell\open\command
Key created | \REGISTRY\MACHINE\Software\Classes\Ventrilo\shell\open\command
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Ventrilo\shell\open\command\ = " -l%1"
Windows Installer product registration (23 rows; <Product> below stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AC982987A37F61A43A13454D89EC60F9):
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\150F4E94C1705794F9C644C2D300DDDB
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\150F4E94C1705794F9C644C2D300DDDB\AC982987A37F61A43A13454D89EC60F9
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AC982987A37F61A43A13454D89EC60F9
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AC982987A37F61A43A13454D89EC60F9\Complete
Key created | <Product>
Set value (str) | <Product>\ProductName = "Ventrilo Client"
Set value (str) | <Product>\PackageCode = "92298F87C5FF9F24FA355069159532D8"
Set value (int) | <Product>\Language = "1033"
Set value (int) | <Product>\Version = "50331656"
Set value (int) | <Product>\Assignment = "1"
Set value (int) | <Product>\DeploymentFlags = "3"
Set value (int) | <Product>\AdvertiseFlags = "388"
Set value (int) | <Product>\InstanceType = "0"
Set value (int) | <Product>\AuthorizedLUAApp = "1"
Set value (data) | <Product>\Clients = 3a0000000000
Key created | <Product>\SourceList
Set value (str) | <Product>\SourceList\PackageName = "WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI"
Set value (str) | <Product>\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Common Files\\Wise Installation Wizard\\"
Key created | <Product>\SourceList\Net
Set value (str) | <Product>\SourceList\Net\1 = "C:\\Program Files (x86)\\Common Files\\Wise Installation Wizard\\"
Key created | <Product>\SourceList\Media
Set value (str) | <Product>\SourceList\Media\1 = ";LABEL"
Set value (str) | <Product>\SourceList\Media\DiskPrompt = "[ProductName] [1]"
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe, svchost.exe
pid | Process
4788 | ventrilo-3.0.8.Windows-i386.exe
4788 | ventrilo-3.0.8.Windows-i386.exe
3920 | svchost.exe
3920 | svchost.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: svchost.exe
pid | Process
4344 | svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, ventrilo-3.0.8.Windows-i386.exe
description | pid | Process (grouped by process; the raw table lists one row per token adjustment)
msiexec.exe, PID 1460 (39 rows; several privileges are requested more than once): Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
msiexec.exe, PID 852 (1 row): Token: SeSecurityPrivilege
ventrilo-3.0.8.Windows-i386.exe, PID 1900 (24 rows): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | Process
1460 | msiexec.exe
1460 | msiexec.exe
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: ventrilo-3.0.8.Windows-i386.exe, svchost.exe, svchost.exe
pid | Process
4788 | ventrilo-3.0.8.Windows-i386.exe
4788 | ventrilo-3.0.8.Windows-i386.exe
3920 | svchost.exe
3920 | svchost.exe
4344 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe, ventrilo-3.0.8-Windows-i386.exe, ventrilo-3.0.8.Windows-i386.exe, ventrilo-3.0.8.Windows-i386.exe, msiexec.exe, svchost.exe, svchost.exe
description | pid | Process | procid_target (each writer/target pair below appears several times in the raw table; the target process names are taken from the process tree)
PID 4656 wrote to memory of 3020 | 4656 | 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe | 87 (ventrilo-3.0.8-Windows-i386.exe)
PID 4656 wrote to memory of 4788 | 4656 | 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe | 88 (ventrilo-3.0.8.Windows-i386.exe)
PID 4656 wrote to memory of 2920 | 4656 | 5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe | 89 (MAP1.exe)
PID 3020 wrote to memory of 1460 | 3020 | ventrilo-3.0.8-Windows-i386.exe | 90 (msiexec.exe)
PID 4788 wrote to memory of 1900 | 4788 | ventrilo-3.0.8.Windows-i386.exe | 93 (ventrilo-3.0.8.Windows-i386.exe, second instance)
PID 1900 wrote to memory of 3644 | 1900 | ventrilo-3.0.8.Windows-i386.exe | 94 (notepad.exe)
PID 852 wrote to memory of 2208 | 852 | msiexec.exe | 95 (MsiExec.exe)
PID 1900 wrote to memory of 3920 | 1900 | ventrilo-3.0.8.Windows-i386.exe | 96 (svchost.exe)
PID 3920 wrote to memory of 4344 | 3920 | svchost.exe | 97 (svchost.exe, second instance)
PID 4344 wrote to memory of 3500 | 4344 | svchost.exe | 98 (notepad.exe)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe"
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4656
-
  C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe
  Command line: "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3020
  -
    C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI" WISE_SETUP_EXE_PATH="C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 1460
-
  C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
  Command line: "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4788
  -
    C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
    Command line: "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1900
    -
      C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      - System Location Discovery: System Language Discovery
      PID: 3644
    -
      C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3920
      -
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4344
        -
          C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          - System Location Discovery: System Language Discovery
          PID: 3500
-
  C:\Program Files (x86)\Ventrilo Setup\MAP1.exe
  Command line: "C:\Program Files (x86)\Ventrilo Setup\MAP1.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID: 2920
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 852
-
  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C3E0B00F71CC63CF864109C9D484A7DF C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID: 2208
-
  C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID: 4024
-
  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A691EB9E1DFECD6C16BDFA5D3928C90B
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 756
-
  C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DF5A16F0BD751E9656BD75578FC5D537 E Global\MSI0000
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 1980
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID: 2900
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
-
Filesize: 12KB
MD5: 4890da0b06d93660d80f25be51c3b5c7
SHA1: 2270ef415a4d51341e2682ec5eed058d95a930fd
SHA256: b0fcbfb96c97754d59b382d8532930cec9452f0c5d285f85c3f3fa55e385f1f9
SHA512: f4f39c33ee2c2f7943ed8642249a003a2ad1677da524d036dd63c94cda06a755e6aa4dcd7f76f8e160700091672d4796e9a13c7fc3e03b2828b1281f3b8362f8
-
C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI
Filesize: 3.5MB
MD5: 3e42e54d2c55142018961a747dc699b9
SHA1: 1ad9e9802c7c260608e9a528cf75169ddde4855e
SHA256: 80affd66d6a8aaace9c1ee5ca1ced8830da555f55c597f2c3f13263d6a7f96c4
SHA512: c3b6060316c11f045898aacdfba4d10baeb0f8498013d4cb6003bbb010d968c9b24904365e9f8494cde6e5975a3a6f816ad74075d4d0c04e83d1aa49e35c1cf8
-
Filesize: 32KB
MD5: 4d1ac64b7a55d850808755f029dbb419
SHA1: 2618a2e1965db421acd331368818bab7fca6bec7
SHA256: 548fbf0fab4a87d767249073d1f7446f67ab33db667695e4249122d52190fe8f
SHA512: ce0b1f33f9d3b7c3903e21e55e1f68e8fc864a58e68966e0a818662200698d2234576d1d1e6b4832bfd0b5def9202797aa1cfcfc841260bb50ee8b49100148a0
-
Filesize: 3.6MB
MD5: 0cd0a1eebefd190dbc43a5971aeb039b
SHA1: 32364cd9237866d9b844768d191ef004c1433c79
SHA256: 4006f4689aa26ba3a3ee884bbeefc9087dadf72e1061b4e882f3db8f3718dca4
SHA512: 682faf34820929b9ae6b4adf0b0a0e2f4086171733156091aa844176dd1d1108996462e4f827b8086b8351395848182f7a60b774a85eb2bca25a27e7cbc25789
-
Filesize: 1.3MB
MD5: 8d49418ba2a035f7629cc8f6f2f3caff
SHA1: 9725fff811057580dee552db0cb66e574fffd329
SHA256: daf6330d2c2df87edcafae8e8abfbe0dcd2429cd0be76986500b743fdfc268b1
SHA512: 9411db8cd3984515ba26861c31fc67c2cac7954dee239b5846a2387767dd7442c570f613cff922c56c683d2ad6d4bb7b9012039c58a65ab1cb0d5f5b74ee08bf
-
Filesize: 2.7MB
MD5: 32b24cbb45516f762dfff7e02889b186
SHA1: 948b9dfd84abfbb743975ad38617636c81215271
SHA256: 10c6bc85e200f5066990766510dab54ef31f5bea4e5ce21cbae144657c281cdc
SHA512: c88b124964a1b62f0a5b8169d527d98c7c2a858736140a812932c9d6c4ca2ed2dbd84cbf7a7d51fef13111f47598d355edaf48db60e505ed41e37b3f465a1e3f
-
Filesize: 160KB
MD5: d9d9718000704053e7325752829bd5c9
SHA1: b7096b33219a78752ad128aaacc468047ca7c5aa
SHA256: 80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3
SHA512: 6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691
-
Filesize: 8KB
MD5: 53bfc64d0c686ad04e92ca884bcfacf6
SHA1: 354489a29bb5164c32a1cb567855723e15e957b8
SHA256: 84fd0ecbe013c9af8649b8de36807ad2f37d33cd85fb9ebd1b01b59f295a8051
SHA512: 3374ea30f69106db3da1e324fd7bd794d100e750984dc0bb160f16f3561d3a8d1e237a363d0f06d88efdfbaa41c9f9550016632470df52e1b41ec31c01ce57b8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3227495264-2217614367-4027411560-1000\88603cb2913a7df3fbd16b5f958e6447_423fd5c7-8559-4b8c-bf1f-c9d05c9f0fd3
Filesize: 51B
MD5: 5fc2ac2a310f49c14d195230b91a8885
SHA1: 90855cc11136ba31758fe33b5cf9571f9a104879
SHA256: 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
SHA512: ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
-
Filesize: 163KB
MD5: abe0764ff0decd7a47bfc5a675ec00ed
SHA1: a0455605fbe30e0a20ee86d9af21fc05f2a64a7e
SHA256: 174a44b923505faaf569bfd19393325477358eacdcbc8600b741d838e344c113
SHA512: c156fa0f4cb6d67f72828e705aebffc54ed5470db5f632c32dab4a50617ab38b06de4c00f79676c38b581e3b8501292c5d0067366b38480dc9f793e9912e1365
-
Filesize: 176B
MD5: f47e2a9916c3135dad1c06ec36e56fc5
SHA1: c8fe9d0fc5ba077ddba2a5babb99ab31c69c42c1
SHA256: 9bace7507ff37e3b873153883917d7beb9adfaca3a127ee729abf594e29e4d1f
SHA512: 6b4aafcdc100d8a44d833c21ee16a0a1fa3a9deb7c0710f6009286a96b5727d2779b17318d54950a76abb586930b1a40741f3416d58b6a04f44cdc1842d9301f
-
Filesize: 24.1MB
MD5: cbaf73658425e0f2ae2b6b0279ee4ed3
SHA1: a07a560ef7e3abc7ead4a86b25b4d55b4d1e3e98
SHA256: 0ecab0ac0c09c57caf23ee7a03e869410e15319fef00ad4968260a5b179cf6ed
SHA512: a93dc1f72c0a462c0c5b6eb248489e7c2398123c34de0723032451dd7014a8f8ec53e3be758b8c697b4e27fd3eb8cbd522890f00ea62fd05b8e02fe0cff67f4c
-
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa01db3b-8aa1-4eb8-ae5c-6cb77e044742}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 0a8dcf1391cc2558d14968465ea3ad09
SHA1: 99f03523bde4d8df78235e3ea73e3423723835e8
SHA256: a7f75b4a596b4d5619bc1da2eed0d6fdddb8857641fb48c567b7d4f88cd8bc01
SHA512: 4303a74f9fa2e4898a40a6802d5268cb4249a5b9619948c52b61e68da11863223e6125e15a745917161de346a75e643bf777f6b629d249b3fbdc8d886e986639