Analysis
max time kernel: 92s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 22:11
Static task: static1
Behavioral task: behavioral1
Sample: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Resource: win7-20240903-en
General
Target: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Size: 9.1MB
MD5: 308c04f14ff0bff5e554d5975473f5b3
SHA1: 3e52120b1a88ea5b6a958fa5605c80f3b6b36b19
SHA256: 3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9
SHA512: 4fe68d69be8db7185196445e5577e69fb3f7600212e3bad5a51d629a8d5dfd5847a8e3b15532b1cc34465ed27c2c005b1938bf6b9fc6119092910e96bad7a99e
SSDEEP: 196608:9xNufAVuSI58ehsqy3QP0K5OuTf2EugphAV:9WfuI5qT3Q8YOub2QhAV
Malware Config
Signatures
-
Loads dropped DLL 16 IoCs
pid  Process
4620  MsiExec.exe
4620  MsiExec.exe
4620  MsiExec.exe
4620  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
2976  MsiExec.exe
3136  MsiExec.exe
3136  MsiExec.exe
3136  MsiExec.exe
3136  MsiExec.exe
3136  MsiExec.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\O:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\B:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\X:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\M:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\N:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\Y:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\W:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\Z:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\P:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\T:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\E:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\I:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\K:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\R:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\U:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\G:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\V:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\L:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\H:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\J:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\Q:  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
-
Drops file in Windows directory 12 IoCs
description  ioc  Process
File opened for modification  C:\Windows\Installer\e583350.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI341C.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI342C.tmp  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI36CE.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3A1B.tmp  msiexec.exe
File created  C:\Windows\Installer\e583350.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI33CD.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3537.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\SourceHash{601C1884-2829-48C4-970E-C3FD2A252226}  msiexec.exe
-
Command and Scripting Interpreter: PowerShell 1 IoCs
pid  Process
5020  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid  Process
4324  msiexec.exe
4324  msiexec.exe
5020  powershell.exe
5020  powershell.exe
5020  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeSecurityPrivilege  4324  msiexec.exe
Token: SeCreateTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeAssignPrimaryTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeLockMemoryPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeIncreaseQuotaPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeMachineAccountPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeTcbPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSecurityPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeTakeOwnershipPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeLoadDriverPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemProfilePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemtimePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeProfSingleProcessPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeIncBasePriorityPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreatePagefilePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreatePermanentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeBackupPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeRestorePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeShutdownPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeDebugPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeAuditPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemEnvironmentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeChangeNotifyPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeRemoteShutdownPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeUndockPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSyncAgentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeEnableDelegationPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeManageVolumePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeImpersonatePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreateGlobalPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreateTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeAssignPrimaryTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeLockMemoryPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeIncreaseQuotaPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeMachineAccountPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeTcbPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSecurityPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeTakeOwnershipPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeLoadDriverPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemProfilePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemtimePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeProfSingleProcessPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeIncBasePriorityPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreatePagefilePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreatePermanentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeBackupPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeRestorePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeShutdownPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeDebugPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeAuditPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSystemEnvironmentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeChangeNotifyPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeRemoteShutdownPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeUndockPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeSyncAgentPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeEnableDelegationPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeManageVolumePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeImpersonatePrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreateGlobalPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeCreateTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeAssignPrimaryTokenPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeLockMemoryPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeIncreaseQuotaPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
Token: SeMachineAccountPrivilege  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid  Process
1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
2272  msiexec.exe
2272  msiexec.exe
-
Suspicious use of WriteProcessMemory 16 IoCs
description  pid  Process  procid_target
PID 4324 wrote to memory of 4620  4324  msiexec.exe  90
PID 4324 wrote to memory of 4620  4324  msiexec.exe  90
PID 4324 wrote to memory of 4620  4324  msiexec.exe  90
PID 1080 wrote to memory of 2272  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe  91
PID 1080 wrote to memory of 2272  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe  91
PID 1080 wrote to memory of 2272  1080  3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe  91
PID 4324 wrote to memory of 2976  4324  msiexec.exe  92
PID 4324 wrote to memory of 2976  4324  msiexec.exe  92
PID 4324 wrote to memory of 2976  4324  msiexec.exe  92
PID 4324 wrote to memory of 1616  4324  msiexec.exe  105
PID 4324 wrote to memory of 1616  4324  msiexec.exe  105
PID 4324 wrote to memory of 3136  4324  msiexec.exe  107
PID 4324 wrote to memory of 3136  4324  msiexec.exe  107
PID 4324 wrote to memory of 3136  4324  msiexec.exe  107
PID 3136 wrote to memory of 5020  3136  MsiExec.exe  108
PID 3136 wrote to memory of 5020  3136  MsiExec.exe  108
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1080
  -
  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Tech Rider\BotMaster 9.6.0.2\install\BotMaster.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3fc13d5937a16330fe4deeb829faaefa461d2a62382bf347d4f7ab81002fe9f9.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1730776862 "
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2272
-
C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4324
  -
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 02681DBC0707EC86E0D141F3CE8218E6 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4620
  -
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0D56101BF89E87F15F8356480548481 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2976
  -
  C:\Windows\system32\srtasks.exe
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:1616
  -
  C:\Windows\syswow64\MsiExec.exe
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding A7D6F75C074FD859B9452EE3BF633888
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3136
    -
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3A67.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3A26.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3A27.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3A28.txt" -propSep " :<->: " -testPrefix "_testValue."
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      PID:5020
-
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  PID:5076
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 12KB
MD5 5f6253cff5a8b031bfb3b161079d0d86
SHA1 7645b13610583fb67247c74cf5af08ff848079e7
SHA256 36d9bab35d1e4b50045bf902f5d42b6f865488c75f6e60fc00a6cd6f69034ab0
SHA512 d1fdc364bedf931512000fbf05e854d5aceccb48abb9ec49e68476a5dc2907267490290d92acbb267ffb7bdba9b7a1c88f1eb77830cf953443f4624995dabdc3
-
Filesize 436KB
MD5 5788efa607d26332d6d7f5e6a1f6bd6f
SHA1 e7749843cc3e89bc81649087de4ad44c93d48bc6
SHA256 9fc2608c9e5ef5a88dd91c82660fa297144ba6bbf4602140d638de7233a4625d
SHA512 ce472ca4f956da4160cfd9b9051455974e24dd8b23a0b7b197afd1f7552e37980809e523bedc0d4c2f4c9cb6ef300b221e6404e6e6a1b789b67756550ddd2104
-
Filesize 875KB
MD5 01ab8034f722cbac50b8bcfc36e5b2e8
SHA1 b25868af5713e37c398b712f19692edd7db2d858
SHA256 e5c41b1af4d865b1b4b09a9fcb99a1f6eb2b2a75b148f4390298aff1ea348689
SHA512 25e24e4d691b1fecc6991997ace400682bb812d48374f95a14e21a9045d7905f4630f4672e88b41afd7933b11fb81c10935e49aba337b15924cfc7e814ca2558
-
Filesize 575KB
MD5 8c1a778e0754301c97a660dbf3e8303b
SHA1 f489c45cde796de0d23ee862948f5e50379dee60
SHA256 000b773a448b107cbf3268fea3a0eec388daa71c5f911979c5d21f0cd8d6da54
SHA512 010e76ed659f73cc263ce9b2d2635d775b296c10e53ba133fba6aacde02ed409b19f4c4e2ba6df7730ddc8669c818e99773f25854a1916ccf8acf9e459482fea
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 5KB
MD5 fc1bb6c87fd1f08b534e52546561c53c
SHA1 db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256 a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA512 5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
Filesize 174B
MD5 be3fd03e7358ce9870a780f4cbda6706
SHA1 04d928b64dd995eda2b4dfafabe5066fac218cef
SHA256 5494436492efa6408565f0602abc17e496e35c80f133036dcc699580cf109914
SHA512 b1d9fa9f6f1af0cc0cf0a837cec3c2b1b553f9d02c45dfd86f34ab92b53e21100753edc96267cbeb1b69b4cc83094ffe66cc48587ec6ff56eadaf534c12669a9
-
Filesize 2.8MB
MD5 e91c8022c878fa58ae6eca30e6f49eda
SHA1 f2daa2901f12893ef1d2623c1f066ad9252edc48
SHA256 243236bb49beaa70cd4a8fba55941597213fc18ab444b8aa992c80f2d5ec05e6
SHA512 abe25ba5c90a14c622773e257b0b330696985d0182090716ac1e2843dda20e9b19229fc45612e1eead708d17bd9b79615139a31cca072769d3dbd50f7389d55a
-
Filesize 3.4MB
MD5 2354875ac8ab4d961a17a6405252e046
SHA1 9dedcd3f475b19b12c5db109665aaa03c47816bf
SHA256 b005f78df28e2acd32bdafce18631ca050384c0469b6621f5f9d16d21d4180da
SHA512 574c0d02986e99401f4871b327309a0f31140b1f885f8a5278e5990ea1a2909ecb68060e7049856817e2d48b22c373973494d973af28dd06de0066db36b7efd4
-
Filesize 574KB
MD5 637c0f8f44f26ef0c736b8bbd0222334
SHA1 81aea6f99d67ca19ae1e2a61e9e967ada53cd4c0
SHA256 57dea716197079fad873b65ac02a6e002a43fe01202987541ab5295c0f69d28a
SHA512 24a2a827221b920e7133da56a79a8576e8205c884fda87b67f2821c00ccc99d194f90905dab49bb55b5595ff44d39f7cd38ef975de140bfc6299bad61da6c4d7
-
Filesize 24.1MB
MD5 114ba1374dad68eda69f64a2f23a4753
SHA1 74ce9f781aaa3b4c6569454648be012edd055020
SHA256 52be254101020eadd1d68cf3a27f61744cace3885dabae60732f01be5d244b25
SHA512 7133f57091ea0e35fdbc57cd4e364b311c5767df7640d226f4b5894140abcfee4336dd8a51bbb987ec9ee6031669bccfef97dcb4d4ee36d2f1f4c8439e5f7d51
-
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0be09f63-2769-4844-8542-0c3df0c7ca41}_OnDiskSnapshotProp
Filesize 6KB
MD5 fbfb989d2d227c14eb23174a825ca4e7
SHA1 248dd5f1c13f0263f1a62549605c2429b590ff49
SHA256 cb35d2d7e59a3fb5369712d4e0b693e3b2bd51f5ce8ba52bf71b6b3ce252eb2d
SHA512 8abdb05e2d84e2d5ebd3c52036346cf63e1caeef4ccaa8c096767dcb8cd93d49ad8b611109ae4ef8db882b5edf5f3173bcfc49f269de0e857eed0fc930d5c75b