092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060

General

Target

2345pic_x64.msi
Size

79.4MB
MD5

fe984489b63aa7cd7aee6c48fe69e08d
SHA1

b5cac8c66311b7601e0ef2a1d134bf06a8079497
SHA256

092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
SHA512

806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
SSDEEP

1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1948 powershell.exe

pid	process
1948	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 13 IoCs

Processes:

msiexec.exewBtkOfXYmrXB.exeaAvapbvtIRjv.exe

description	ioc	process
File created	C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs	aAvapbvtIRjv.exe
File created	C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml	wBtkOfXYmrXB.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f76ca23.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76ca22.msi	msiexec.exe
File created	C:\Windows\Installer\f76ca23.ipi	msiexec.exe
File created	C:\Windows\Installer\f76ca25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB5A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76ca22.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

wBtkOfXYmrXB.exeaAvapbvtIRjv.exe2345pic_x64.exe

pid process

1916 wBtkOfXYmrXB.exe
592 aAvapbvtIRjv.exe
1496 2345pic_x64.exe
Loads dropped DLL 5 IoCs

Processes:

2345pic_x64.exe

pid process

1496 2345pic_x64.exe
1496 2345pic_x64.exe
1496 2345pic_x64.exe
1496 2345pic_x64.exe
1496 2345pic_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2380 msiexec.exe

pid	process
1916	wBtkOfXYmrXB.exe
592	aAvapbvtIRjv.exe
1496	2345pic_x64.exe

pid	process
1496	2345pic_x64.exe
1496	2345pic_x64.exe
1496	2345pic_x64.exe
1496	2345pic_x64.exe
1496	2345pic_x64.exe

pid	process
2380	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2345pic_x64.exewBtkOfXYmrXB.exeaAvapbvtIRjv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2345pic_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wBtkOfXYmrXB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aAvapbvtIRjv.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

DrvInst.exemsiexec.exe2345pic_x64.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\GDIPlus\FontCachePath = "C:\\Users\\Admin\\AppData\\Local"	2345pic_x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 70dd8fdfaa33db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus	2345pic_x64.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\ProductName = "EnableMagneticOverseer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\PackageCode = "4FD2201DFC0C4BE40B0948F4609DD271"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B\ED7404498CA2B5843B67AD2732E83349	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Version = "16973827"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\PackageName = "2345pic_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media\1 = ";"	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

wBtkOfXYmrXB.exe

pid process

1916 wBtkOfXYmrXB.exe

pid	process
1916	wBtkOfXYmrXB.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

msiexec.exepowershell.exeaAvapbvtIRjv.exe2345pic_x64.exe

pid	process
2516	msiexec.exe
2516	msiexec.exe
1948	powershell.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
592	aAvapbvtIRjv.exe
1496	2345pic_x64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exepowershell.exewBtkOfXYmrXB.exe

description	pid	process
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeSecurityPrivilege	2516	msiexec.exe
Token: SeCreateTokenPrivilege	2380	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2380	msiexec.exe
Token: SeLockMemoryPrivilege	2380	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2380	msiexec.exe
Token: SeMachineAccountPrivilege	2380	msiexec.exe
Token: SeTcbPrivilege	2380	msiexec.exe
Token: SeSecurityPrivilege	2380	msiexec.exe
Token: SeTakeOwnershipPrivilege	2380	msiexec.exe
Token: SeLoadDriverPrivilege	2380	msiexec.exe
Token: SeSystemProfilePrivilege	2380	msiexec.exe
Token: SeSystemtimePrivilege	2380	msiexec.exe
Token: SeProfSingleProcessPrivilege	2380	msiexec.exe
Token: SeIncBasePriorityPrivilege	2380	msiexec.exe
Token: SeCreatePagefilePrivilege	2380	msiexec.exe
Token: SeCreatePermanentPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	2380	msiexec.exe
Token: SeRestorePrivilege	2380	msiexec.exe
Token: SeShutdownPrivilege	2380	msiexec.exe
Token: SeDebugPrivilege	2380	msiexec.exe
Token: SeAuditPrivilege	2380	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2380	msiexec.exe
Token: SeChangeNotifyPrivilege	2380	msiexec.exe
Token: SeRemoteShutdownPrivilege	2380	msiexec.exe
Token: SeUndockPrivilege	2380	msiexec.exe
Token: SeSyncAgentPrivilege	2380	msiexec.exe
Token: SeEnableDelegationPrivilege	2380	msiexec.exe
Token: SeManageVolumePrivilege	2380	msiexec.exe
Token: SeImpersonatePrivilege	2380	msiexec.exe
Token: SeCreateGlobalPrivilege	2380	msiexec.exe
Token: SeBackupPrivilege	2360	vssvc.exe
Token: SeRestorePrivilege	2360	vssvc.exe
Token: SeAuditPrivilege	2360	vssvc.exe
Token: SeBackupPrivilege	2516	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe
Token: SeLoadDriverPrivilege	2956	DrvInst.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeRestorePrivilege	1916	wBtkOfXYmrXB.exe
Token: 35	1916	wBtkOfXYmrXB.exe
Token: SeSecurityPrivilege	1916	wBtkOfXYmrXB.exe
Token: SeSecurityPrivilege	1916	wBtkOfXYmrXB.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2380 msiexec.exe
2380 msiexec.exe

pid	process
2380	msiexec.exe
2380	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

msiexec.exeMsiExec.execmd.exe

description	pid	process	target process
PID 2516 wrote to memory of 2288	2516	msiexec.exe	MsiExec.exe
PID 2516 wrote to memory of 2288	2516	msiexec.exe	MsiExec.exe
PID 2516 wrote to memory of 2288	2516	msiexec.exe	MsiExec.exe
PID 2516 wrote to memory of 2288	2516	msiexec.exe	MsiExec.exe
PID 2516 wrote to memory of 2288	2516	msiexec.exe	MsiExec.exe
PID 2288 wrote to memory of 1948	2288	MsiExec.exe	powershell.exe
PID 2288 wrote to memory of 1948	2288	MsiExec.exe	powershell.exe
PID 2288 wrote to memory of 1948	2288	MsiExec.exe	powershell.exe
PID 2288 wrote to memory of 1676	2288	MsiExec.exe	cmd.exe
PID 2288 wrote to memory of 1676	2288	MsiExec.exe	cmd.exe
PID 2288 wrote to memory of 1676	2288	MsiExec.exe	cmd.exe
PID 1676 wrote to memory of 1916	1676	cmd.exe	wBtkOfXYmrXB.exe
PID 1676 wrote to memory of 1916	1676	cmd.exe	wBtkOfXYmrXB.exe
PID 1676 wrote to memory of 1916	1676	cmd.exe	wBtkOfXYmrXB.exe
PID 1676 wrote to memory of 1916	1676	cmd.exe	wBtkOfXYmrXB.exe
PID 2288 wrote to memory of 592	2288	MsiExec.exe	aAvapbvtIRjv.exe
PID 2288 wrote to memory of 592	2288	MsiExec.exe	aAvapbvtIRjv.exe
PID 2288 wrote to memory of 592	2288	MsiExec.exe	aAvapbvtIRjv.exe
PID 2288 wrote to memory of 592	2288	MsiExec.exe	aAvapbvtIRjv.exe
PID 2288 wrote to memory of 1496	2288	MsiExec.exe	2345pic_x64.exe
PID 2288 wrote to memory of 1496	2288	MsiExec.exe	2345pic_x64.exe
PID 2288 wrote to memory of 1496	2288	MsiExec.exe	2345pic_x64.exe
PID 2288 wrote to memory of 1496	2288	MsiExec.exe	2345pic_x64.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2380

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding F8B2810EDC175D422430A8293CC181B6 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe
      "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- - C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
    "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:592
- - C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe
    "C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C4" "0000000000000494"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ca24.rbs

Filesize
7KB

MD5
9b731d9ade910ba8bbe24aa9a1e61803

SHA1
f2fc32c9f835142db2a428c1020e8238fef22e50

SHA256
d849741a3b6292089b41a794d8cd1e089a06419241791b351e9a6161cd232b4d

SHA512
35c4de631dc53ec5c060a740f09423c4d546171fe4059f43e8b7b7faceb5a510f4da516cf6c401c4e758327ab0f2f3c8c5430f6ba748cf6296e9406e2423a2d2

Download Submit
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe

Filesize
3.2MB

MD5
90a521d21169049fdf1a244fc2989377

SHA1
e9b0db47e89683444ba886fa8091167e160f6b30

SHA256
7dd65fb863051edda07d0f84c65c36cd7388aa28464eb3f6c541f73c9f195f41

SHA512
e20e25cf49489861dcb00cb4b38f9c96b26b016b55a9b92ab082ef422db98dad3936b6918b65f1874ba4fe1a0208e8bae701aaf3d7e3bdcca3f046eb0826f8dc

Download Submit
C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg

Filesize
2.4MB

MD5
5ac34b87f21ae7fedf4dc629181decf0

SHA1
3890201e28d44a46b6e810b5bc5eddfec78d92b9

SHA256
ffc5b747ee4183aa7b298e7e296981d19321c208ae40b0052f1965033da5ebb4

SHA512
fbfee20bf2795f2e67ef24a1add342d61c131226ab74638447c5be70f4acd0ad9e51db1f58e69e4785446e2af71208a729636c0a79db1415712e67ebad8c2eda

Download Submit
C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF29B.tmp\FileInfo.dll

Filesize
624KB

MD5
cc7eab4f83339cca63f763114ca04c6c

SHA1
4da526e8b270dc16865813801dc5bcda8162c09d

SHA256
a1c9c3b3bc8e75aa91f639da10835210e81aeb7fb5db79ac0703e1594e516b5b

SHA512
d1df9bdb61dcc95e579adf4891c000feee83f9f4a3f82debca617fb62afff16707707681c2f2655aa02756873d5251db74d5b843ec56c3e12ab1120355360ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF29B.tmp\RCWidgetPlugin.dll

Filesize
2.4MB

MD5
2f2ae26fd88c512ac0feb39fa42ee894

SHA1
ac50a5fd61933bdd2a54e6503e39438f05af3304

SHA256
9117cafe403e445a291141ee898845799a165c383d3dfcf76c1870f66782e6b1

SHA512
b919244cd08118a2258cb062e5ce3a4626d82ed0ca3600a018bdb97962b9f96d57d1a08d338fd41fbae4af72debf7840707f67d442e53ec8a15cb8002ee725e6

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF29B.tmp\System.dll

Filesize
27KB

MD5
a568feaa357f44dd50c5e447fa8ee1b2

SHA1
5c765fad342b756d5ea522087c6f7567b5f3ed57

SHA256
57947a15ad3215185c7e15a5f0da393570845a13ab7b184a07fcefbf97537e48

SHA512
7c8c36c0123de839e677beeba65c1af56c5e85d8f1ff2c94950aed33e026dff3fbda8c49859012862110117977c928b814c0d91c477583a2b8f83d73f3cdf174

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF29B.tmp\libcurl_x86.dll

Filesize
2.1MB

MD5
a26e75c0407c87786eea42febdb32532

SHA1
27e52fdca023cb8f031cd55ac37965d93f7f7da7

SHA256
635f988beb849c6510f54f681387bf810c2266bd27834c5a9c160cbfe6df44d4

SHA512
fdd9760442579ad2a3df4f31464f9e66bc19a4390fa1c81afb516cce817097b5324024f712d9c1bf1a11ad30324f5a8aa83c72a732e1197e8804ab806d3859e6

Download Submit
memory/592-61-0x0000000002160000-0x000000000218F000-memory.dmp

Filesize
188KB

Download
memory/1948-17-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1948-18-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2288-12-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads