Analysis
max time kernel: 117s
max time network: 126s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11-11-2024 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: 2345pic_x64.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2345pic_x64.msi
  Resource: win10v2004-20241007-en
General
Target: 2345pic_x64.msi
Size: 79.4MB
MD5: fe984489b63aa7cd7aee6c48fe69e08d
SHA1: b5cac8c66311b7601e0ef2a1d134bf06a8079497
SHA256: 092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
SHA512: 806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
SSDEEP: 1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)

Drops file in Program Files directory (13 IoCs)
Processes: wBtkOfXYmrXB.exe, aAvapbvtIRjv.exe, msiexec.exe
- File created: C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe (wBtkOfXYmrXB.exe)
- File created: C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe (wBtkOfXYmrXB.exe)
- File opened for modification: C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe (wBtkOfXYmrXB.exe)
- File created: C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs (aAvapbvtIRjv.exe)
- File opened for modification: C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml (wBtkOfXYmrXB.exe)
- File created: C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe (msiexec.exe)
- File created: C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg (msiexec.exe)
- File created: C:\Program Files\EnableMagneticOverseer\valibclang2d.dll (msiexec.exe)
- File created: C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe (msiexec.exe)
- File created: C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv (wBtkOfXYmrXB.exe)
- File opened for modification: C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv (wBtkOfXYmrXB.exe)
- File created: C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml (wBtkOfXYmrXB.exe)
- File opened for modification: C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe (wBtkOfXYmrXB.exe)

Drops file in Windows directory (10 IoCs)
Processes: DrvInst.exe, msiexec.exe
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f77054e.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI638.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f770551.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created: C:\Windows\Installer\f77054e.msi (msiexec.exe)
- File created: C:\Windows\Installer\f77054f.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f77054f.ipi (msiexec.exe)

Executes dropped EXE (3 IoCs)
Processes: wBtkOfXYmrXB.exe, aAvapbvtIRjv.exe, 2345pic_x64.exe
- PID 2796: wBtkOfXYmrXB.exe
- PID 2864: aAvapbvtIRjv.exe
- PID 2288: 2345pic_x64.exe

Loads dropped DLL (5 IoCs)
Processes: 2345pic_x64.exe
- PID 2288: 2345pic_x64.exe
- PID 2288: 2345pic_x64.exe
- PID 2288: 2345pic_x64.exe
- PID 2288: 2345pic_x64.exe
- PID 2288: 2345pic_x64.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: wBtkOfXYmrXB.exe, 2345pic_x64.exe, aAvapbvtIRjv.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wBtkOfXYmrXB.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2345pic_x64.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (aAvapbvtIRjv.exe)

Modifies data under HKEY_USERS (50 IoCs)

Modifies registry class (22 IoCs)

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
Processes: wBtkOfXYmrXB.exe
- PID 2796: wBtkOfXYmrXB.exe

Suspicious behavior: EnumeratesProcesses (54 IoCs)

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
- PID 2080: msiexec.exe
- PID 2080: msiexec.exe

Suspicious use of WriteProcessMemory (23 IoCs)

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi
    PID: 2080
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 2580
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe
        Command line: C:\Windows\system32\MsiExec.exe -Embedding 99B61BFCB2BD8551339643A45FA71749 M Global\MSI0000
        PID: 1744
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'
            PID: 2828
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
            PID: 2032
            - Suspicious use of WriteProcessMemory

            C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe
                Command line: "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
                PID: 2796
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
            Command line: "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag3
            PID: 2864
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe
            Command line: "C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"
            PID: 2288
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 1628
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
    Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000314" "00000000000004BC"
    PID: 2316
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads