Analysis
max time kernel: 119s
max time network: 130s
platform: windows7_x64
resource: win7-20240729-es
resource tags: arch:x64, arch:x86, image:win7-20240729-es, locale:es-es, os:windows7-x64, systemwindows
submitted: 12/11/2024, 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  Resource: win7-20240729-es
Behavioral task: behavioral2
  Sample: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  Resource: win10v2004-20241007-es
General
Target: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
Size: 1.9MB
MD5: 2e2febe11417e673b886abe428111b89
SHA1: 4d11a766e023f22058971deebf93cead7bb0ae7a
SHA256: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69
SHA512: cb7fcc2fa38d80acf9c8539efe1beaa401d0ef6a43acd0fcc95e3287fc7b25874d2219c4a4066703e3da6ba23d1b98eba87c4b0bc23ce8a02c84eec97585da36
SSDEEP: 49152:xp21z0A+biU50unDN5GQKNkyRmopy4duG/8Wea/xwu:cK3KNkomky
Malware Config
Signatures
Blocklisted process makes network request (3 IoCs)
  flow | pid | Process
  3 | 2112 | msiexec.exe
  5 | 2112 | msiexec.exe
  6 | 2708 | msiexec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
Drops file in Windows directory (11 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSIE9A0.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEABB.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEC61.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f76e84f.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIECC2.tmp | msiexec.exe
  File created | C:\Windows\Installer\f76e84c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f76e84c.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEA5C.tmp | msiexec.exe
  File created | C:\Windows\Installer\f76e84f.ipi | msiexec.exe
  File created | C:\Windows\Installer\f76e851.msi | msiexec.exe
Executes dropped EXE (1 IoC)
  pid | Process
  268 | MSIECC2.tmp
Loads dropped DLL (3 IoCs)
  pid | Process
  1740 | MsiExec.exe
  1740 | MsiExec.exe
  1740 | MsiExec.exe
Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | MSIECC2.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2112 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIECC2.tmp
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings
All keys below are under \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\
  description | ioc | Process
  Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a7b631fcc4cc0498235ffa3a3c9486b0000000002000000000010660000000100002000000013d10d417fd6a59062a95dd7579f149ddee40bcff818e1a7fd3c1f419a01901d000000000e8000000002000020000000321e94dc1ac2cf94a274e25337a5ee598349ea32a6bf01de352abfa121939f1520000000ee494af99373bcac91ac5d5712766b038fa5f0049f8b32e358d73051e51ccd7640000000e9f6d85915333afa94d4923714aeb222db993b33a6b7f3912bed981c5390e9ce182837307e484bd216f1e4335219f7f4785c13b21bf1ff2c266246cdf25db5e4 | iexplore.exe
  Key created | BrowserEmulation\LowMic | iexplore.exe
  Key created | IETld\LowMic | iexplore.exe
  Key created | PageSetup | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
  Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
  Set value (int) | Recovery\AdminActive\{0AD21F11-A0EE-11EF-A933-DE44A4438D63} = "0" | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\MFV = [value elided] | iexplore.exe
  Key created | GPU | iexplore.exe
  Key created | InternetRegistry | iexplore.exe
  Key created | LowRegistry\DOMStorage | iexplore.exe
  Key created | Toolbar\WebBrowser | iexplore.exe
  Key created | TabbedBrowsing | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
  Key created | DomainSuggestion | iexplore.exe
  Set value (int) | DomainSuggestion\NextUpdateDate = "437574839" | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | SearchScopes | iexplore.exe
  Key created | TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Key created | Main | iexplore.exe
  Key created | Zoom | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Key created | IntelliForms | iexplore.exe
  Key created | LowRegistry | iexplore.exe
  Key created | Toolbar | iexplore.exe
  Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = a0c6e1e1fa34db01 | iexplore.exe
Modifies data under HKEY_USERS (4 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E | msiexec.exe
Modifies registry class (20 IoCs)
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\
  description | ioc | Process
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\InstanceType = "0" | msiexec.exe
  Key created | Features\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
  Set value (str) | Features\0BF6C23D96287B4469EE5949572174D6\MainFeature | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\DeploymentFlags = "3" | msiexec.exe
  Set value (data) | Products\0BF6C23D96287B4469EE5949572174D6\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | Products\0BF6C23D96287B4469EE5949572174D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\Assignment = "1" | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\Language = "1033" | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\AuthorizedLUAApp = "0" | msiexec.exe
  Key created | Products\0BF6C23D96287B4469EE5949572174D6\SourceList | msiexec.exe
  Set value (str) | Products\0BF6C23D96287B4469EE5949572174D6\SourceList\PackageName = "1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi" | msiexec.exe
  Key created | Products\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
  Set value (str) | Products\0BF6C23D96287B4469EE5949572174D6\ProductName = "Installer" | msiexec.exe
  Key created | UpgradeCodes\F2DE54A9E1A28BD4F8F813FEAEBEF3BC | msiexec.exe
  Set value (str) | UpgradeCodes\F2DE54A9E1A28BD4F8F813FEAEBEF3BC\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
  Key created | Products\0BF6C23D96287B4469EE5949572174D6\SourceList\Net | msiexec.exe
  Set value (str) | Products\0BF6C23D96287B4469EE5949572174D6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | Products\0BF6C23D96287B4469EE5949572174D6\PackageCode = "E9FBA36C72B752F4ABB4D937C39A088A" | msiexec.exe
  Set value (int) | Products\0BF6C23D96287B4469EE5949572174D6\Version = "83886080" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2708 | msiexec.exe
  2708 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2112 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2112 | msiexec.exe
  Token: SeRestorePrivilege | 2708 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2708 | msiexec.exe
  Token: SeSecurityPrivilege | 2708 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2112 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2112 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2112 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2112 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2112 | msiexec.exe
  Token: SeTcbPrivilege | 2112 | msiexec.exe
  Token: SeSecurityPrivilege | 2112 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2112 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2112 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2112 | msiexec.exe
  Token: SeSystemtimePrivilege | 2112 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2112 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2112 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2112 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2112 | msiexec.exe
  Token: SeBackupPrivilege | 2112 | msiexec.exe
  Token: SeRestorePrivilege | 2112 | msiexec.exe
  Token: SeShutdownPrivilege | 2112 | msiexec.exe
  Token: SeDebugPrivilege | 2112 | msiexec.exe
  Token: SeAuditPrivilege | 2112 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2112 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2112 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2112 | msiexec.exe
  Token: SeUndockPrivilege | 2112 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2112 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2112 | msiexec.exe
  Token: SeManageVolumePrivilege | 2112 | msiexec.exe
  Token: SeImpersonatePrivilege | 2112 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2112 | msiexec.exe
  Token: SeRestorePrivilege / Token: SeTakeOwnershipPrivilege | 2708 | msiexec.exe (this pair repeats 15 times, 30 entries)
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2112 | msiexec.exe
  2592 | iexplore.exe
  2112 | msiexec.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
  pid | Process
  2592 | iexplore.exe
  2592 | iexplore.exe
  1296 | IEXPLORE.EXE
  1296 | IEXPLORE.EXE
  1296 | IEXPLORE.EXE
  1296 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2708 wrote to memory of 1740 | 2708 | msiexec.exe | 31 (7 entries)
  PID 2708 wrote to memory of 268 | 2708 | msiexec.exe | 32 (7 entries)
  PID 2592 wrote to memory of 1296 | 2592 | iexplore.exe | 34 (4 entries)
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  PID: 2112
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2708
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (child of PID 2708)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F8B2AD4299AA1781E95E2EC1DBB61CB1
    PID: 1740
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\Installer\MSIECC2.tmp (child of PID 2708)
    Command line: "C:\Windows\Installer\MSIECC2.tmp" https://seekspot.io/tyy
    PID: 268
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 2592
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 2592)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2
    PID: 1296
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 7KB
MD5: c1e664013962f3258ae3251963727f9d
SHA1: 1db1bc436fc84456590a7f4360c8ce335f49dac5
SHA256: bcd354a0df33cc8ba8515cc4ec0fd7ff896b0a516e46bdcde3cb25609825e687
SHA512: 546c21d5f9681c220005dfc0ba604fc7e412cc20e907fbc3e4237f8d461642d1c3610889e3dcae40e2c2e58ff3d6df93e16403910e28c1fd226f7c072be25921

Filesize: 1KB
MD5: e11e31581aae545302f6176a117b4d95
SHA1: 743af0529bd032a0f44a83cdd4baa97b7c2ec49a
SHA256: 2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c
SHA512: c63aba6ca79c60a92b3bd26d784a5436e45a626022958bf6c194afc380c7bfb01fadf0b772513bbdbd7f1bb73691b0edb2f60b2f235ec9e0b81c427e04fbe451

Filesize: 914B
MD5: e4a68ac854ac5242460afd72481b2a44
SHA1: df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256: cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512: 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07298EE8EBA9732300AE62BDCA6B6898
Filesize: 312B
MD5: dbffbdb5af81b1744cefd07066e7628a
SHA1: 0eecaf146ce19dc504d03afb4bac9cfc7cdb3d8c
SHA256: 53d412d3a27913cd022df48bb1018b0c45910b3af4610864a6533df0b13c7725
SHA512: e442aac51af3202b64256b2dddd9d09be719c05770b602b968b7ce075d05ca3bd9025e5bb1174f249f64fb5a60cf190b4f37001955712b2b8eef236246b60f03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize: 252B
MD5: 761921ba718b9e9b59807869fc4addcb
SHA1: 6878c0197ed320c23f9cb770ac530cd055e43cf6
SHA256: 4e577e7aa56f3c0dd21c6c507f67f5f854a25e9c76d968b8583a426bd233a66d
SHA512: 8ee4544dd9e7693bcb867535f2daf17c1ddc5e45af59e0d027a7ebaeef1f4822c34f66ef51d1f8d34a6759c377c6960f6f2386a0909de44c170e02aa15406522

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (21 versions of this file were captured, all 342B; listed in report order)
Filesize: 342B
MD5: efffd7d74c0e97205b30408f9166b277
SHA1: 1cbd2afc825aae5a040db800492d3758b27a70a0
SHA256: d708d27a1581991636278c181c75e1e3897d72fe307666a0c1f1428af7186979
SHA512: ac7fb9e125fec39394e908ba9b83cf30d03e0b5eda1a1e37c723371d6ade76e92a4fc3268295fab29857a408c88cf9ca83e9bb37a54b19a5b463f98ae51f91cf

Filesize: 342B
MD5: 2659b2372478e3ea7bedb2e2e8c35f7b
SHA1: 3ad0c39dc1f6289c9ec7b6bf18a4679ffb0ddf97
SHA256: df3a8e612cd06903deecd9a5109e4b59ba775936e2be1830e3212e9a6d19b920
SHA512: 46bc7d40df0c8572a93484d8af79385183e04e43ad870c998c2d3fdf5af40b45b6ed867fa74c8f7d2de51471d44f55a444b4844c7ebfd2053bc4089306c2fcbd

Filesize: 342B
MD5: 20130bfa6b6b7f60e7da7708a1e51a8a
SHA1: 2b8e2f8aaa38be819903820e88978595932a818f
SHA256: 5e192b78c4a81c1a7f4f6aacaebc25c96dc9dc1aaab72ef2abcaa638cb5e465d
SHA512: 77d4975096e6e4316cbc758c59467827a85c512c66868107cd3dcb1dfb150f505f545609b42053cfb3d70579ec6bd0195cf6e8f1cafac99f9b3fb94c80b604c4

Filesize: 342B
MD5: cf75eb349d12f620795f0a86e1959eb4
SHA1: 4bee3dadb34d994643b8b18be83c90ff030e6354
SHA256: 10374cf5b6fefeebb2f2ede11f8d4be35731022ca1967b6607ac731b6a847522
SHA512: 48260177378a5cdd93f86d66386220d9aa64c417e0716052641fe352b6762b255bec02340ed37771eb44a34f4bb363427e85e26f2d4b5e611381378d40357996

Filesize: 342B
MD5: da3baebdad5b8f565c26f9d5c6f38ae8
SHA1: b846f56e81c1c0309e12b10a8a73331b0d62c129
SHA256: d3f8707141a7d0dc24db12d27758c5935fe5e782fb373c664cff38360566af95
SHA512: d66da363635c0ff0155cfd5855b6dc070c2a4aeb5285d2fb738f9ed8769f151f623790903eb43d48cf55c197e31b79f66c8db40d1d2520bca667b88edcab15ac

Filesize: 342B
MD5: 0920533fe184b2b4360fcd79d22b086f
SHA1: b343d8930e0137575521bdd6f96b5d8ba4b470e5
SHA256: 73ab159ac913ed3ff9e2c086ecbdd0976424e1a76a620785daf47d1c6e493981
SHA512: 199f66f470030eefc957084eae6f9973e68f86339bbb263dada294c3317600d42a0476e38f9fda013a350248eb7653efbbb3ea3fd1a37257ae89684ec6c559a3

Filesize: 342B
MD5: a1172b659c43e9d01b662a37e3723b5d
SHA1: b9f9ebb976af40996cd07a85ab4d25927c7e6638
SHA256: 4714dd7c702d2fde400b443b116e860449201d13bcea6bd4401db5fde37958d5
SHA512: 8cbda7a07802eb8559126c9a08231ec8a162ef5599c2b28004a62b3794404b457efecff842edfdcfd2ba9ab3a0787856af49c77644bd2609e69967040411463d

Filesize: 342B
MD5: 955af944ad6d1d9dbdc3a252585b035d
SHA1: 6131d1b6903866d00d3bc10365abd1f0d3f31ffc
SHA256: e62919d977fdb3a7fd7d75a5f449c06001fc8125841a6521289267642238c0ea
SHA512: 861d15b81596bfbb7dd116ff9a74c897e72596538e6b57f6e5ab37a20f7f39887bac90a5bbc0a5e2bcbca5ac5a3751780eb96c9847cfbcf5af6e6edcc3fe016f

Filesize: 342B
MD5: 6c0f7170e81da860a2c9828b86640862
SHA1: 724e62e93fecd7f5995b10f9ecdd9a86d670c5ba
SHA256: b721fa85c6094bb3d63a1aed9e6c662e1b0464ad9f51f4c9e90b2e6cf8a56829
SHA512: 81711aa22df3b2605a3038493cd2b59d9296d0832502e263b717e277d3de0bc66222623089ee845c8cd87235a471f8d41dd95cace51568ea6d7a2820277c05a3

Filesize: 342B
MD5: 63a74cf9235629120525c20fcf9feb26
SHA1: 47cea0edf56631c7687b9952b840c4655f96a841
SHA256: 2292dd95b6e7d80f37c9c83a3ede73f0b2632d6322183988c2ec7a39fbd7088a
SHA512: 7edcaba7baeb48861df7177af307daee20985342957d514dbc392f412aeaa19fb43fd817ceb536bd834b2e458ea137b064acc410b8a571da5f99309df02de57b

Filesize: 342B
MD5: 04a83091d65daad40ce33847710f0f13
SHA1: b64fe94deaefa924d9c2c2318671069cd3f1198a
SHA256: dcfbca60f9d1d2817855ffe89e550b48d4f6f03061227b01ffadd5e8f9856851
SHA512: 548e2bba656d0a1c4a05b7faa3b2fd647f27e44ee0a5eb64598be358768cb8fb4deae42b3bc26c4d5164a2e3da351000702dfa479b7de28413e62b45dbf669d6

Filesize: 342B
MD5: d37e30a53b82bfd62dad2a359502d0ba
SHA1: c5ffe3ba7cec2b4695ffcdab0e8ccd1fb9e5ba0f
SHA256: e162e8a3236e4acdb12652abe0eefd02e346a97409722c237670b1d2e6bfc54a
SHA512: 9954605249e45d912376bfad713fb9b455792ee362e9eae6ca7056ced9bf745a9b133ff660cffddbf98cccc3e4f65099e9cf73c22ba910b3680aa750e9049a51

Filesize: 342B
MD5: c37b6ba1c8c327a162654448024fd2cd
SHA1: 28459ba7adf7e152380a93cbfc4b6394b98b4f74
SHA256: 121d8d5501cbbf6ee809470208cc027ff57954d198c7e7074fa15436c0a55b17
SHA512: dc7d8a4e3b67e1e5e30ed544afbf1387cf150d3adf78fd2efea77989ce5f2dfe9db64bcb7f1baa49ef6dadc8a89f0cc95e858c6c8fab32a2e22140db6f657f24

Filesize: 342B
MD5: d8e734d9e2f628364f8022bc848a8f03
SHA1: 52cd249e63c89f98196c0f388717d5919cfb011f
SHA256: 13807789b695ffd10362fb14ff47007b04dd77cb0fc5557d36af21fd5558b435
SHA512: 2834a0191d9f0cc842b0e58139228ede42103c7bb139219293a3ec3b3bfa96e10f85c7b3d678b3e5efd6b3dd89a290271cad9d94e8057a90e2cbd4cac846e39e

Filesize: 342B
MD5: 62c78f73062fb4ee493e2d68fa3c16e4
SHA1: 376a2642f4b3ff3bb093f24966ab504041b85151
SHA256: b5ac8826537908ef47ef7cca97f39f2b033e66c9f78cd6e5322bb7de512c8d4c
SHA512: b7bd1b18662b24fa0588c9a75834068d9eac732fb4a49a3766ef69f84c8a06b982e98f654c3b2bdc9d41f6913d4ea324f67f5b751ff1cfd385aadcd206fdd930

Filesize: 342B
MD5: 2d141e06e59aa65cb7d4ff3969191901
SHA1: 9b5098404094c7ecbf864d21597a41f5dc7167c7
SHA256: 67986fcddc53ebe8cb974923557da752e6cda8d43209c12959136b32eb04f303
SHA512: 0f616b83705c8bbd7304491f736829de54844caf2c8c2d537ee7d4b401529c8e050593ad6973374d349be1cea96d6a4a0f58de99c8fbcc552c9abd47a9fb93b7

Filesize: 342B
MD5: 9dbf7386c95ae4ac176f128ca3a8c9a1
SHA1: cb574c92b206ac5e4d8a18a003dc13082f36c2a0
SHA256: 2da2ab95b856264bf56079bb290b0b40dbe9579a611f2ba20822062c1a58af0e
SHA512: 06831bc6d6d2be398b2feb27ba454c3a92b1a48938a68e5d937d5c92d54713da1f99455a4350a7d77ed4de7f294a44dbfea458a7467e7e52314e6b7931eb0edf

Filesize: 342B
MD5: d9ca49f9c3401928417d5c485cae7877
SHA1: 781e1685e1b18f4c7d093147b71a477f95444c1a
SHA256: 0865e75735b0c9cbefef1c6e79d52d4842a5324bce6dda0a0a4aa463791ca41e
SHA512: 01c11a0864459c97109b65b02a7f91803b11b9fcefa83705a0a9828f3d2cb59b883dea6a2b70a4fc18ca6f6c364adaedcfb8930dd8ccb9e525c8f545f95f4288

Filesize: 342B
MD5: 4149690b731346686cb1f3e2056320d8
SHA1: 2c8ac92721c0e8a22c3055d022ef6d4c631246c2
SHA256: e3f07458f02c0d7d7b9b2029bbad655736cd4a3d59132b41e4c0b17ec4082ed1
SHA512: 1687a6b9b930252c46f0af0e3d98cba4c913c9c57431de56c3fb94b530167bef1aebe900101cb83c59bc9f08831eb7823ecce1dbcf7ed6e8de3b0ca7c36c2480

Filesize: 342B
MD5: b9e169200bccc39d6a8f01488c89460d
SHA1: 158ed2e4ce1c9e31a1f9168f310830ef8ab4575b
SHA256: 89f8b13ec2ca40b8d0f3b69cf52acb93098b9f5498ba7c36ab7f64b86069f073
SHA512: 5f2a0321c5378489707ed7f995309c73bee043bdc2a1620a8b2bc966853e65e6452d13a8c748bd4e2af06dbd6d5814dcf9875ffb2099e8d72cbaedfaef4ef525

Filesize: 342B
MD5: 0e90de452d4bb377842f234a113f9623
SHA1: d14cf786b9ca6ad6635afbda8f82b3fab2651879
SHA256: 80792145297b49099b39baedbbe1ae7c5be1b6492b9fc967753d44f89667516a
SHA512: fbc6c3d7910bc372ed09fe3cd72be6d28d5f7023417b7e58c6cd42a26a9d298f1a8b2832162da6e238cfcdb11db505ed1df5d84a8b1552a670fa802d3af8eccc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: c03a404648e66846f8270394caded4a9
SHA1: 3f0879ca45f5216fa5531c3043643291d433d318
SHA256: 3915e5dd34ba926f3abde7e51e9c5ccca20edc65e04b0faa6e7a8a41cfe6510b
SHA512: 9b492d23a75b82d6d9646619f05da54da7d70a1de7781c24182bdbcbf097eedcd6db3b87c80df24030917364faa0147b7b3943d055a0090d63c6efc1d16595ea

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 49B
MD5: d123fceb9cd9d24dda8642582d5b3e50
SHA1: 35b07f8300e9b950f635329eab9b1f707bc1fbd1
SHA256: 6cca417b473ebdee60498efdb981ee339f899abccca09884d2c74d771bf47e8f
SHA512: f92000dab680ff02b068d40642999657760a10e7cea31ef7dd87684ea415fcb950a1ae7fa8dcf3045af90154552fd6b8fe7ec830f9fb1a2d11393c7ec44e6333

Filesize: 997KB
MD5: ec6ebf65fe4f361a73e473f46730e05c
SHA1: 01f946dfbf773f977af5ade7c27fffc7fe311149
SHA256: d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f
SHA512: e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Filesize: 420KB
MD5: f6cd321fc3e815450c782c5b21e80da5
SHA1: 89cc7dea0afbcde359b651c5cef6ab42afe7153a
SHA256: 49c552ae24c05e2f5c144379de648ec604005e1d5e30fc6caec4d53828183dc5
SHA512: 63e1626ad3a5640b94a7d7dfc09d68451f054cea628e103bdacdd806eea6f2f072e25bdb17809c5d9ff95c5611598aca17317392c3a1f5952a2be61dc43e9784