Analysis
-
max time kernel
114s -
max time network
114s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
12/11/2024, 12:12
Static task
static1
Behavioral task
behavioral1
Sample
7z2401.msi
Resource
win11-20241007-en
General
-
Target
7z2401.msi
-
Size
1.4MB
-
MD5
a141303fe3fd74208c1c8a1121a7f67d
-
SHA1
b55c286e80a9e128fbf615da63169162c08aef94
-
SHA256
1c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
-
SHA512
2323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8
-
SSDEEP
24576:S+xMHACSK47NXchb6OqTHHBniI4BqHsE4RKKKGE32/XlOA+gYy4isa444GuOlr3B:NMX747NXch+Oq7VsE44KPE3qlHyjwlrx
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\7-Zip\Lang\hi.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ko.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7zCon.sfx msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\cs.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\el.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\he.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ku-ckb.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\mng2.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\sa.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7z.dll msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\fur.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\si.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\sl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\kaa.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\kab.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ro.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\uk.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7z.exe msiexec.exe File created C:\Program Files (x86)\7-Zip\readme.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\be.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ka.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\mk.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\mr.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7zG.exe msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\gl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\cy.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\pa-in.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ne.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\hy.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ug.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\zh-tw.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ja.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7zFM.exe msiexec.exe File created C:\Program Files (x86)\7-Zip\History.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\en.ttt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ga.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\it.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ms.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\pl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\7-zip.chm msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\bn.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\tt.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\uz.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\lij.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ps.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\es.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\tg.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\nb.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\bg.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\eu.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\io.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\lv.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ru.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ta.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\tr.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\nl.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\ca.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\da.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\fr.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\sq.txt msiexec.exe File created C:\Program Files (x86)\7-Zip\Lang\sw.txt msiexec.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\Installer\e57f898.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\SystemTemp\~DF93DDB199761912F7.TMP msiexec.exe File created C:\Windows\Installer\e57f89c.msi msiexec.exe File created C:\Windows\SystemTemp\~DF1D727252D7C72043.TMP msiexec.exe File opened for modification C:\Windows\Installer\e57f898.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DF9A8B21FFEEE8378F.TMP msiexec.exe File created C:\Windows\Installer\SourceHash{23170F69-40C1-2701-2401-000001000000} msiexec.exe File opened for modification C:\Windows\Installer\MSIF954.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF70EE675F0CA41614.TMP msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 536 7zFM.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2296 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7zFM.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002fc80c284bade0450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002fc80c280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002fc80c28000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2fc80c28000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002fc80c2800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe -
Modifies registry class 42 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files (x86)\\7-Zip\\7-zip.dll" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Version = "402718720" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache BackgroundTransferHost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Program = "Complete" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\Complete msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0410720000000040000000\96F071321C0410724210000010000000 msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix BackgroundTransferHost.exe Key created \REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000\LanguageFiles = "Complete" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\ProductName = "7-Zip 24.01" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\PackageCode = "96F071321C0410724210000020000000" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\SourceList\PackageName = "7z2401.msi" msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" BackgroundTransferHost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" BackgroundTransferHost.exe Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0410724210000010000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0410724210000010000000\InstanceType = "0" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4440 msiexec.exe 4440 msiexec.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 536 7zFM.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2296 msiexec.exe Token: SeIncreaseQuotaPrivilege 2296 msiexec.exe Token: SeSecurityPrivilege 4440 msiexec.exe Token: SeCreateTokenPrivilege 2296 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2296 msiexec.exe Token: SeLockMemoryPrivilege 2296 msiexec.exe Token: SeIncreaseQuotaPrivilege 2296 msiexec.exe Token: SeMachineAccountPrivilege 2296 msiexec.exe Token: SeTcbPrivilege 2296 msiexec.exe Token: SeSecurityPrivilege 2296 msiexec.exe Token: SeTakeOwnershipPrivilege 2296 msiexec.exe Token: SeLoadDriverPrivilege 2296 msiexec.exe Token: SeSystemProfilePrivilege 2296 msiexec.exe Token: SeSystemtimePrivilege 2296 msiexec.exe Token: SeProfSingleProcessPrivilege 2296 msiexec.exe Token: SeIncBasePriorityPrivilege 2296 msiexec.exe Token: SeCreatePagefilePrivilege 2296 msiexec.exe Token: SeCreatePermanentPrivilege 2296 msiexec.exe Token: SeBackupPrivilege 2296 msiexec.exe Token: SeRestorePrivilege 2296 msiexec.exe Token: SeShutdownPrivilege 2296 msiexec.exe Token: SeDebugPrivilege 2296 msiexec.exe Token: SeAuditPrivilege 2296 msiexec.exe Token: SeSystemEnvironmentPrivilege 2296 msiexec.exe Token: SeChangeNotifyPrivilege 2296 msiexec.exe Token: SeRemoteShutdownPrivilege 2296 msiexec.exe Token: SeUndockPrivilege 2296 msiexec.exe Token: SeSyncAgentPrivilege 2296 msiexec.exe Token: SeEnableDelegationPrivilege 2296 msiexec.exe Token: SeManageVolumePrivilege 2296 msiexec.exe Token: SeImpersonatePrivilege 2296 msiexec.exe Token: SeCreateGlobalPrivilege 2296 msiexec.exe Token: SeBackupPrivilege 3880 vssvc.exe Token: SeRestorePrivilege 3880 vssvc.exe Token: SeAuditPrivilege 3880 vssvc.exe Token: SeBackupPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2296 msiexec.exe 2296 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2312 MiniSearchHost.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4440 wrote to memory of 3368 4440 msiexec.exe 86 PID 4440 wrote to memory of 3368 4440 msiexec.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\7z2401.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2296
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:3368
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3880
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2312
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4488
-
C:\Program Files (x86)\7-Zip\7zFM.exe"C:\Program Files (x86)\7-Zip\7zFM.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:536
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:1592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
20KB
MD5e86a3b8f658a169016416939f83cd2c7
SHA163ec56b0462655fbd24f69597f11dd2faad25ecf
SHA256c160ca82345a7413e51afb32e112f276cbaed2613cdc61227584ef846a339173
SHA5120be8253b1a6d9cc351c8d2f70261a396bbb4e80182f90560b4fcfbac1940e82223e2fb2dda6e492aa9352fd76aabed1c6855b67fabbf4f451bc991807a12a82f
-
Filesize
574KB
MD552ae15f525a8732bcb89ba874461b05e
SHA1265ec2444e7724374a9cbba01c4f4d89e58108fa
SHA2561e6162ad80dc358bd58013500c18ce568ec97734eebb94acd70cb74bba5c0c91
SHA512617d29d831943bb06a2f3846679cd47025a9979bd3331b221f2239f8ac6f7a255d642dd638be761f71b3f4994b6d84cc0b04a2baf072e1b596d18191a24154ac
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\963629fa-6b8f-4f25-9a9c-91284c3e8e63.down_data
Filesize555KB
MD55683c0028832cae4ef93ca39c8ac5029
SHA1248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5dc879a8af8313d9650b9b9a95ac476bd
SHA16ee2343088f99f9665169d9b5dbb60abfe6248cc
SHA2567435b32ab904760596ee8cb89be798e88e7a97876f91f1a44ba06c1509e480ad
SHA5122b4bc41f441f443aca620b1375f1d35ec69446d619666811901d070ed8a7f9882332a2d5e65d9f33076030208bae0d92c301e2947c7be3575e20b389a6e11548
-
Filesize
1.4MB
MD5a141303fe3fd74208c1c8a1121a7f67d
SHA1b55c286e80a9e128fbf615da63169162c08aef94
SHA2561c3c3560906974161f25f5f81de4620787b55ca76002ac3c4fc846d57a06df99
SHA5122323c292bfa7ea712d39a4d33cdd19563dd073fee6c684d02e7e931abe72af92f85e5bf8bff7c647e4fcdc522b148e9b8d1dd43a9d37c73c0ae86d5efb1885c8
-
Filesize
24.6MB
MD56b41b5d80def31e3fdb78d38c6d92b4b
SHA1eaef2e9e7a7fce39744871072ef1f62687d4eb45
SHA256c2c3f611512a5815921a9f6f9b92bd46d0d4073217f2d21b1241fa3d0f607a4f
SHA512d6a5e951ce88335eeb1ee68afc8c9e6ff6a63549709e1081dc41e9386f1b844920231756d479e76d489374723d79661842f4a2d4a1c7c99a30811382afb71ace
-
\??\Volume{280cc82f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4e9311c4-1ff2-46da-9548-1c8eea309690}_OnDiskSnapshotProp
Filesize6KB
MD52342c8e3719ac77bc2923278291f6e0e
SHA17296bbe9f2a23fcca3afcdb9862463ae7fac3fd7
SHA2561080543268adf7e806e560cc6887552b8caf6608c2b47945c2e8033f1985f896
SHA512a6a0f34d060072e0519223c89fe107ffa8b9222cb80a12a89eb800a0ee40f5bf5508577c34cdd15f326e73aad09e77a5c63209e1144e08211c53b7c019f42cab