Malware Analysis Report

2024-12-07 14:18

Sample ID 241117-lveahsxdrk
Target Slf.msi
SHA256 e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37
Tags
hijackloader remcos v2 discovery loader persistence privilege_escalation rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37

Threat Level: Known bad

The file Slf.msi was found to be: Known bad.

Malicious Activity Summary

hijackloader remcos v2 discovery loader persistence privilege_escalation rat

Detects HijackLoader (aka IDAT Loader)

Remcos family

Remcos

Hijackloader family

HijackLoader

Enumerates connected drives

Suspicious use of SetThreadContext

Executes dropped EXE

Drops file in Windows directory

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 09:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 09:50

Reported

2024-11-17 09:53

Platform

win7-20240729-en

Max time kernel

149s

Max time network

148s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2592 set thread context of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 set thread context of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f771e79.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1EA8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1FC2.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f771e7c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI21B7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f771e79.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1F54.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f771e7c.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2740 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2712 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2712 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2712 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2712 wrote to memory of 2592 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2592 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1792 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B1D0B2B7A8DDD7C1A5A44E96C96E514D

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
NL 185.157.162.126:1995 tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI71d31.LOG

MD5 a27f3d57af7200e575193882d684859d
SHA1 19fd9d1ef2ef0a3be3bfc00811e56fdbc9abe9db
SHA256 9d0452e9e4f37a8aa9f0e7c06c61d0d7cb2ca5d9911e1a71c838b7e4f6b8a31d
SHA512 2e5546f838deeb5b8638a745149fac15782e0169f95f24e2fad05b739730261031b03ece5ff541cfd7f2be56f93d4f4ae7105a5d8bbe23726a863971e098e817

C:\Windows\Installer\MSI1EA8.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\f771e7d.rbs

MD5 501667a7ac58de5159521d9452398b31
SHA1 60f233e6e1e932afa5594e68faf1513ba6b1064d
SHA256 3a931e194e15b26d0b4684f7217fa8c4c769a5fb1291fb45b62218dbf3c4cdd8
SHA512 8dacdaf1edb50689ad53c6051118db6c9467a1a78f4d1a9af48c5f62cee2c9a6ff2eef0505df14306e94167f00e86ce5a4e294324cd9434fda8103ea60d871bc

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2592-47-0x00000000744C0000-0x0000000074634000-memory.dmp

memory/2592-48-0x00000000744C0000-0x0000000074634000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3384daf1

MD5 019b4afb47e64e7c493d927a0795b498
SHA1 be86c486ac392f8cb7812ff9ce2cf9433ac14acd
SHA256 faf812686e077e477fa1a0c6ba8769b62a3122204893343b2d54f6deaabd838b
SHA512 a8112542243ea652a43822920b58501c2fbc9643e75def10ec0594b60923fe06e4328c0036e8a2310420b4609111cbda7b276514c41eed95ceeaac0d130853cb

memory/1792-51-0x00000000777F0000-0x0000000077999000-memory.dmp

memory/1792-98-0x00000000744C0000-0x0000000074634000-memory.dmp

memory/2220-102-0x0000000072D70000-0x0000000073DD2000-memory.dmp

memory/2220-104-0x00000000777F0000-0x0000000077999000-memory.dmp

memory/2220-105-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-109-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-110-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-112-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-113-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-114-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-118-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-119-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2220-120-0x00000000001C0000-0x0000000000244000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 09:50

Reported

2024-11-17 09:53

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2364 set thread context of 432 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 432 set thread context of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5764f4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI66E9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6767.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5764f4.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6551.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6796.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6863.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 448 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1352 wrote to memory of 448 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1352 wrote to memory of 448 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1352 wrote to memory of 2364 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1352 wrote to memory of 2364 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 1352 wrote to memory of 2364 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2364 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 432 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 432 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 432 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 432 wrote to memory of 920 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding EA8BBC54578C06EA203A659176962B92

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 185.157.162.126:1995 tcp
US 8.8.8.8:53 126.162.157.185.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7632e.LOG

MD5 afbe44e4ce8886708445c5dea3d7a55f
SHA1 4d69db9386b5e901abef0370afeea01f8e36560f
SHA256 5401e7369163f3f69ef2dea2fd8354bb47b54380a2d56f1c6a9db232ebb42663
SHA512 d48eafeebf70d260b747d6020c7e8b36abff796c1abf9817ec4ddd7502b817c4a552db04c176f1faf8d6126ff37fdda80ea4e8b835a58b1b4d21647d577494cd

C:\Windows\Installer\MSI6551.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e5764f7.rbs

MD5 501667a7ac58de5159521d9452398b31
SHA1 60f233e6e1e932afa5594e68faf1513ba6b1064d
SHA256 3a931e194e15b26d0b4684f7217fa8c4c769a5fb1291fb45b62218dbf3c4cdd8
SHA512 8dacdaf1edb50689ad53c6051118db6c9467a1a78f4d1a9af48c5f62cee2c9a6ff2eef0505df14306e94167f00e86ce5a4e294324cd9434fda8103ea60d871bc

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/2364-49-0x0000000073A70000-0x0000000073BEB000-memory.dmp

memory/2364-51-0x0000000073A70000-0x0000000073BEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d771dc46

MD5 401ac0daa05e9f06ca9dd886554eb8cd
SHA1 9f8f4fb23cc9f423b05c0fae8d83dc67e8e0c86b
SHA256 f115589b3b465215c4544c41db435cef8c7b08e19a55f7654aa47fa28a2408b5
SHA512 b6626341b29a91d52d3d93343f54fd114cadd6b8e928877f5efe5ed72fe687aec32fde64f8e5d043e8dced16236b28c9e37d4d45f5c76c36f24802fec5db6382

memory/432-54-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/432-56-0x0000000073A70000-0x0000000073BEB000-memory.dmp

memory/920-58-0x0000000072810000-0x0000000073A64000-memory.dmp

memory/920-60-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/920-61-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-64-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-66-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-67-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-68-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-69-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-70-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-71-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-72-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-73-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-74-0x0000000000410000-0x0000000000494000-memory.dmp

memory/920-75-0x0000000000410000-0x0000000000494000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-17 09:50

Reported

2024-11-17 09:53

Platform

win11-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

Signatures

Detects HijackLoader (aka IDAT Loader)

Description Indicator Process Target
N/A N/A N/A N/A

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

Remcos

rat remcos

Remcos family

remcos

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4104 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 set thread context of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF9E32AB5A353BAE22.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC24A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DFF0F2F67949320E3F.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57be4f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEDB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC0B1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF3143AEE546A44E54.TMP C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC18E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SystemTemp\~DF5982F3B1C9905F92.TMP C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57be4f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC16D.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3604 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3604 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3604 wrote to memory of 4104 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3604 wrote to memory of 4104 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 3604 wrote to memory of 4104 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 4104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2152 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2152 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2152 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
PID 2152 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E7BCC09BB16F7D62775B608A6F2A9C68

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

Network

Country  Destination           Domain                         Proto
NL       185.157.162.126:1995                                 tcp
US       8.8.8.8:53            126.162.157.185.in-addr.arpa   udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI7bcc8.LOG

MD5 c802bfb8aae4aea68532b77d24276e5c
SHA1 268d41cfdc735e903a4c2297ec86806729a873ce
SHA256 a407d57300966821e7f403a9194d51d8a1dff322cf1b144be2ca086e955531ea
SHA512 7a8bbc7683f5c51c9847ad29ab9d48dc5e442ef7d969520f8bc1e9a9f0c3a49093f6b8a4f13f4bdb1dfccd3b740d797f03c0adf4b934ad1f40bca0f77624d1c7

C:\Windows\Installer\MSIBEDB.tmp

MD5 2c9c51ac508570303c6d46c0571ea3a1
SHA1 e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256 ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512 df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

C:\Config.Msi\e57be52.rbs

MD5 0d3f6d7795a8d0a02c83c4324fdf6150
SHA1 7121efd645b78bde8e8c8039445127d892d41b22
SHA256 396422295788b4189249c27da0cb53628dba3aa25e26a176f1e509391e61f8fe
SHA512 b0b281b48fe5a851497e68094f3bc812db3070986aa87df07ee7b3271099fc4c642492050cd25c418305d15cbcbe921606b1986953782e51ecdc2fbb392c6a73

C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe

MD5 9329ba45c8b97485926a171e34c2abb8
SHA1 20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256 effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512 0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

C:\Users\Admin\AppData\Local\Temp\http_dll.dll

MD5 4366cd6c5d795811822b9ccc3df3eab4
SHA1 30f6050729b4c08b7657454cb79dd5a3d463c606
SHA256 55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA512 4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

C:\Users\Admin\AppData\Local\Temp\mfc80u.dll

MD5 686b224b4987c22b153fbb545fee9657
SHA1 684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256 a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA512 44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

C:\Users\Admin\AppData\Local\Temp\audiogram.tif

MD5 5124236fd955464317fbb1f344a1d2f2
SHA1 fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256 ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA512 2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

memory/4104-45-0x0000000073B40000-0x0000000073CBD000-memory.dmp

memory/4104-51-0x0000000073B40000-0x0000000073CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\128d2ef6

MD5 bf50faff4d81ade48792e0991bb361b4
SHA1 5e8f9afa51c1da142adf90ba939f1b24c971ea6c
SHA256 a380c1d02d28ad84fa1b7e0860f563701f1c84e2bb9e19431b4c6799a4b50c3e
SHA512 2dc088c228fb351d3ff87950c607265eca31bc86e5a80a9aa9ec5c2d10c86e15db7ece80cb161e342fb0f896d8b4703182cd8d419aac74f9d31f5da86170809c

memory/2152-54-0x00007FFE9A940000-0x00007FFE9AB49000-memory.dmp

memory/2152-56-0x0000000073B40000-0x0000000073CBD000-memory.dmp

memory/3088-58-0x0000000072820000-0x0000000073B37000-memory.dmp

memory/3088-60-0x00007FFE9A940000-0x00007FFE9AB49000-memory.dmp

memory/3088-61-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-64-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-65-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-67-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-68-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-69-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-70-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-71-0x0000000000410000-0x0000000000494000-memory.dmp

memory/3088-75-0x0000000000410000-0x0000000000494000-memory.dmp