Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21/11/2024, 02:40
Static task: static1

Behavioral task: behavioral1
- Sample: c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
- Resource: win10v2004-20241007-en
General
- Target: c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
- Size: 106.0MB
- MD5: 13efd06a23bfa0e958907db33d947ff9
- SHA1: 57b60766072b7037ca5c5d31a23dd57e332421b8
- SHA256: c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c
- SHA512: b2a914c5359a636003d3dc45b8be36a8e059f40893f171a845969ab5a791310f6a86337205f775a0ca0807ddc8a6fcf294a6cf64c990ae58bd2466b1954bb3e0
- SSDEEP: 3145728:8Cc6i9DJclUWcTsPsz+gpvp0lHEavPwsJ+KkKELYfFY:+rDJciusz+gNpUkGP/J+xEfFY
Malware Config
Signatures

UAC bypass 3 IoCs
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reg.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- resource: behavioral1/memory/1936-37-0x000000013F120000-0x000000013F130000-memory.dmp; yara_rule: upx
Drops file in Program Files directory 14 IoCs
- File created: C:\Program Files\Sunlogin\Sunlogin\SunloginClient.exe (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_18_0 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_20_1 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_21_0 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_21_2 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_18_1 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_20_0 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\XR.exe (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_18_3 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_21_1 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_18_2 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_18_4 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_20_2 (msiexec.exe)
- File created: C:\Program Files\Sunlogin\Sunlogin\cache_20_3 (msiexec.exe)
Drops file in Windows directory 13 IoCs
- File created: C:\Windows\Installer\f76cdab.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f76cdab.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICE18.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICE96.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICF14.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f76cdae.ipi (msiexec.exe)
- File created: C:\Windows\Installer\f76cdb0.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f76cdae.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID06C.tmp (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
Executes dropped EXE 2 IoCs
- PID 300: XR.exe
- PID 896: jdy_client_mini.exe
Loads dropped DLL 10 IoCs
- PID 2488: MsiExec.exe
- PID 2488: MsiExec.exe
- PID 2488: MsiExec.exe
- PID 1936: msiexec.exe
- PID 1160: Process not Found
- PID 1160: Process not Found
- PID 1160: Process not Found
- PID 1936: msiexec.exe
- PID 1160: Process not Found
- PID 896: jdy_client_mini.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
- PID 1968: msiexec.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (jdy_client_mini.exe)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
- PID 2980: ipconfig.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 23 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
- PID 1936: msiexec.exe
- PID 1936: msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
- PID 1968: msiexec.exe
- PID 1968: msiexec.exe
Suspicious use of SetWindowsHookEx 4 IoCs
- PID 300: XR.exe
- PID 300: XR.exe
- PID 2336: mmc.exe
- PID 2336: mmc.exe
Suspicious use of WriteProcessMemory 38 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 1968)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 1936)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Loads dropped DLL; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2488)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E9D78674C053B69FDFDBADF5D9D0716E
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Program Files\Sunlogin\Sunlogin\XR.exe (PID 300)
    Command line: "C:\Program Files\Sunlogin\Sunlogin\XR.exe"
    Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 284)
      Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\ipconfig.exe (PID 2980)
        Command line: ipconfig /all
        Signatures: Gathers network information
    - C:\Windows\System32\netsh.exe (PID 632)
      Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\Ilp7p.xml
      Signatures: Event Triggered Execution: Netsh Helper DLL; Modifies data under HKEY_USERS
    - C:\Windows\System32\cmd.exe (PID 1288)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\7EUMU.bat"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 328)
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        Signatures: UAC bypass
      - C:\Windows\system32\reg.exe (PID 928)
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        Signatures: UAC bypass
      - C:\Windows\system32\reg.exe (PID 1852)
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        Signatures: UAC bypass
    - C:\Windows\System32\cmd.exe (PID 2036)
      Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KAdWo\d867R~18\p+C:\Users\Public\Pictures\KAdWo\d867R~18\w C:\Users\Public\Pictures\KAdWo\d867R~18\nw_elf.dll

- C:\Windows\system32\vssvc.exe (PID 2948)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\DrvInst.exe (PID 1716)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000004A0"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\mmc.exe (PID 2336)
  Command line: C:\Windows\system32\mmc.exe -Embedding
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe (PID 896)
    Command line: "C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads