033cbe08cefd4b7a6553619355bc44f20de5c233b4f7a44142c7ae7caf96be41

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 11:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sdsetup.msi
Size

13.9MB
MD5

90111bdf3173ee59b2b4ebe158b00050
SHA1

77508c78e0a8f23cda0713ca77de15285af66a4e
SHA256

b8bd3eb19eb84bd518e9c5b82d88d6a8743581fcf32f7bacf819c8f0a20e5d11
SHA512

474faa22fc0b0f9a9b9b7c479a3dd86e2c0e7fc2c93bbe650961438f1167b7bee886f31834abe934cb9de6e903be0fed150a63fe58d71001f495ab45f5ca85fa
SSDEEP

393216:d+B+BXTb0RAtdP5OaaBA3DBSdON9gK01jsB:pkRQ5VcAT4dON9g7js

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MsiExec.exe

pid process

4260 MsiExec.exe
4260 MsiExec.exe

pid	process
4260	MsiExec.exe
4260	MsiExec.exe

Drops file in Program Files directory 15 IoCs

Processes:

msiexec.exe7za.exeMsiExec.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\locale.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\7za.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\locale4.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale4.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\7za.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale2.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\locale3.bin	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale3.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\INIT.DAT	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale2.dat	MsiExec.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIB334.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b064.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b064.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C531EAF3-8246-4F2D-A951-4CE65F86F283}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB15E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b066.msi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

7za.exe

pid process

4780 7za.exe

pid	process
4780	7za.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
4132	sc.exe
4328	sc.exe
3324	sc.exe
4960	sc.exe
2480	sc.exe
1460	sc.exe
760	sc.exe
2216	sc.exe
3532	sc.exe
2888	sc.exe
532	sc.exe
4424	sc.exe
1616	sc.exe
428	sc.exe
1500	sc.exe
1648	sc.exe
4540	sc.exe
1644	sc.exe
2292	sc.exe
3112	sc.exe
1856	sc.exe
2432	sc.exe
4904	sc.exe
4516	sc.exe
1720	sc.exe
2332	sc.exe
4088	sc.exe
4868	sc.exe
2364	sc.exe
4412	sc.exe
4568	sc.exe
2688	sc.exe
4148	sc.exe
1720	sc.exe
532	sc.exe
1460	sc.exe
4424	sc.exe
3552	sc.exe
2592	sc.exe
208	sc.exe
2592	sc.exe
2656	sc.exe
4512	sc.exe
4508	sc.exe
1616	sc.exe
2364	sc.exe
4956	sc.exe
2520	sc.exe
4592	sc.exe
3684	sc.exe
2108	sc.exe
3328	sc.exe
4780	sc.exe
4128	sc.exe
4632	sc.exe
2628	sc.exe
4488	sc.exe
60	sc.exe
2440	sc.exe
4428	sc.exe
4256	sc.exe
3056	sc.exe
3656	sc.exe
2644	sc.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

4260 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

4836 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7za.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe

pid	process
4260	MsiExec.exe

pid	process
4836	msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

msiexec.exeLogonUI.exeMsiExec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "232"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Magisk\ring3_username = "Admin"	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Magisk	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FAE135C6428D2F49A15C46EF5682F38\ProdFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\ProductName = "Setup"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\PackageCode = "057C27D048C846642BECE75325F4B32F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\PackageName = "sdsetup.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Version = "16973828"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msiexec.exeMsiExec.exe

pid	process
2324	msiexec.exe
2324	msiexec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe
4260	MsiExec.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4836	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeCreateTokenPrivilege	4836	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4836	msiexec.exe
Token: SeLockMemoryPrivilege	4836	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4836	msiexec.exe
Token: SeMachineAccountPrivilege	4836	msiexec.exe
Token: SeTcbPrivilege	4836	msiexec.exe
Token: SeSecurityPrivilege	4836	msiexec.exe
Token: SeTakeOwnershipPrivilege	4836	msiexec.exe
Token: SeLoadDriverPrivilege	4836	msiexec.exe
Token: SeSystemProfilePrivilege	4836	msiexec.exe
Token: SeSystemtimePrivilege	4836	msiexec.exe
Token: SeProfSingleProcessPrivilege	4836	msiexec.exe
Token: SeIncBasePriorityPrivilege	4836	msiexec.exe
Token: SeCreatePagefilePrivilege	4836	msiexec.exe
Token: SeCreatePermanentPrivilege	4836	msiexec.exe
Token: SeBackupPrivilege	4836	msiexec.exe
Token: SeRestorePrivilege	4836	msiexec.exe
Token: SeShutdownPrivilege	4836	msiexec.exe
Token: SeDebugPrivilege	4836	msiexec.exe
Token: SeAuditPrivilege	4836	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4836	msiexec.exe
Token: SeChangeNotifyPrivilege	4836	msiexec.exe
Token: SeRemoteShutdownPrivilege	4836	msiexec.exe
Token: SeUndockPrivilege	4836	msiexec.exe
Token: SeSyncAgentPrivilege	4836	msiexec.exe
Token: SeEnableDelegationPrivilege	4836	msiexec.exe
Token: SeManageVolumePrivilege	4836	msiexec.exe
Token: SeImpersonatePrivilege	4836	msiexec.exe
Token: SeCreateGlobalPrivilege	4836	msiexec.exe
Token: SeBackupPrivilege	3516	vssvc.exe
Token: SeRestorePrivilege	3516	vssvc.exe
Token: SeAuditPrivilege	3516	vssvc.exe
Token: SeBackupPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4836 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2972 LogonUI.exe

pid	process
4836	msiexec.exe

pid	process
2972	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.execmd.exeMsiExec.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 4032	2324	msiexec.exe	srtasks.exe
PID 2324 wrote to memory of 4032	2324	msiexec.exe	srtasks.exe
PID 2324 wrote to memory of 4260	2324	msiexec.exe	MsiExec.exe
PID 2324 wrote to memory of 4260	2324	msiexec.exe	MsiExec.exe
PID 2356 wrote to memory of 4956	2356	cmd.exe	sc.exe
PID 2356 wrote to memory of 4956	2356	cmd.exe	sc.exe
PID 4260 wrote to memory of 3640	4260	MsiExec.exe	cmd.exe
PID 4260 wrote to memory of 3640	4260	MsiExec.exe	cmd.exe
PID 3640 wrote to memory of 4780	3640	cmd.exe	7za.exe
PID 3640 wrote to memory of 4780	3640	cmd.exe	7za.exe
PID 3640 wrote to memory of 4780	3640	cmd.exe	7za.exe
PID 1504 wrote to memory of 3552	1504	cmd.exe	sc.exe
PID 1504 wrote to memory of 3552	1504	cmd.exe	sc.exe
PID 2536 wrote to memory of 4428	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 4428	2536	cmd.exe	sc.exe
PID 2092 wrote to memory of 4256	2092	cmd.exe	sc.exe
PID 2092 wrote to memory of 4256	2092	cmd.exe	sc.exe
PID 2704 wrote to memory of 4860	2704	cmd.exe	sc.exe
PID 2704 wrote to memory of 4860	2704	cmd.exe	sc.exe
PID 4460 wrote to memory of 1648	4460	cmd.exe	sc.exe
PID 4460 wrote to memory of 1648	4460	cmd.exe	sc.exe
PID 3144 wrote to memory of 3056	3144	cmd.exe	sc.exe
PID 3144 wrote to memory of 3056	3144	cmd.exe	sc.exe
PID 2216 wrote to memory of 2480	2216	cmd.exe	sc.exe
PID 2216 wrote to memory of 2480	2216	cmd.exe	sc.exe
PID 376 wrote to memory of 1720	376	cmd.exe	sc.exe
PID 376 wrote to memory of 1720	376	cmd.exe	sc.exe
PID 3032 wrote to memory of 2888	3032	cmd.exe	sc.exe
PID 3032 wrote to memory of 2888	3032	cmd.exe	sc.exe
PID 4328 wrote to memory of 3656	4328	cmd.exe	sc.exe
PID 4328 wrote to memory of 3656	4328	cmd.exe	sc.exe
PID 4448 wrote to memory of 4148	4448	cmd.exe	sc.exe
PID 4448 wrote to memory of 4148	4448	cmd.exe	sc.exe
PID 3004 wrote to memory of 2644	3004	cmd.exe	sc.exe
PID 3004 wrote to memory of 2644	3004	cmd.exe	sc.exe
PID 2664 wrote to memory of 4488	2664	cmd.exe	sc.exe
PID 2664 wrote to memory of 4488	2664	cmd.exe	sc.exe
PID 2552 wrote to memory of 2716	2552	cmd.exe	sc.exe
PID 2552 wrote to memory of 2716	2552	cmd.exe	sc.exe
PID 4204 wrote to memory of 4540	4204	cmd.exe	sc.exe
PID 4204 wrote to memory of 4540	4204	cmd.exe	sc.exe
PID 4212 wrote to memory of 2332	4212	cmd.exe	sc.exe
PID 4212 wrote to memory of 2332	4212	cmd.exe	sc.exe
PID 4188 wrote to memory of 60	4188	cmd.exe	sc.exe
PID 4188 wrote to memory of 60	4188	cmd.exe	sc.exe
PID 1392 wrote to memory of 532	1392	cmd.exe	sc.exe
PID 1392 wrote to memory of 532	1392	cmd.exe	sc.exe
PID 2428 wrote to memory of 1460	2428	cmd.exe	sc.exe
PID 2428 wrote to memory of 1460	2428	cmd.exe	sc.exe
PID 3444 wrote to memory of 4512	3444	cmd.exe	sc.exe
PID 3444 wrote to memory of 4512	3444	cmd.exe	sc.exe
PID 4852 wrote to memory of 4240	4852	cmd.exe	sc.exe
PID 4852 wrote to memory of 4240	4852	cmd.exe	sc.exe
PID 3536 wrote to memory of 1720	3536	cmd.exe	sc.exe
PID 3536 wrote to memory of 1720	3536	cmd.exe	sc.exe
PID 1304 wrote to memory of 4424	1304	cmd.exe	sc.exe
PID 1304 wrote to memory of 4424	1304	cmd.exe	sc.exe
PID 4412 wrote to memory of 3328	4412	cmd.exe	sc.exe
PID 4412 wrote to memory of 3328	4412	cmd.exe	sc.exe
PID 2432 wrote to memory of 2592	2432	cmd.exe	sc.exe
PID 2432 wrote to memory of 2592	2432	cmd.exe	sc.exe
PID 2644 wrote to memory of 4956	2644	cmd.exe	sc.exe
PID 2644 wrote to memory of 4956	2644	cmd.exe	sc.exe
PID 1908 wrote to memory of 4780	1908	cmd.exe	sc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sdsetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4836

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4032
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2F191D322A9522199EEF17C42EDBBBAA E Global\MSI0000
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\System32\cmd.exe
    cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Program Files (x86)\Windows NT\7za.exe
      7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
    3⤵
    PID:3536
  - - C:\Windows\system32\shutdown.exe
      shutdown -f -r -t 00
      4⤵
      PID:3860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:4956

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3552

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4428

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4256

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4860

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1648

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3056

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2480

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2888

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3656

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4148

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2644

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4488

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2716

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4540

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2332

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:60

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:532

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1460

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4512

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4240

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3328

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2592

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4956

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4780

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2304
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1644

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:5068
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2332

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1972
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4568

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4084
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:532

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3144
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1460

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:208

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4868
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4132

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2752
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2316
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2284
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4508

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4640
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2592

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2212
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2292

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1500
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4088

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4684
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2520

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1076
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2488

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4632
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:760

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3760
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4128

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:5020
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1856

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4792
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2216

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3420
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4868

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2004
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2888

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2316
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4328

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3004
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2432

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2592
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2440

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4956
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3532

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2940
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:3112

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3552
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1616

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2848
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4632

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2688
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4592

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:436
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2628

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1628
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:3324

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3972
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:224

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:428
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3540
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4412

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3860
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3684

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3040
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3616
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1908

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4944
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3112

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2536
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1616

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3148
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4568

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4592
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2364

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1460
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4904

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2480
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4516

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4132
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:428

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2972
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:3716

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3004
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2656

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4436
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1500

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1780
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4064

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4324
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2108

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3252
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4960

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4584
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2688

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4100
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2364

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1628
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3324

C:\Windows\system32\cmd.exe
cmd /c start shutdown -f -r -t 00
1⤵
PID:4176
- C:\Windows\system32\shutdown.exe
  shutdown -f -r -t 00
  2⤵
  PID:2752

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ae855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b065.rbs

Filesize
13.4MB

MD5
2060feb252da360192c190284fccd506

SHA1
6c930cb3856452d8a7d3929107564c1aad658923

SHA256
6a96acc9538e77f891787bdb41ebe1c3f89b8c91f5e12c6252c2d01910ff0ab8

SHA512
cb679e6ff23ed5c47b182790767c77167e0e5fb49865d18ca727714d1479e421122f41ae156244bd0386539d150d008a0180030a344155ffe71f7d56d4b83745

Download Submit
C:\Program Files (x86)\Windows NT\7za.bin

Filesize
577KB

MD5
f77c0b61806b6865c888592e178294c3

SHA1
e9e0b393cc977fbdbc44fe19d92879a38a4dad0c

SHA256
b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82

SHA512
b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

Download Submit
C:\Program Files (x86)\Windows NT\7za.exe

Filesize
577KB

MD5
fbc6e272e89203cb9ddb3f88b4954deb

SHA1
fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d

SHA256
99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6

SHA512
b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

Download Submit
C:\Program Files (x86)\Windows NT\locale.bin

Filesize
48KB

MD5
7abe8030a0e18d93028ec0a4f30bf22d

SHA1
78b4ae69d3023c0d796b12645a0a6523d4703d08

SHA256
3bf3dd866b1bdc3669e54b0c96abbe1180635ecb1270c20a46b9fd45771ab7cd

SHA512
be3d35b2837626ca85d54b0e4ce6639809a6a1f28d24a735b87ab6c689603bf2462ee52bea1094dc8ebb0d227e5818ea4bbfd052e2d21a9749aef2b648c5117d

Download Submit
C:\Program Files (x86)\Windows NT\locale2.bin

Filesize
55KB

MD5
2f2bf41e2cae24881b7353510b3b35e8

SHA1
21babd383c1e89eed4993760e2f64ef8ea39aedd

SHA256
826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133

SHA512
96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e

Download Submit
C:\Program Files (x86)\Windows NT\locale3.bin

Filesize
29KB

MD5
6177495bc3fe9c1c9ddb004cce5e51ac

SHA1
5b2d16055a93ee4fceedc0f308f3733156f5deb8

SHA256
5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51

SHA512
4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7

Download Submit
C:\Program Files (x86)\Windows NT\locale3.dat

Filesize
29KB

MD5
c6cd33f25c71000e089e3ba2a18e907a

SHA1
853f963fd6edcb07e199c20eac25177f2894c5ba

SHA256
161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c

SHA512
a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

Download Submit
C:\Program Files (x86)\Windows NT\locale4.bin

Filesize
73KB

MD5
1ed346bcc3cc05a73f8391ffcd7f60cc

SHA1
3df7906454103d79ab93148e9a3e8f0ed6e9c90d

SHA256
e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21

SHA512
e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91

Download Submit
C:\Windows\Installer\MSIB334.tmp

Filesize
13.4MB

MD5
99d971164757b8f6c8803e09e9844970

SHA1
2b825a0506e00aa5cb0076bea3a6f55fd184ced9

SHA256
2420b386b2b13e29c0e6384f0d025c8e396eb6de8695370260643e0d1ae42f08

SHA512
c927963257da1d301f6f2b39584065b7b9d570230a4cf7d6cd60557b31fe17aec88ff0a10d91dff17cdd6b99bc6b2c68a24b66e1aec3e66088e1f0428c3346be

Download Submit
C:\Windows\Installer\e57b064.msi

Filesize
13.9MB

MD5
90111bdf3173ee59b2b4ebe158b00050

SHA1
77508c78e0a8f23cda0713ca77de15285af66a4e

SHA256
b8bd3eb19eb84bd518e9c5b82d88d6a8743581fcf32f7bacf819c8f0a20e5d11

SHA512
474faa22fc0b0f9a9b9b7c479a3dd86e2c0e7fc2c93bbe650961438f1167b7bee886f31834abe934cb9de6e903be0fed150a63fe58d71001f495ab45f5ca85fa

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
473984895dde34833d964615f3cb09b7

SHA1
6f259122eefeb8b1186061b838fa307ede333f27

SHA256
ad0111dfabd355d18a73722651fb3c8563a60c0f61bc898e7dd2e8a73d5826cd

SHA512
a31f5dc584869b995e2311c9e6df5c695999f48d6af021149b1bc77387fc22df2ed4f1a5eb24b3bda461c7e76f58afd35a814a4a0cd69c9035e608f07ee71c92

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{138ebb4d-9209-431c-b8d1-ab83cfd5c05d}_OnDiskSnapshotProp

Filesize
6KB

MD5
2e0013092c28f3483f68d28edfb617bc

SHA1
560bb4125af56d4452bf17fe46eed23d2d07dba7

SHA256
3d3597c410999d33dd55f6ace2b9fada95a7c5dee8cdbd8f4adbb64ca103ac4c

SHA512
fab7e86138b9d6a99f6d0213b04aba2ad67b5824820b30919900795fe5afd7b1d07021dfe88ece8c21196ba50eb3f43f94e282c8bbccd9e3ab47baf76a25bb92

Download Submit
memory/4260-27-0x00007FFECE170000-0x00007FFECF757000-memory.dmp

Filesize
21.9MB

Download
memory/4260-26-0x00007FFEEF320000-0x00007FFEEF322000-memory.dmp

Filesize
8KB

Download
memory/4260-25-0x00007FFEEF310000-0x00007FFEEF312000-memory.dmp

Filesize
8KB

Download

pid	process
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640

pid	process
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640
640