Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 22/11/2024, 08:09
Static task: static1
Behavioral task: behavioral1
  Sample: wangnengjs-winoencxans_1.1.0.6.msi
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: wangnengjs-winoencxans_1.1.0.6.msi
  Resource: win10v2004-20241007-en
General
Target: wangnengjs-winoencxans_1.1.0.6.msi
Size: 50.9MB
MD5: 143b59cd302d0ca40f146ba53aaaaad5
SHA1: a8a5345e19b20500b62629f14060aefc883e3b52
SHA256: 4a68bdfa3e31a8c063bbf94469160eb7998a556027d5ad33f37c347a71c2d3a4
SHA512: f0ee06942a41d51dceb3dd5d512dad6f3380f1ade868807f7134c0607d195e8e4eac979dc2559aa6976eb0d0ff654dded10b9c647188fca206cff287298a1b90
SSDEEP: 1572864:ONd1Bl1AJnKNldB6ZCUu6ofwyEICAf3u1ihUsMhMG:ONd1Blzd0ZX3QC03u11sMe
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | colorcpl.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | colorcpl.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | colorcpl.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | colorcpl.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | colorcpl.exe
File opened (read-only) | \??\U: | colorcpl.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Q: | colorcpl.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | colorcpl.exe
File opened (read-only) | \??\P: | colorcpl.exe
File opened (read-only) | \??\Z: | colorcpl.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | colorcpl.exe
File opened (read-only) | \??\T: | colorcpl.exe
File opened (read-only) | \??\V: | colorcpl.exe
File opened (read-only) | \??\Y: | colorcpl.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\E: | colorcpl.exe
File opened (read-only) | \??\I: | colorcpl.exe
File opened (read-only) | \??\X: | colorcpl.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | colorcpl.exe
File opened (read-only) | \??\R: | colorcpl.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | colorcpl.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1132 set thread context of 2400 | 1132 | down.exe | 40
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263.exe | msiexec.exe
File created | C:\Program Files (x86)\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\ziplib.dll | msiexec.exe
File created | C:\Program Files (x86)\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\好压万能压缩_1.1.0.263\ToDesk_Daas_v1.0.2.0.exe | msiexec.exe
Drops file in Windows directory (11 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f76fc78.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76fc78.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFCF5.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI264.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f76fc79.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIFE8B.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76fc79.ipi | msiexec.exe
Executes dropped EXE (2 IoCs)
pid | Process
1132 | down.exe
2436 | down.exe
Loads dropped DLL (20 IoCs)
pid | Process
2624 | MsiExec.exe
2624 | MsiExec.exe
2624 | MsiExec.exe
2624 | MsiExec.exe
2624 | MsiExec.exe
1980 | MsiExec.exe
2920 | MsiExec.exe
2920 | MsiExec.exe
2920 | MsiExec.exe
1132 | down.exe
1132 | down.exe
1132 | down.exe
1132 | down.exe
2436 | down.exe
2436 | down.exe
2436 | down.exe
2436 | down.exe
2104 | WerFault.exe
2104 | WerFault.exe
2104 | WerFault.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2556 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Modifies data under HKEY_USERS (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs)
pid | Process
1368 | msiexec.exe
1368 | msiexec.exe
2920 | MsiExec.exe
2920 | MsiExec.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
2400 | colorcpl.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2556 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2556 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2556 | msiexec.exe
Token: SeRestorePrivilege | 1368 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1368 | msiexec.exe
Token: SeSecurityPrivilege | 1368 | msiexec.exe
Token: SeCreateTokenPrivilege | 2556 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2556 | msiexec.exe
Token: SeLockMemoryPrivilege | 2556 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2556 | msiexec.exe
Token: SeMachineAccountPrivilege | 2556 | msiexec.exe
Token: SeTcbPrivilege | 2556 | msiexec.exe
Token: SeSecurityPrivilege | 2556 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe
Token: SeLoadDriverPrivilege | 2556 | msiexec.exe
Token: SeSystemProfilePrivilege | 2556 | msiexec.exe
Token: SeSystemtimePrivilege | 2556 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2556 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2556 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2556 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2556 | msiexec.exe
Token: SeBackupPrivilege | 2556 | msiexec.exe
Token: SeRestorePrivilege | 2556 | msiexec.exe
Token: SeShutdownPrivilege | 2556 | msiexec.exe
Token: SeDebugPrivilege | 2556 | msiexec.exe
Token: SeAuditPrivilege | 2556 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2556 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2556 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2556 | msiexec.exe
Token: SeUndockPrivilege | 2556 | msiexec.exe
Token: SeSyncAgentPrivilege | 2556 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2556 | msiexec.exe
Token: SeManageVolumePrivilege | 2556 | msiexec.exe
Token: SeImpersonatePrivilege | 2556 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2556 | msiexec.exe
Token: SeCreateTokenPrivilege | 2556 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2556 | msiexec.exe
Token: SeLockMemoryPrivilege | 2556 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2556 | msiexec.exe
Token: SeMachineAccountPrivilege | 2556 | msiexec.exe
Token: SeTcbPrivilege | 2556 | msiexec.exe
Token: SeSecurityPrivilege | 2556 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe
Token: SeLoadDriverPrivilege | 2556 | msiexec.exe
Token: SeSystemProfilePrivilege | 2556 | msiexec.exe
Token: SeSystemtimePrivilege | 2556 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2556 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2556 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2556 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2556 | msiexec.exe
Token: SeBackupPrivilege | 2556 | msiexec.exe
Token: SeRestorePrivilege | 2556 | msiexec.exe
Token: SeShutdownPrivilege | 2556 | msiexec.exe
Token: SeDebugPrivilege | 2556 | msiexec.exe
Token: SeAuditPrivilege | 2556 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2556 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2556 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2556 | msiexec.exe
Token: SeUndockPrivilege | 2556 | msiexec.exe
Token: SeSyncAgentPrivilege | 2556 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2556 | msiexec.exe
Token: SeManageVolumePrivilege | 2556 | msiexec.exe
Token: SeImpersonatePrivilege | 2556 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2556 | msiexec.exe
Token: SeCreateTokenPrivilege | 2556 | msiexec.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2556 | msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2400 | colorcpl.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description | pid | Process | procid_target
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 2624 | 1368 | msiexec.exe | 31
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 1980 | 1368 | msiexec.exe | 36
PID 1368 wrote to memory of 2920 | 1368 | msiexec.exe | 37
PID 1368 wrote to memory of 2920 | 1368 | msiexec.exe | 37
PID 1368 wrote to memory of 2920 | 1368 | msiexec.exe | 37
PID 1368 wrote to memory of 2920 | 1368 | msiexec.exe | 37
PID 1368 wrote to memory of 2920 | 1368 | msiexec.exe | 37
PID 2920 wrote to memory of 1132 | 2920 | MsiExec.exe | 38
PID 2920 wrote to memory of 1132 | 2920 | MsiExec.exe | 38
PID 2920 wrote to memory of 1132 | 2920 | MsiExec.exe | 38
PID 1132 wrote to memory of 2436 | 1132 | down.exe | 39
PID 1132 wrote to memory of 2436 | 1132 | down.exe | 39
PID 1132 wrote to memory of 2436 | 1132 | down.exe | 39
PID 1132 wrote to memory of 2400 | 1132 | down.exe | 40
PID 1132 wrote to memory of 2400 | 1132 | down.exe | 40
PID 1132 wrote to memory of 2400 | 1132 | down.exe | 40
PID 1132 wrote to memory of 2400 | 1132 | down.exe | 40
PID 2436 wrote to memory of 2104 | 2436 | down.exe | 41
PID 2436 wrote to memory of 2104 | 2436 | down.exe | 41
PID 2436 wrote to memory of 2104 | 2436 | down.exe | 41
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indentation shows the parent/child depth in the process tree)

C:\Windows\system32\msiexec.exe (PID 2556)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wangnengjs-winoencxans_1.1.0.6.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1368)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2624)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 99B2C1D7D95C5124A14D49CFA04827F5 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\syswow64\MsiExec.exe (PID 1980)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6ADDCA3DC46E9811B74AD24405685C9
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\system32\MsiExec.exe (PID 2920)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding C785E9434742DF4E4E03761583D999DC
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe (PID 1132)
      Command line: C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\\down.exe
      - Suspicious use of SetThreadContext
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe (PID 2436)
        Command line: C:\Users\Admin\74CB9133-9BA8-4ECC-9886-0000876844B0\down.exe /aut
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\WerFault.exe (PID 2104)
          Command line: C:\Windows\system32\WerFault.exe -u -p 2436 -s 96
          - Loads dropped DLL

      C:\Windows\system32\colorcpl.exe (PID 2400)
        Command line: colorcpl.exe
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe (PID 1144)
  Command line: C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe (PID 2596)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "0000000000000068"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 28KB
MD5: 104377ef759cac02d376e016d9f4d958
SHA1: dec2b319dcab188536f87dcb01a321bbccbba724
SHA256: 1a7c2b371e63dba9cc111702018f0d69a81ae669f8701d68984b1c56a2a15df8
SHA512: 2bbaf285d5892b640b9d0d8f4efa7de66ecd84200a75f60549d4db42bfd4fcdb33e93d94324a54dc0857695d166bc950ecc825577fa496909eb0660ae2a722da

Filesize: 613KB
MD5: c1b066f9e3e2f3a6785161a8c7e0346a
SHA1: 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256: 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512: 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Filesize: 116KB
MD5: e9b690fbe5c4b96871214379659dd928
SHA1: c199a4beac341abc218257080b741ada0fadecaf
SHA256: a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8
SHA512: 00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Filesize: 48KB
MD5: eb49c1d33b41eb49dfed58aafa9b9a8f
SHA1: 61786eb9f3f996d85a5f5eea4c555093dd0daab6
SHA256: 6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e
SHA512: d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Filesize: 1.3MB
MD5: 51698f9d781f9ba83b9d1896f047b666
SHA1: 5e28f766d10af39ec28f46f20a8d047474135923
SHA256: 300776a76cf4faaa2ef0d0928adf0bb9621ae486e316f81af8d71719d9f413cb
SHA512: cee9cb3c89b0a7defdc5cc61acc479f94a3e29556c9fec5ede12997cee8b67e780af443fae1f81399274e0602ac9102521e6389422ec9ede49e23647a256e952

Filesize: 656KB
MD5: 90ddb0bcf3638b0c48caed930c641313
SHA1: 95d1c419151d832260522310fab49c4694882e8a
SHA256: 50fc547c6c47d3237832d7d9e40712f9c47fb547629023a78dfc46a5f1c50ff9
SHA512: 5e90a257315d9b3938b9ac0e6205c3b754ee56721a0fb62081be3c06c570a094df134d8437c29cf50f34ceda6ac4461358b8518f505d0a5278617a9afb1c1cb1

Filesize: 557KB
MD5: db7612f0fd6408d664185cfc81bef0cb
SHA1: 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256: e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512: 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Filesize: 25KB
MD5: 81902d13c01fd8a187f3a7f2b72d5dd0
SHA1: 0ac01518c5588eb2788730c78f0c581f79cf2ed4
SHA256: eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6
SHA512: 04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Filesize: 3.0MB
MD5: 68b50c0c6c89cb9cd971c793cda8e036
SHA1: 414eb5d40636ca50baae60a42f15b259ae64e01d
SHA256: 736435af598acbd3d4e802cc8e3114b38cdaf9d400ed33b971aa10fe2011f093
SHA512: d8861032bc3e84211746894cc2bd1e057fa1f6f9f5da9a9d43db578fe364c0606978d5e711bee886961206d8a6d9eb79479e396ad8ec7edb6c15a2b53aade690

Filesize: 2.7MB
MD5: e025fb98bf7b06e2e1c00d0642cff374
SHA1: 34b9a8b326023ef06a2545f8932da207b2064237
SHA256: 9c9a6bc84961f341a783bbda8181e2e189bafe96772bc145cd1e85739cf7da7c
SHA512: 4491c9ba8f4357ecfaa9e995ec4b6693e981f4268341bc73a9709fdb8f8671b60e79917b8446370ebc22f299be655b6d3aec5041cd277cccb4588372f0159854