Analysis
max time kernel: 134s
max time network: 142s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2024 03:23
Static task: static1
Behavioral task: behavioral1
  Sample: Chromestup翻译插件.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Chromestup翻译插件.msi
  Resource: win10v2004-20241007-en
General
Target: Chromestup翻译插件.msi
Size: 6.4MB
MD5: 5e95a04a874d801f406b1f2531056131
SHA1: 66caf403d62d69f065a20ee71d8699456319893d
SHA256: b59cb81b4ea7d8e84a5738b9095d63670362380d0fb16feaa13badc4308c4dc5
SHA512: 97c028d9ff9792234b2c5c1551e34c9b68df2bc489b0bdb2389a60021b2a28adb5a931d2f2973fb09194d5e538832bd20b5ed2a9c1cc3919a4119cfc27eceabd
SSDEEP: 98304:/PBflMPzidUtZX3GcYXhDpjRPuZ+ksUmz6e30YhLUuunN/A0sO0vcap:HBfMDXXYXlsMz6evpjunNI0x0v
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload 1 IoCs
resource | yara_rule
behavioral1/memory/536-60-0x0000000000400000-0x0000000000441000-memory.dmp | family_blackmoon
FatalRat
FatalRat is a modular infostealer family written in C++, first appearing in June 2021.
Fatalrat family
Fatal Rat payload 1 IoCs
resource | yara_rule
behavioral1/memory/2108-52-0x0000000010000000-0x000000001002D000-memory.dmp | fatalrat
resource | yara_rule
behavioral1/files/0x0005000000019467-34.dat | aspack_v212_v242
resource | yara_rule
behavioral1/files/0x00050000000194ad-58.dat | vmprotect
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NVDisplay = "C:\\ProgramData\\Smart\\csrss.exe" | setup.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
(each drive letter below was opened twice, 46 entries in total)
File opened (read-only) | \??\A: | msiexec.exe  ×2
File opened (read-only) | \??\B: | msiexec.exe  ×2
File opened (read-only) | \??\E: | msiexec.exe  ×2
File opened (read-only) | \??\G: | msiexec.exe  ×2
File opened (read-only) | \??\H: | msiexec.exe  ×2
File opened (read-only) | \??\I: | msiexec.exe  ×2
File opened (read-only) | \??\J: | msiexec.exe  ×2
File opened (read-only) | \??\K: | msiexec.exe  ×2
File opened (read-only) | \??\L: | msiexec.exe  ×2
File opened (read-only) | \??\M: | msiexec.exe  ×2
File opened (read-only) | \??\N: | msiexec.exe  ×2
File opened (read-only) | \??\O: | msiexec.exe  ×2
File opened (read-only) | \??\P: | msiexec.exe  ×2
File opened (read-only) | \??\Q: | msiexec.exe  ×2
File opened (read-only) | \??\R: | msiexec.exe  ×2
File opened (read-only) | \??\S: | msiexec.exe  ×2
File opened (read-only) | \??\T: | msiexec.exe  ×2
File opened (read-only) | \??\U: | msiexec.exe  ×2
File opened (read-only) | \??\V: | msiexec.exe  ×2
File opened (read-only) | \??\W: | msiexec.exe  ×2
File opened (read-only) | \??\X: | msiexec.exe  ×2
File opened (read-only) | \??\Y: | msiexec.exe  ×2
File opened (read-only) | \??\Z: | msiexec.exe  ×2
Drops file in Windows directory 14 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\f7700af.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f7700ac.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7700ac.msi | msiexec.exe
File created | C:\Windows\Installer\f7700af.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6E9.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI39C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI468.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI158.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI243.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2C1.tmp | msiexec.exe
Executes dropped EXE 2 IoCs
pid | Process
536 | setup.exe
2108 | svchost.exe
Loads dropped DLL 13 IoCs
pid | Process
2408 | MsiExec.exe  ×5
536 | setup.exe  ×5
2108 | svchost.exe  ×3
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2360 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | setup.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Modifies data under HKEY_USERS 55 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Group = "Fatal" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\InstallTime = "2024-12-05 03:23" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\ | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Suspicious behavior: EnumeratesProcesses 57 IoCs
pid | Process
2052 | msiexec.exe  ×2
2108 | svchost.exe  ×55 (the remaining entries of the 57)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
(×N marks N consecutive identical entries)
Token: SeShutdownPrivilege | 2360 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2360 | msiexec.exe
Token: SeRestorePrivilege | 2052 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2052 | msiexec.exe
Token: SeSecurityPrivilege | 2052 | msiexec.exe
Token: SeCreateTokenPrivilege | 2360 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2360 | msiexec.exe
Token: SeLockMemoryPrivilege | 2360 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2360 | msiexec.exe
Token: SeMachineAccountPrivilege | 2360 | msiexec.exe
Token: SeTcbPrivilege | 2360 | msiexec.exe
Token: SeSecurityPrivilege | 2360 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2360 | msiexec.exe
Token: SeLoadDriverPrivilege | 2360 | msiexec.exe
Token: SeSystemProfilePrivilege | 2360 | msiexec.exe
Token: SeSystemtimePrivilege | 2360 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2360 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2360 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2360 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2360 | msiexec.exe
Token: SeBackupPrivilege | 2360 | msiexec.exe
Token: SeRestorePrivilege | 2360 | msiexec.exe
Token: SeShutdownPrivilege | 2360 | msiexec.exe
Token: SeDebugPrivilege | 2360 | msiexec.exe
Token: SeAuditPrivilege | 2360 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2360 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2360 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2360 | msiexec.exe
Token: SeUndockPrivilege | 2360 | msiexec.exe
Token: SeSyncAgentPrivilege | 2360 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2360 | msiexec.exe
Token: SeManageVolumePrivilege | 2360 | msiexec.exe
Token: SeImpersonatePrivilege | 2360 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2360 | msiexec.exe
Token: SeBackupPrivilege | 2892 | vssvc.exe
Token: SeRestorePrivilege | 2892 | vssvc.exe
Token: SeAuditPrivilege | 2892 | vssvc.exe
Token: SeBackupPrivilege | 2052 | msiexec.exe
Token: SeRestorePrivilege | 2052 | msiexec.exe
Token: SeRestorePrivilege | 2796 | DrvInst.exe  ×7
Token: SeLoadDriverPrivilege | 2796 | DrvInst.exe  ×3
Token: SeRestorePrivilege | 2052 | msiexec.exe  ×8, alternating with the next row
Token: SeTakeOwnershipPrivilege | 2052 | msiexec.exe  ×7
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2360 | msiexec.exe  ×2
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
536 | setup.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 2052 wrote to memory of 2408 | 2052 | msiexec.exe | 35  ×7
PID 2052 wrote to memory of 536 | 2052 | msiexec.exe | 36  ×7
PID 536 wrote to memory of 2108 | 536 | setup.exe | 37  ×7
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 2360)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 2052)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\syswow64\MsiExec.exe (PID 2408)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding B1D07100E1F85EC45786294699D06EAC
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  C:\ProgramData\Smart\setup.exe (PID 536)
    command line: "C:\ProgramData\Smart\setup.exe"
    - Adds Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\ProgramData\NVIDIARV\svchost.exe (PID 2108)
      command line: C:\ProgramData\NVIDIARV\svchost.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\vssvc.exe (PID 2892)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DrvInst.exe (PID 2796)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002F4" "0000000000000584"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Installer Packages (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1)
    Installer Packages (1)
Downloads
Filesize: 1KB
MD5: 484e9141e07140e1eb3fb09958f34867
SHA1: e3f306ad0645f482517ba21cf86c256960fb7be1
SHA256: 095ee6cec16788dffc42e18a651ef1fb981fe9ba8d1b44cde46ca946ffcee993
SHA512: abf505705c795db22d662bd9c9c688b896dbdd95d14c33be068a7ed3e0bbda19aa5e0267da2db371ac22d16ff7c3d30579fcda95f7016b4ba1adb29be5ecbc25

Filesize: 978KB
MD5: 8e945aaf7128bb3db83e51f3c2356637
SHA1: bcc64335efc63cb46e14cc330e105520391e2b00
SHA256: 4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073
SHA512: 150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

Filesize: 756KB
MD5: 48fbee27eabd6b592e96fe5ff4086077
SHA1: f9210d906a7db652c1487af704b065b641ed4f8c
SHA256: 03115d392d4d012975476906fa61722b8845bdc8aad603021e766864458f9e08
SHA512: 772375425457d15ac05376ae92bdc76582a6a538f2f9e0d4838396ae08c8ec5206b43e088604e8888440a227c5663035d6bbdff897353d39c339148425727bcf

Filesize: 77KB
MD5: 40e9f7352914f047d2a38c499260be39
SHA1: 38a327ba8682cf7991b6a10f80d7d747aab4d998
SHA256: 1063f82b25d035d9027456569bfc08ba436132a36c519ecebe4b7fd7ad1cd34c
SHA512: aea8a8a7b62bf3c7712decef260138ed376956cc6aef5e58f9001ddf3e7acd04d4084be3b9a2990fa7486e6842a2c400e1e138358ea08916bade3dd4d159f19a

Filesize: 587KB
MD5: c7fbd5ee98e32a77edf1156db3fca622
SHA1: 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256: e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA512: 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Filesize: 1.1MB
MD5: ae463676775a1dd0b7a28ddb265b4065
SHA1: dff64c17885c7628b22631a2cdc9da83e417d348
SHA256: 83fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22
SHA512: e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6

Filesize: 3.4MB
MD5: e06b6a425c32bafc08908f7364b4f153
SHA1: 3804397a1f2997db63c8d0133fd90b16a995f4eb
SHA256: 1cd4f79327c883ad9b869b2dbb93396e283663613065613421b6f3f43eaf8cdb
SHA512: c7613d95eb1bab7f5487106686e21b95d240cf1608cb96f1da17b6f11507f38474695ffb76d143d29f4e83931ebfe418fa3bed5f9d74e353e2fcd69bbea3bb5b