d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

Resubmissions

10-01-2025 18:05

250110-wn7cts1pct 10

10-01-2025 18:03

250110-wnc4zs1pay 10

10-01-2025 17:59

250110-wkqwns1ndx 10

Analysis

max time kernel
38s
max time network
21s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dogusign Reader 1.26g.msi
Size

10.5MB
MD5

35f774e65e57f419fff8d8f74945ea51
SHA1

c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb
SHA256

d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2
SHA512

34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26
SSDEEP

196608:xaZKIcPtwQbOmV7SPjZJrtiXPFsKASDdybmR67JU6OpkKM1sQT9nAJDPMRAl6q7r:Y3cPt30JrtiXdsKAcrR67J0kR1syAtMU

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 2188	908	RttHlp.exe	39
PID 3060 set thread context of 1836	3060	RttHlp.exe	41

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770982.msi	msiexec.exe
File created	C:\Windows\Installer\f770983.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7C.tmp	msiexec.exe
File created	C:\Windows\Installer\f770985.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f770983.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f770982.msi	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2996	RttHlp.exe
3060	RttHlp.exe
908	RttHlp.exe

Loads dropped DLL 10 IoCs

pid	Process
2996	RttHlp.exe
2996	RttHlp.exe
2996	RttHlp.exe
2996	RttHlp.exe
3060	RttHlp.exe
3060	RttHlp.exe
3060	RttHlp.exe
3060	RttHlp.exe
908	RttHlp.exe
908	RttHlp.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2892	msiexec.exe
2892	msiexec.exe
2996	RttHlp.exe
3060	RttHlp.exe
3060	RttHlp.exe
908	RttHlp.exe
908	RttHlp.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2188	cmd.exe
2188	cmd.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
1836	cmd.exe
1836	cmd.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2676	taskmgr.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
908	RttHlp.exe
3060	RttHlp.exe
2188	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2340	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeSecurityPrivilege	2892	msiexec.exe
Token: SeCreateTokenPrivilege	2340	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2340	msiexec.exe
Token: SeLockMemoryPrivilege	2340	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2340	msiexec.exe
Token: SeMachineAccountPrivilege	2340	msiexec.exe
Token: SeTcbPrivilege	2340	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeLoadDriverPrivilege	2340	msiexec.exe
Token: SeSystemProfilePrivilege	2340	msiexec.exe
Token: SeSystemtimePrivilege	2340	msiexec.exe
Token: SeProfSingleProcessPrivilege	2340	msiexec.exe
Token: SeIncBasePriorityPrivilege	2340	msiexec.exe
Token: SeCreatePagefilePrivilege	2340	msiexec.exe
Token: SeCreatePermanentPrivilege	2340	msiexec.exe
Token: SeBackupPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeShutdownPrivilege	2340	msiexec.exe
Token: SeDebugPrivilege	2340	msiexec.exe
Token: SeAuditPrivilege	2340	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2340	msiexec.exe
Token: SeChangeNotifyPrivilege	2340	msiexec.exe
Token: SeRemoteShutdownPrivilege	2340	msiexec.exe
Token: SeUndockPrivilege	2340	msiexec.exe
Token: SeSyncAgentPrivilege	2340	msiexec.exe
Token: SeEnableDelegationPrivilege	2340	msiexec.exe
Token: SeManageVolumePrivilege	2340	msiexec.exe
Token: SeImpersonatePrivilege	2340	msiexec.exe
Token: SeCreateGlobalPrivilege	2340	msiexec.exe
Token: SeBackupPrivilege	2728	vssvc.exe
Token: SeRestorePrivilege	2728	vssvc.exe
Token: SeAuditPrivilege	2728	vssvc.exe
Token: SeBackupPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeDebugPrivilege	2676	taskmgr.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2452	DrvInst.exe
Token: SeLoadDriverPrivilege	2452	DrvInst.exe
Token: SeLoadDriverPrivilege	2452	DrvInst.exe
Token: SeLoadDriverPrivilege	2452	DrvInst.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe
Token: SeRestorePrivilege	2892	msiexec.exe
Token: SeTakeOwnershipPrivilege	2892	msiexec.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2340	msiexec.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2340	msiexec.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe
2676	taskmgr.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2996	2892	msiexec.exe	36
PID 2892 wrote to memory of 2996	2892	msiexec.exe	36
PID 2892 wrote to memory of 2996	2892	msiexec.exe	36
PID 2892 wrote to memory of 2996	2892	msiexec.exe	36
PID 2996 wrote to memory of 3060	2996	RttHlp.exe	37
PID 2996 wrote to memory of 3060	2996	RttHlp.exe	37
PID 2996 wrote to memory of 3060	2996	RttHlp.exe	37
PID 2996 wrote to memory of 3060	2996	RttHlp.exe	37
PID 3060 wrote to memory of 908	3060	RttHlp.exe	38
PID 3060 wrote to memory of 908	3060	RttHlp.exe	38
PID 3060 wrote to memory of 908	3060	RttHlp.exe	38
PID 3060 wrote to memory of 908	3060	RttHlp.exe	38
PID 908 wrote to memory of 2188	908	RttHlp.exe	39
PID 908 wrote to memory of 2188	908	RttHlp.exe	39
PID 908 wrote to memory of 2188	908	RttHlp.exe	39
PID 908 wrote to memory of 2188	908	RttHlp.exe	39
PID 3060 wrote to memory of 1836	3060	RttHlp.exe	41
PID 3060 wrote to memory of 1836	3060	RttHlp.exe	41
PID 3060 wrote to memory of 1836	3060	RttHlp.exe	41
PID 3060 wrote to memory of 1836	3060	RttHlp.exe	41
PID 908 wrote to memory of 2188	908	RttHlp.exe	39
PID 3060 wrote to memory of 1836	3060	RttHlp.exe	41
PID 2188 wrote to memory of 756	2188	cmd.exe	45
PID 2188 wrote to memory of 756	2188	cmd.exe	45
PID 2188 wrote to memory of 756	2188	cmd.exe	45
PID 2188 wrote to memory of 756	2188	cmd.exe	45
PID 2188 wrote to memory of 756	2188	cmd.exe	45
PID 1836 wrote to memory of 1864	1836	cmd.exe	46
PID 1836 wrote to memory of 1864	1836	cmd.exe	46
PID 1836 wrote to memory of 1864	1836	cmd.exe	46
PID 1836 wrote to memory of 1864	1836	cmd.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Dogusign Reader 1.26g.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe
  "C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
    C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Roaming\configRemote_PZ4\VIAUFVAGINDHTZQXNG\RttHlp.exe
      C:\Users\Admin\AppData\Roaming\configRemote_PZ4\VIAUFVAGINDHTZQXNG\RttHlp.exe
      4⤵
      Suspicious use of SetThreadContext
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        5⤵
        
        PID:1864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2676

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770984.rbs

Filesize
8KB

MD5
218b52f20b0d9c596216f8acc329e34e

SHA1
55e84ffc11b607f2b81d4cb6b95b36e2255a838c

SHA256
b2ff6d0531432ebb31b346bfbe50bc554c7ef7409fe0968b974111886802e138

SHA512
83a1048c2d7b4f5d3c38e43fd8c627886bb28f7ac12a3b8c3ff477cae20bd139043f2940bc167c9b825578426fdb2ddc5d5e9cfa14f7064eb347553d34d1297f

Download Submit
C:\Users\Admin\AppData\Local\Temp\156e7f32

Filesize
12.9MB

MD5
fbbc25e716b72342933da783cf79928c

SHA1
f9e6b39ab388f50f37780021e3ac29fb924ed5b7

SHA256
0a2164246cf2e6d7a95f1f56ebe379e9f78d15591384452d1dbc58a3b923604d

SHA512
d2cd70de15971598f83b900f3c997b6a4e9b9bb205409058fa6e518de2216e08423543ddfd85f9b80b512e8aaa736c66909d7dbc77ad684a5eff32aff8bbe78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\17939614

Filesize
1.0MB

MD5
6a1e97ac56a4dee6d5549de78a925753

SHA1
c71f9906763d4dab49956f61332ef36ef7318b61

SHA256
1efd5fd6ef1f59a17946b29c9869d5a98d954f0efa46a0036d6562dba6a2e575

SHA512
8dc554e357f28a54d2cd0dd22ab5042d36f148f4c2eabcac2bc532d4809bdbfcbc295d6c5ec843b9f879fb481049ba762893ebd98e6db39130939bf80cf46a99

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\Register.dll

Filesize
1.0MB

MD5
40b9628354ef4e6ef3c87934575545f4

SHA1
8fb5da182dea64c842953bf72fc573a74adaa155

SHA256
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

SHA512
02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe

Filesize
135KB

MD5
a2d70fbab5181a509369d96b682fc641

SHA1
22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

SHA256
8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

SHA512
219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\burro.ini

Filesize
10.5MB

MD5
95a61e7f85bc8b48e6e52992d39eefc6

SHA1
df90ab3e50a7e566948ff56dde540139d23934c0

SHA256
0cea6a8a1b71eaaf329b70552ebe353d1a468ae2da5ac9c018d1927b55406bf5

SHA512
7a2ebb2caebe5efed73b701ee96a7880dea32301776a16beb288ab008531b396d06e36f6d0c4e60590c02355b4e1fc206e1468bc181042900fc18bc7b9f20086

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\magnesium.csv

Filesize
52KB

MD5
038c02b1cdce1b2738c09d9d2b8bbd74

SHA1
0f20d6c4a1cb65ca8a33c613b0f297148f9a39b2

SHA256
ff5f5110ca6ca5d57db34ec4ea566d28d4b2535d71540331448711a25a89b3f4

SHA512
afb692a8bddf29feb352a3129165c045187c5a41ac134515d5d5ff884b26f24789113929e9c49f0277b8e509755566f5725be05d15a268fd07f03771ab004717

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\rtl120.bpl

Filesize
1.1MB

MD5
adf82ed333fb5567f8097c7235b0e17f

SHA1
e6ccaf016fc45edcdadeb40da64c207ddb33859f

SHA256
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

SHA512
2253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92

Download Submit
C:\Users\Admin\AppData\Local\Yarrow\vcl120.bpl

Filesize
1.9MB

MD5
37c89f8997af129d230837c87997b737

SHA1
5031df412eaf09cc72688e7865e4604cda6c2fbd

SHA256
f3ea5d6457089b4c4ab207f0b96dd5f321cdc7b3360ca27cd6ed273ec25d807e

SHA512
3ede7277cb8d16c83e65bb6e6626f30b124ff9cb1579cfc8fbea7358489f9520d416238e998707219b4b0debb6cc1fc2634133f2fe9457a840d8b2bc76ddb3bf

Download Submit
C:\Users\Admin\AppData\Roaming\configRemote_PZ4\VIAUFVAGINDHTZQXNG\burro.ini

Filesize
791KB

MD5
28431839e39dffad0485cc51b34c705f

SHA1
0b63857ea0abe841fdae8fd8b9f9b3ef0af881a0

SHA256
d832c2fd66e09b3eb829901fa6e7a2b610a398d8e007d6352edf4763ea3ce363

SHA512
cca16a18f52f2d059308214897673acd48cfca144a5075fba372ad33b8c645d202ebf32576d9d299d95e37e059d78dfdf70f7e844c479bd8c8484dc06bfe9d03

Download Submit
C:\Windows\Installer\f770982.msi

Filesize
10.5MB

MD5
35f774e65e57f419fff8d8f74945ea51

SHA1
c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb

SHA256
d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2

SHA512
34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26

Download Submit
memory/756-118-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/908-102-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/908-98-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/908-100-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/908-101-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/908-93-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/908-92-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/1836-114-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/2188-115-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/2188-104-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/2676-0-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2676-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2676-94-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2996-39-0x0000000074370000-0x00000000744E4000-memory.dmp

Filesize
1.5MB

Download
memory/2996-40-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/2996-57-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2996-55-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2996-56-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3060-66-0x0000000076D80000-0x0000000076F29000-memory.dmp

Filesize
1.7MB

Download
memory/3060-106-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3060-65-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-97-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-68-0x0000000074350000-0x00000000744C4000-memory.dmp

Filesize
1.5MB

Download