35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6

Resubmissions

05/02/2025, 14:45

250205-r4w5kssngm 8

28/01/2025, 13:04

250128-qa9cdayrhw 8

Analysis

max time kernel
117s
max time network
227s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirtualBox-7.1.6-167084-Win.exe
Size

117.3MB
MD5

8addd310d09249bc176c9c891aae41cb
SHA1

81212ad29642b2b261df42d25ccd23fe715914d1
SHA256

35c42c98b784974a965c358a9bda63b6cb4edde80db83f87daa2fee83e6cfad6
SHA512

b6126211ade8b38215ea70692af8cff5e47cb922484a3f08e377edf01a4a1d9b865772f4703d6914d779faba95eb46f16266e6f05411efba4691bc6f411d1d77
SSDEEP

3145728:Zqar23mGGWtNN/fdSqyI/LUs5DuFsdOKtVeBi4g:82GGOFfAqyI/7FdUAT

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET407.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SET407.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetAdp6.sys	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETEDA9.tmp	MsiExec.exe
File created	C:\Windows\system32\DRIVERS\SETEDA9.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\DRIVERS\VBoxNetLwf.sys	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
32	960	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\I:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.1.6-167084-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.1.6-167084-Win.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDCAA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFEA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\VBoxSup.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\VBoxSup.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	MsiExec.exe
File created	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE24.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE26.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDC99.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDCAB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\vboxnetlwf.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	MsiExec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFEA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\VBoxSup.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\vboxnetlwf.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_neutral_15909adfa959bbd7\vboxnetadp6.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE24.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE25.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE26.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDC99.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDCAA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\SETDCAB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\VBoxNetLwf.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFEB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFFC.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\SETEFEB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_neutral_15909adfa959bbd7\vboxnetadp6.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\vboxnetadp6.inf_amd64_neutral_15909adfa959bbd7\VBoxNetAdp6.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE25.tmp	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_el.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_tr.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qwindowsVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\os2_cid_install.cmd	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6GuiVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\doc\UserManual.pdf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\x86.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.inf	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\redhat_postinstall.sh	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDDU.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDbg.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_da.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxRT-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxRT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_150px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_cs.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\sqldrivers\qsqliteVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UserManual.qhc	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxSharedFolders.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\platforms\qminimalVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\dtrace\lib\amd64\CPUMInternal.d	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ja.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_zh_TW.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\device\VBoxUSB.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UICommon.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox_70px.png	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\USB\filter\VBoxUSBMon.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxLibSsh.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ko.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ca.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestAdditions.iso	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetDHCP.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_lt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_it.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_pt.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\Qt6HelpVBox.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxBugReport.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxDragAndDropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_eu.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_sl.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\debian_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_hr_HR.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_ka.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_uk.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ol8_ks.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\UnattendedTemplates\ubuntu_preseed.cfg	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxAuthSimple.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxGuestPropSvc.dll	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\VirtualBox_de.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_en.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\nls\qt_ru.qm	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.sys	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VBoxNetNAT.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\VirtualBox.exe	msiexec.exe
File created	C:\Program Files\Oracle\VirtualBox\drivers\vboxsup\VBoxSup.cat	msiexec.exe

Drops file in Windows directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI9080.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID814.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{08123D53-81FD-48DF-BDD1-64FC2B977919}\IconVirtualBox	msiexec.exe
File created	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI913C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7EE.tmp	msiexec.exe
File created	C:\Windows\Installer\{08123D53-81FD-48DF-BDD1-64FC2B977919}\IconVirtualBox	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9227.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID777.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI8F85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9777.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MsiExec.exe
File created	C:\Windows\Installer\f788595.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	MsiExec.exe
File opened for modification	C:\Windows\INF\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f788594.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC60.tmp	msiexec.exe
File created	C:\Windows\INF\oem3.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\f788595.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f788594.msi	msiexec.exe
File created	C:\Windows\Installer\f788597.msi	msiexec.exe
File created	C:\Windows\INF\oem0.PNF	MsiExec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIA6F3.tmp	msiexec.exe
File created	C:\Windows\INF\oem1.PNF	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIEEB1.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Loads dropped DLL 18 IoCs

pid	Process
2512	MsiExec.exe
2512	MsiExec.exe
2512	MsiExec.exe
2512	MsiExec.exe
2512	MsiExec.exe
2512	MsiExec.exe
1264	MsiExec.exe
1264	MsiExec.exe
1264	MsiExec.exe
1264	MsiExec.exe
3020	MsiExec.exe
1264	MsiExec.exe
1612	MsiExec.exe
1612	MsiExec.exe
1612	MsiExec.exe
1612	MsiExec.exe
1612	MsiExec.exe
1264	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VirtualBox-7.1.6-167084-Win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000c0faaaefdc77db01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e01eb2efdc77db01	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4E77131D-3629-431C-9818-C5679DC83E81} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e01eb2efdc77db01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MsiExec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{537707F7-EBF9-4D5C-7AEA-877BFC4256BA}\NumMethods\ = "69"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{726EACA9-091E-41B4-BCA6-355EFE864107}\NumMethods\ = "30"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D23A9CA3-42DA-C94B-8AEC-21968E08355D}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{D3D5F1EE-BCB2-4905-A7AB-CC85448A742B}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3E2654-A161-41F1-B583-4892F4A9D5D5}\ = "IMediumConfigChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{75DFF9BE-6CB3-4857-BDE6-2FAF82ED9A8D}\ = "IPlatformARM"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D05C91E2-3E8A-11E9-8082-DB8AE479EF87}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD3FC71D-26C0-4FE1-BF6F-67F633265BBA}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E775EA3-9070-4F9C-B0D5-53054496DBE0}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B2F98F8-9641-4397-854A-040439D0114B}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D0F4C6F-A77E-45C5-96D2-7CA7DAAE63A9}\NumMethods\ = "17"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\ = "IBooleanFormValue"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5ADA589F-09C9-4604-B700-9AB3A5572E3A}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{755E6BDF-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F4D803B4-9B2D-4377-BFE6-9702E881516B}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00391758-00B1-4E9D-0000-11FA00F9D583}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{327E3C00-EE61-462F-AED3-0DFF6CBF9904}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5587D0F6-A227-4F23-8278-2F675EEA1BB2}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DDEF35E-4737-457B-99FC-BC52C851A44F}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{9709DB9B-3346-49D6-8F1C-41B0C4784FF2}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ABE94809-2E88-4436-83D7-50F3E64D0503}\ = "IMachineDataChangedEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4FDEBBF0-BE30-49C0-B315-E9749E1BDED1}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EA9227C-E9BB-49B3-BFC7-C5171E93EF38}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0BAD6DF-D612-47D3-89D4-DB3992533948}\NumMethods\ = "17"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{E28E227A-F231-11EA-9641-9B500C6D5365}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FE2DA40-5637-472A-9736-72019EABD7DE}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{28935887-782B-4C94-8410-CE557B9CFE44}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5094F67A-8084-11E9-B185-DBE296E54799}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{5900472F-CC58-48AC-A088-B571B77F839B}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{69BFB134-80F6-4266-8E20-16371F68FA25}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6BB335CC-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{BC68370C-8A02-45F3-A07D-A67AA72756AA}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{D134C6B6-4479-430D-BB73-68A452BA3E67}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4F4ADCF6-3E87-11E9-8AF2-576E84223953}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B0A0904D-2F05-4D28-855F-488F96BAD2B2}\TypeLib\Version = "1.3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B79DE686-EABD-4FA6-960A-F1756C99EA1C}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{35CF4B3F-4453-4F3E-C9B8-5686939C80B6}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{4DA2DEC7-71B2-4817-9A64-4ED12C17388E}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{5CA9E537-5A1D-43F1-6F27-6A0DB298A9A8}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{392F1DE4-80E1-4A8A-93A1-67C5F92A838A}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6A5E65BA-EEB9-11EA-AE38-73242BC0F172}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{6CC49055-DAD4-4496-85CF-3F76BCB3B5FA}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E253EE8-477A-2497-6759-88B8292A5AF0}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FB220201-2FD3-47E2-A5DC-2C2431D833CC}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{B9ACD33F-647D-45AC-8FE9-F49B3183BA37}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{E062A915-3CF5-4C0A-BC90-9B8D4CC94D89}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF58A51D-54A1-411C-93E9-3047EB4DCD21}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{92F21DC0-44DE-1653-B717-2EBF0CA9B664}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{A508E094-BF24-4ECA-80C6-467766A1E4C0}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A71E5822-365B-49BA-BD14-C8D616E6740D}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D78374E9-486E-472F-481B-969746AF2480}\NumMethods\ = "15"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DB2AB1A-6CF7-42F1-8BF5-E1C0553E0B30}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A06253A7-DCD2-44E3-8689-9C9C4B6B6234}\TypeLib\Version = "1.3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F22DD3B4-E4D0-437A-BFDF-0372896BA162}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2514881B-23D0-430A-A7FF-7ED7F05534BC}\ = "INATNetworkPortForwardEvent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDCA7247-BF98-47FB-AB2F-B5177533F493}\ = "IStorageController"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD6A1080-E1B7-4339-A549-F0878115596E}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{75DFF9BE-6CB3-4857-BDE6-2FAF82ED9A8D}\ProxyStubClsid32\ = "{0BB3B78C-1807-4249-5BA5-EA42D66AF0BF}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5BBDB7D-8CE7-469F-A4C2-6476F581FF72}\NumMethods\ = "14"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{024F00CE-6E0B-492A-A8D0-968472A94DC7}\TypeLib\ = "{D7569351-1750-46F0-936E-BD127D5BC264}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{426EF1B8-DE91-49FB-ABC3-0E2BAE654FF2}\TypeLib\Version = "1.3"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.1.6-167084-Win.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	VirtualBox-7.1.6-167084-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.1.6-167084-Win.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	VirtualBox-7.1.6-167084-Win.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	msiexec.exe
960	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeRestorePrivilege	960	msiexec.exe
Token: SeTakeOwnershipPrivilege	960	msiexec.exe
Token: SeSecurityPrivilege	960	msiexec.exe
Token: SeCreateTokenPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeLockMemoryPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeMachineAccountPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeTcbPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSecurityPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeTakeOwnershipPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeLoadDriverPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemProfilePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemtimePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeProfSingleProcessPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncBasePriorityPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePagefilePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePermanentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeBackupPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeRestorePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeShutdownPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeDebugPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeAuditPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemEnvironmentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeChangeNotifyPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeRemoteShutdownPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeUndockPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSyncAgentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeEnableDelegationPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeManageVolumePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeImpersonatePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateGlobalPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateTokenPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeAssignPrimaryTokenPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeLockMemoryPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncreaseQuotaPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeMachineAccountPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeTcbPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSecurityPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeTakeOwnershipPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeLoadDriverPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemProfilePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemtimePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeProfSingleProcessPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeIncBasePriorityPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePagefilePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreatePermanentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeBackupPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeRestorePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeShutdownPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeDebugPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeAuditPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSystemEnvironmentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeChangeNotifyPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeRemoteShutdownPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeUndockPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeSyncAgentPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeEnableDelegationPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeManageVolumePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeImpersonatePrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateGlobalPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe
Token: SeCreateTokenPrivilege	2208	VirtualBox-7.1.6-167084-Win.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2208	VirtualBox-7.1.6-167084-Win.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 2512	960	msiexec.exe	43
PID 960 wrote to memory of 2512	960	msiexec.exe	43
PID 960 wrote to memory of 2512	960	msiexec.exe	43
PID 960 wrote to memory of 2512	960	msiexec.exe	43
PID 960 wrote to memory of 2512	960	msiexec.exe	43
PID 960 wrote to memory of 1264	960	msiexec.exe	47
PID 960 wrote to memory of 1264	960	msiexec.exe	47
PID 960 wrote to memory of 1264	960	msiexec.exe	47
PID 960 wrote to memory of 1264	960	msiexec.exe	47
PID 960 wrote to memory of 1264	960	msiexec.exe	47
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 3020	960	msiexec.exe	48
PID 960 wrote to memory of 1612	960	msiexec.exe	49
PID 960 wrote to memory of 1612	960	msiexec.exe	49
PID 960 wrote to memory of 1612	960	msiexec.exe	49
PID 960 wrote to memory of 1612	960	msiexec.exe	49
PID 960 wrote to memory of 1612	960	msiexec.exe	49
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 960 wrote to memory of 2556	960	msiexec.exe	50
PID 1884 wrote to memory of 472	1884	DrvInst.exe	52
PID 1884 wrote to memory of 472	1884	DrvInst.exe	52
PID 1884 wrote to memory of 472	1884	DrvInst.exe	52
PID 2100 wrote to memory of 2444	2100	DrvInst.exe	54
PID 2100 wrote to memory of 2444	2100	DrvInst.exe	54
PID 2100 wrote to memory of 2444	2100	DrvInst.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
1⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
1⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
1⤵
PID:1820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=1460 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
1⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
1⤵
PID:1016

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1604 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:2
1⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=1364 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:1
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe
"C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.1.6-167084-Win.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1388,i,268427178292899125,17008093136944114292,131072 /prefetch:8
1⤵
PID:2368

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 1C71857DAA81C75EDE81153CB638A51B C
  2⤵
  - Loads dropped DLL
  PID:2512
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 2ED9274274A0FC4300338B765CA9A96C
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  PID:1264
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 49F5C2E1A3D0F329B28324C0D05EC0DC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3020
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding AD698649D9DB851D59BF51B2050F1CB7 M Global\MSI0000
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:1612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 42D779F1B1992771AD031827DC24B605 M Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:760

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000068" "00000000000003F0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2428

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{43711d41-affb-4410-6b82-c249e87f0d21}\VBoxNetLwf.inf" "9" "631e52bcb" "00000000000005B0" "WinSta0\Default" "0000000000000068" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c7240e0-7b79-4af1-479f-f10773afb55e} Global\{2a95f175-d916-7339-024a-b65ebd3e250a} C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.inf C:\Windows\System32\DriverStore\Temp\{123dcffc-b148-1ce4-0fff-1a585b004b4d}\VBoxNetLwf.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:472

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3fc1518a-d50a-5ff1-5d03-cd0316e7cc2f}\VBoxNetAdp6.inf" "9" "673b17b7b" "00000000000005B0" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3291b95c-ecb3-04e8-6c26-f15a697eb273} Global\{45f4d342-d615-43d1-1e5e-523f0f810f15} C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.inf C:\Windows\System32\DriverStore\Temp\{7af29a4b-6a83-7c2f-9929-cd670b1f4a12}\VBoxNetAdp6.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2444

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{39b7bdb0-9a93-53c7-097d-cd6e62b4cb5e}\VBoxSup.inf" "9" "6edacf3f3" "00000000000005FC" "WinSta0\Default" "00000000000005D4" "208" "C:\Program Files\Oracle\VirtualBox\drivers\vboxsup"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f788596.rbs

Filesize
718KB

MD5
a9f53389b0c84fec395f288ec7070e59

SHA1
15cde3f11c906282180810f118d9ff2f7211c6b4

SHA256
25ec09aac17c6d5402f1ce6ccd6383da417193c5eb67590f17fd3c9545546edd

SHA512
18cf9f7a6527611172e12d7707915ae00074caa33e2793ba5cb717565d622f42cee07bc5d80c27a92a97579c82a81ae282b3fccf757c846be6137ed623da832b

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netadp6\VBoxNetAdp6.sys

Filesize
240KB

MD5
bb13c7ae29af3d73e2e2326bd37ef752

SHA1
d2b5617fe2f2de0831d2ad0f6301e5cb88851261

SHA256
755120e64cec6673bf8ad2ed0cfb031dd71a31ab8fc063c1b26cc3a8b9198857

SHA512
6aa2a7c483dd205a6d0f667a5249f7eb23b45ee760de009400c208e73c21feda8d94ca428e4922303727e735a0f6026ddfd02bc419f2f280e68f2b55a93acf82

Download Submit
C:\PROGRA~1\Oracle\VIRTUA~1\drivers\network\netlwf\VBoxNetLwf.sys

Filesize
250KB

MD5
10ed4a0f400f1db09e258c99939f15c7

SHA1
4ed115fb4bece2aaf9b0d724330811cd2c7878b2

SHA256
b7d5361a58530add79cdce5544f41190196ea7b16b32c889627e8b5a61be8483

SHA512
a573233ca92ff878f79261bf7ebc10def90c0995c46527a2f5f3791f5e48cf54158c07af1e0d969ba4d196f182126ca2e4c9ab5a1464e6974b279a6038102a6b

Download Submit
C:\Program Files\Oracle\VirtualBox\VBoxProxyStub.dll

Filesize
936KB

MD5
dea158fd47abc3d173f6d8de13971372

SHA1
d42cdc78678744d4b23c338fe81e327c1d4d4abf

SHA256
701332a337b452e64a56bd7e1a1d7c76eb8b7fb7f6f63f74413866b7e2113980

SHA512
11f96f77dee048cf7a487334607d517ed3cb7ea0314f4daf719e361d9c6d0bc09c827081cfb6bb6403ecc174e5e6f4201e47c6c4ff186028380e0ac8240ddefa

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.cat

Filesize
10KB

MD5
552b5869498a21ebd60394c43855cd40

SHA1
936ffdd331ba58c7106b5e8f83788465150b1873

SHA256
10b6ae89e111003e4f8f4f1b53cc051aa4372e3705e23902df81e502891604a7

SHA512
06b70dd7ec315bd51567a1694e902fcb8cb697e27b3d588f8a0541c91152fb5ae035e5dc45e0d6628243e592288d9505b86df8fcf333d303d4bd41001f10b798

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netadp6\VBoxNetAdp6.inf

Filesize
3KB

MD5
7bd5968035e290fc975a3655d2a30c08

SHA1
f07a370d4734c9b332b35d26b4d16d7ae1ec17b6

SHA256
c1af8774a2b6c246a31b8c3f5185fff67a856c4f96d55c21b4d0587b34e4611b

SHA512
2da219b9fc716499b2d8fa62084c5039d61660bf4ea26e48599eb4d10d95b4ba408e8415a092307b5731cc1de9201bb000848f68d7e79f6b03da453e223253ac

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.cat

Filesize
10KB

MD5
9a7ea922dc84aff4eba3913b4e4baf7f

SHA1
0ac25dd63071e9f2018e30c96351975be3f91a66

SHA256
e2cd20ad1aa6650bb3bfb7a8eecaa3d8311cf367bb39b2b787a0857f9a0e53f6

SHA512
f1a4cbf81acf640a882e2c93e7443d8d607025c9f8e141fa93a8f0cbaf2c7b06f38ae567e06d58ad086809cbcfb419070f00e7f1ca0abfea5db884cdae9a8c54

Download Submit
C:\Program Files\Oracle\VirtualBox\drivers\network\netlwf\VBoxNetLwf.inf

Filesize
4KB

MD5
7da30975a6c38e9a0fe9676950f70033

SHA1
d0134da02edaf78b60143d9d6a310ab97137b709

SHA256
aee3b03ca632f7985c71c56d747ed61d0a83e8250f72c4e3cecaca43d6262cdb

SHA512
2ab29cfa41572e3b94680a298248d8d459da50d7f136ec1885a092f8c6550a6fbc5c0e256bdf42285cd7d9234f015d2a577e90989e8eeaa8f4a2780d69c87f01

Download Submit
C:\Program Files\Oracle\VirtualBox\x86\VBoxProxyStub-x86.dll

Filesize
684KB

MD5
a575376c0da3e58d68ddb30cf903af50

SHA1
5c82c307d82d57b51f365006b7935f952b0775b1

SHA256
ac2e8cda8c16350c20115774413245d2ef4fe2ee76aca73b2b3c47ad4add6116

SHA512
b16a1920b5c51df04e2adfeefbbdc523dfb99586a6e397c43f521fc7111b28416cb4b72052d00a7d2f6ea3f04ae6935f4536ba27a456dc714296940e2b557a2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
42cff42b997443cb256b1289a350b1b6

SHA1
651afb301d9acc6d9c7306060597e6a5c30625fc

SHA256
5a0156e23df8fc05add3ecbdc44fb33b70d86fd08dcafad7fbb37b2107bb629a

SHA512
6e50f0b49cabdc45f4b1609a0d388d0c5c544bd3e957951f23637a3059da8500d7e1afe8e8b76d9bacdc2cbb6f7516d2bdbffc09a7e6fbe3a16c4d8100214cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
727B

MD5
30d135e2903facc564d175c2b6e4044c

SHA1
5db057c161190338ffae691542cabe047fdd37e8

SHA256
4344543735255f395138e70373d859469b598f3c599c350249f9128dd81d812d

SHA512
df6337142a1187e0a049aa5866303783395d448aa6fa32fd3bddf07c23f01c343e361e81394ce36764b2e1e29b84e1a8b86068dd79a306180b77010c45176fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7ede1c2319349ee09eef9b918f848ee1

SHA1
907bc671d8865713c6c6758ab35d880bc195cd26

SHA256
0091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e

SHA512
673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
6c4dc00fd3cada904697c7d0d2cc90a9

SHA1
6be8276f41821a8fa5d143175f3f6502721474c9

SHA256
78b2ac20c69750226145018f2e06a0f0affecba3b197d25322f144ecfd6ed55d

SHA512
533528a8faef1a8a2fcda8fb82af090025c5c8e5419f543c1320d1887c267215c9f3c171cd37e04254689c72d69fb5bcba3ad6e77b35f64aeea3775fd4f17b0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D2F6556190F7B1A25A117FFB5467EEBD

Filesize
412B

MD5
fbe79bbbac43dabd5e2b4dc121cdec9f

SHA1
393b80c851b9cf6fb20e08e090e6606367004173

SHA256
78c4027cb98aa4d5d6850bdbc828c8108f40da746f7ea4c1416a5c6ac83fd541

SHA512
e13fb49a37a577355ca6851904081136104707e14d03fbe2e1d27d808e720f8d1a3cd1a3f581deb7ffae6690a5a9f7a157b6527e3538c2e29678f8ecc341b73c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57861c86a745f7470e89fd26b9cd6432

SHA1
8ae74c16388511828a6a762f3cbf2a396325cfe4

SHA256
8bb6ec5908d29855377a9ff387ba660f01b58da18d495a90d6492a02a46bc1a0

SHA512
6f7aadc67607a1d617d13961a7aec88a138d13e172390fbbcf4ed0b56ecc9b9bc9126b5df7743017fd34a607bbfa794f55a2f4bdfbd3ae8348bd803e393f2ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
08af6ecc9bc93049ce406a2f21c0b612

SHA1
817fb72adcb293b09347d97aa2147bbf6908de7c

SHA256
a05befae9b89bcaeff43dbb4e549fda8c4adb69b54cc075daa789f71b47cb9da

SHA512
80e6ff6ee047fdf7075b6972300f1e868373a60614698b1cf621e777469cb742fbc001d2ddda81f28b001ff7af911c69881f4c8db849bc8aa458f9a7d55a3b64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
933B

MD5
7ee3baa5245d29541c29b8c862b99aaa

SHA1
0d7dfb41f55bf84e9ccb802a96187fbb07e0cb6c

SHA256
3b2ac1abb0a3ba21fdd9f90d0efb4acd808eac1a3505cac9c9aee7bb0bd97ce7

SHA512
c50a94d2eecaeb2828759b82a91fa029a2bfad0184db413fc0617302b910256bd400b21318d7b759b496409895e4bee215efe8ef0d540fd9709361151300565c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6BC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI71BD.tmp

Filesize
476KB

MD5
39f6c48493b5225bae95cdb52c8bf69d

SHA1
f54e11158d71068dc61f2c3c2a9db471ecdfcadd

SHA256
55dcfb4404fd2a7ce72dabc23d856f7529f7ed4359e1af19eca2619c2bf840cd

SHA512
0c5a07e45ba250e253e5ec3fb87c191e9de46027ee1f8ff5fae4be0a4c0e8a7aac48f64d6fb12dfbdd1b77ee93b5c6740e36a5a90e6ff817dd5f18e3fe3bdd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F4C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSI94B7.tmp

Filesize
330KB

MD5
ac831c25bc16a05ee60aea5d79517434

SHA1
4946133e7fac34315a0ccaa30ca8ad383d5f0140

SHA256
947f8fd98efb1986df32a9c179eccf720376721798cc15d4cf9e31cdb8324869

SHA512
72f625386a7af35b58bdb70f35b8a29cd06c091f04e4cc2f9c7ec1c1ec194e4fb120b5528b55ed589c9daa890c1bdf8762dce1e17dd69a77ec7a002d2685ba5b

Download Submit
C:\Windows\System32\DriverStore\FileRepository\vboxnetlwf.inf_amd64_neutral_9855768fcc4a8263\vboxnetlwf.PNF

Filesize
9KB

MD5
667276dab6d500ca19b865f648a53d96

SHA1
a3aecca5cef5f2dc4b9b31b7282a9242ea49b826

SHA256
277bb1dd365972a94524549ce1152d5323bb4d8bacb886c40f03d55e45587cb0

SHA512
0efe6e86e2fbb3962d4ff0f879c9d807cf3bb821becfd25a5d1aa1699144befff0e66ef828294914e680fcc05d11cfd571c5171f340d1b81f5234adb32bcf6ba

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
35a717ecab29b165dc7dbf0b1be15b5e

SHA1
3dfc969fcb9e77a715dc75fda25651cce066d0c2

SHA256
addf5b47c3bf6cbb3fe82fefe84eccd544b187309e1569ee4910291e68991d84

SHA512
cab2cc2d5dfa3ed7700cc1a7b351109e0a38ddd69a707e67cbce3917f6b3a1881c0d57a3f419cb34962a3a23dce1db5f0a4f71fdec21d13e700ab0e1e3a81043

Download Submit
C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE24.tmp

Filesize
10KB

MD5
616622190cbd26c6297e711002db9a18

SHA1
3ae814e574c3e1f7e1a47b74d409d76dbfcc7c04

SHA256
338534cc66c824995a299888caea8dc83de179e88f22e9a037dfd7c399a66ea2

SHA512
cc574a02c278f96b9bb45cbc9164b77e4b66341eb2f2b8cb1870590735b2d5ee13fbf0de96f85309a544c7a88b50453830db50c25a4c73cd843ba4d0d9772c2e

Download Submit
C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE25.tmp

Filesize
2KB

MD5
59048a0500cb88084655b38de2a3097f

SHA1
014f0f333df2fac12045fb89ce1042f3352241c4

SHA256
c3c0f8172fee9aeeff7d4ac43af0b0b9357f2f119b53c70377f015168586c546

SHA512
cb596dc5048d09186b011ea4a314b7355c2191fff0cae929ebaa919294ed17041006ae575122d7191bfa3572c4da3f75e109d10cbc847e48121de0ef2761b9c0

Download Submit
C:\Windows\System32\DriverStore\Temp\{7cd139e7-af9c-05b0-5d9d-661a7f568e71}\SETE26.tmp

Filesize
1.0MB

MD5
9b7cdaa9dfa551282134f4e75074f702

SHA1
e05035fcfe2369000a0264ab1c7eac9c40ecbb5c

SHA256
decc9f7c751ded1aaddc3528dd545837a2a2994c415e983f30a6af1747ac3acf

SHA512
7da4fe862ce314548977672494391370045b80c6bd38f74f82e1f39a88143f93b36c1c06feeca4668a4e29ad60ff73e5f615fd61c6b514bdd902042ab7698af2

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
9KB

MD5
834da9911ab6cc4846d0c277d8e8cfb3

SHA1
73d982ae07378a573fad645d2daff5fea0a2fcbc

SHA256
7954f9f456b12ebaee26aac8744e20bf1846ea1653f79c10d888546e12ae283d

SHA512
02235165aab39f56249315ee201a1f90a3bce10276df0480da004cda8d3a412486ce87377f07f0af4816ffb7b18488ec69b63557e7c9e9f2fb9b90fda3fd2a9f

Download Submit
memory/1612-394-0x0000000000220000-0x0000000000246000-memory.dmp

Filesize
152KB

Download