b1fa0c62e07f9ad0a625fd1474a197c1d687b985714c3d697981f5fbe4993266

Analysis

max time kernel
128s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-02-2025 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EchonexMeets.exe
Size

5.2MB
MD5

521706693511fdecdb0d9052a50ae5fc
SHA1

94214094c8c7c16fb4afc0947a47a386366f4e81
SHA256

b1fa0c62e07f9ad0a625fd1474a197c1d687b985714c3d697981f5fbe4993266
SHA512

ea9608a78e1363b73174c2a3a0732e98fca9e358949e64bfdd7d4dcd9c0a6ccdc2214033dc59cb2c658cc364c172e791233654b3ecf6a1e0cf351b16749f9b74
SSDEEP

98304:PE+JqHlyDS/KzOYH8t9WB2XPzvSXIXf/a+dab7jgOnXTzKqCUvsARxefha5:PE+JqHlyDSixHM9WB4zEHhnXTetUTeC

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
9	1992	MsiExec.exe

Loads dropped DLL 11 IoCs

pid	Process
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
2504	EchonexMeets.exe
1992	MsiExec.exe
1992	MsiExec.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	1992	MsiExec.exe
11	1992	MsiExec.exe
12	1992	MsiExec.exe
14	1992	MsiExec.exe
16	1992	MsiExec.exe
18	1992	MsiExec.exe
19	2204	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	EchonexMeets.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	EchonexMeets.exe
File opened (read-only)	\??\Y:	EchonexMeets.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	EchonexMeets.exe
File opened (read-only)	\??\G:	EchonexMeets.exe
File opened (read-only)	\??\T:	EchonexMeets.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	EchonexMeets.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	EchonexMeets.exe
File opened (read-only)	\??\I:	EchonexMeets.exe
File opened (read-only)	\??\Q:	EchonexMeets.exe
File opened (read-only)	\??\U:	EchonexMeets.exe
File opened (read-only)	\??\X:	EchonexMeets.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	EchonexMeets.exe
File opened (read-only)	\??\Z:	EchonexMeets.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	EchonexMeets.exe
File opened (read-only)	\??\K:	EchonexMeets.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	EchonexMeets.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	EchonexMeets.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	EchonexMeets.exe
File opened (read-only)	\??\B:	EchonexMeets.exe
File opened (read-only)	\??\J:	EchonexMeets.exe
File opened (read-only)	\??\N:	EchonexMeets.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	EchonexMeets.exe
File opened (read-only)	\??\I:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EchonexMeets.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	EchonexMeets.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	308	msiexec.exe
Token: SeTakeOwnershipPrivilege	308	msiexec.exe
Token: SeSecurityPrivilege	308	msiexec.exe
Token: SeCreateTokenPrivilege	2504	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2504	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2504	EchonexMeets.exe
Token: SeIncreaseQuotaPrivilege	2504	EchonexMeets.exe
Token: SeMachineAccountPrivilege	2504	EchonexMeets.exe
Token: SeTcbPrivilege	2504	EchonexMeets.exe
Token: SeSecurityPrivilege	2504	EchonexMeets.exe
Token: SeTakeOwnershipPrivilege	2504	EchonexMeets.exe
Token: SeLoadDriverPrivilege	2504	EchonexMeets.exe
Token: SeSystemProfilePrivilege	2504	EchonexMeets.exe
Token: SeSystemtimePrivilege	2504	EchonexMeets.exe
Token: SeProfSingleProcessPrivilege	2504	EchonexMeets.exe
Token: SeIncBasePriorityPrivilege	2504	EchonexMeets.exe
Token: SeCreatePagefilePrivilege	2504	EchonexMeets.exe
Token: SeCreatePermanentPrivilege	2504	EchonexMeets.exe
Token: SeBackupPrivilege	2504	EchonexMeets.exe
Token: SeRestorePrivilege	2504	EchonexMeets.exe
Token: SeShutdownPrivilege	2504	EchonexMeets.exe
Token: SeDebugPrivilege	2504	EchonexMeets.exe
Token: SeAuditPrivilege	2504	EchonexMeets.exe
Token: SeSystemEnvironmentPrivilege	2504	EchonexMeets.exe
Token: SeChangeNotifyPrivilege	2504	EchonexMeets.exe
Token: SeRemoteShutdownPrivilege	2504	EchonexMeets.exe
Token: SeUndockPrivilege	2504	EchonexMeets.exe
Token: SeSyncAgentPrivilege	2504	EchonexMeets.exe
Token: SeEnableDelegationPrivilege	2504	EchonexMeets.exe
Token: SeManageVolumePrivilege	2504	EchonexMeets.exe
Token: SeImpersonatePrivilege	2504	EchonexMeets.exe
Token: SeCreateGlobalPrivilege	2504	EchonexMeets.exe
Token: SeCreateTokenPrivilege	2504	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2504	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2504	EchonexMeets.exe
Token: SeIncreaseQuotaPrivilege	2504	EchonexMeets.exe
Token: SeMachineAccountPrivilege	2504	EchonexMeets.exe
Token: SeTcbPrivilege	2504	EchonexMeets.exe
Token: SeSecurityPrivilege	2504	EchonexMeets.exe
Token: SeTakeOwnershipPrivilege	2504	EchonexMeets.exe
Token: SeLoadDriverPrivilege	2504	EchonexMeets.exe
Token: SeSystemProfilePrivilege	2504	EchonexMeets.exe
Token: SeSystemtimePrivilege	2504	EchonexMeets.exe
Token: SeProfSingleProcessPrivilege	2504	EchonexMeets.exe
Token: SeIncBasePriorityPrivilege	2504	EchonexMeets.exe
Token: SeCreatePagefilePrivilege	2504	EchonexMeets.exe
Token: SeCreatePermanentPrivilege	2504	EchonexMeets.exe
Token: SeBackupPrivilege	2504	EchonexMeets.exe
Token: SeRestorePrivilege	2504	EchonexMeets.exe
Token: SeShutdownPrivilege	2504	EchonexMeets.exe
Token: SeDebugPrivilege	2504	EchonexMeets.exe
Token: SeAuditPrivilege	2504	EchonexMeets.exe
Token: SeSystemEnvironmentPrivilege	2504	EchonexMeets.exe
Token: SeChangeNotifyPrivilege	2504	EchonexMeets.exe
Token: SeRemoteShutdownPrivilege	2504	EchonexMeets.exe
Token: SeUndockPrivilege	2504	EchonexMeets.exe
Token: SeSyncAgentPrivilege	2504	EchonexMeets.exe
Token: SeEnableDelegationPrivilege	2504	EchonexMeets.exe
Token: SeManageVolumePrivilege	2504	EchonexMeets.exe
Token: SeImpersonatePrivilege	2504	EchonexMeets.exe
Token: SeCreateGlobalPrivilege	2504	EchonexMeets.exe
Token: SeCreateTokenPrivilege	2504	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2504	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2504	EchonexMeets.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2504	EchonexMeets.exe
2204	msiexec.exe
2204	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 308 wrote to memory of 1992	308	msiexec.exe	31
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 2504 wrote to memory of 2204	2504	EchonexMeets.exe	33
PID 308 wrote to memory of 2112	308	msiexec.exe	36
PID 308 wrote to memory of 2112	308	msiexec.exe	36
PID 308 wrote to memory of 2112	308	msiexec.exe	36

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe
"C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets 7.4.3\install\B57F050\EchonexMeetsRedist.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1739970636 "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C78E24A7C9DC34038C33A3E9F39FC0FC C
  2⤵
  - Downloads MZ/PE file
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1992
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 308 -s 900
  2⤵
  PID:2112

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2124bd5e1f40dc039ef1dd7395d713a

SHA1
356ac3d703e120b7594e6014f6d6ad9ee0114598

SHA256
541967e5c657dcfbd02b227b106c14448fbde38c7aba0771fcb289a516f317e5

SHA512
b05ea37541d9276c7e60db703ba02efeb1e373ad8fb205bf4a586824f36da90050b7ef838da31bf86624225d7fa49bf4b83ccb29fc55dc32eec3613ad70cfebc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c6c011fef728f503a18d86667e8e73a

SHA1
5c1a49392b308a1668210bc49417063a61bb4a83

SHA256
fb4094297b4d8850d83c19330ab5139b052357dbeb44b7722143d2b28bc6c898

SHA512
879ebe43c71fe9b68bed1ce7a412d094a0ed5761fd20a7c2562cf072e76b6cff4edea1e6e3e1524f41546fe2d45e9e2e3e426c5b1b6014cafc638b9ecbb8375a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
23ff54d97b1d1232c735cfc42ca7ddf9

SHA1
13a8fd250d8b94e3ec3bcf23ad8dfc22ff10c9ed

SHA256
d5a968c498c36e9dd67f7d63dfbc6f0f43dd98e89ffb195a155f49837315fc06

SHA512
44ba44630f992323b9d4381eaefbcbe68e5145ff12effd26109b4148cc967bceef45fb1d2c3ade41c8e13dec939cdce0a75a6b707159a398aa97b7f4da88c540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab85A6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI88A3.tmp

Filesize
1005KB

MD5
0606e1a2fe0d72593405cafeb945c740

SHA1
641e8cfea8d2203d3127b49939b1ed5f1c97dc9e

SHA256
7b3a4e3e3f58fa49164d49b14bc10c13a9d734846956c8a7a433c8bb6c82d983

SHA512
696152be48a1256c5eda545b8759671117a7b55e49723b437b6ee258a3b568b9440f1592e4abf4eb1aa878e960cc721bdbc55f2a48d77bb1b3315b75cc15946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8920.tmp

Filesize
894KB

MD5
713c5d0c1b98583f3638212f91f9b99e

SHA1
2845ae2516d94e05c8ae305b2f83a452a7e10117

SHA256
1a42e41b6c284aeb55d9ac8a28bc7fb50b98008d6a04464d73ebe8d200662ce0

SHA512
1cdfd877a950733a12506002a885364842883adfc589c6fb6d06b894848e256b017308dd0939523a82497e7f1b33e6552f0bd5b469727f7fc0290a3eb3915d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8693.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets 7.4.3\install\B57F050\EchonexMeetsRedist.msi

Filesize
4.4MB

MD5
3ed69057e89c33a66e3864ee4b508006

SHA1
1a8b887612d766cc1cb0e5228d9525690a70bfaa

SHA256
5ed795b676b9af0246622fc7758868632797618759451ab279f9dc52228529b9

SHA512
60066eb9595e73815aab8d237b76b3502698d1c893ca6a2202102376a62466bfbf59a8c65773c2a362a69c52432898d1849bd7896aa3c02016a53aceda8ccffe

Download Submit
memory/2504-0-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2504-249-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download