1872989902227cb3f310cb389e4566cc8feb9a756c43dc08454795c5a14594f7

Resubmissions

25/03/2025, 05:15

250325-fxt6vs1ycx 6

12/04/2023, 01:53

230412-ca8tysae3v 7

12/04/2023, 01:41

230412-b39raagg39 7

Analysis

max time kernel
122s
max time network
120s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0133fc64c0bb7215aaa57c142357070d2d2f782039c3b4191786ad3fbd224cf.msi
Size

2.4MB
MD5

48ac303566e6f8c8f56c9472fb14d9d1
SHA1

e3d9786e86f26261beb2f98fc8f3e289f2f5286b
SHA256

a0133fc64c0bb7215aaa57c142357070d2d2f782039c3b4191786ad3fbd224cf
SHA512

88265ee72da76523617c23c232f4fc9d3a9a9425280193216487157b378837d5cc780157e30675d2b2ef5a442050b6288bc2a9db244e9557781b33d61d7385e3
SSDEEP

49152:T0uYUMV3eVougTDAFPsJ6ma8zotlmfwrgxMy+y29IAan6DrH4vLNgmUESIEjPMNs:TYUMV39hAlAfwrty04veHjPMNaG

Score

6^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIDE9D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c42c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC601.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e57c42c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3058.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c42b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC498.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC564.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC650.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26F1.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c42b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{33C5C8E4-A81F-4FDD-BD4F-351E66D38037}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D6B.tmp	msiexec.exe

Loads dropped DLL 24 IoCs

pid	Process
5312	MsiExec.exe
5312	MsiExec.exe
5312	MsiExec.exe
5312	MsiExec.exe
5312	MsiExec.exe
5312	MsiExec.exe
5312	MsiExec.exe
3004	MsiExec.exe
3004	MsiExec.exe
3004	MsiExec.exe
3004	MsiExec.exe
3004	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4800	MsiExec.exe
4052	MsiExec.exe
4052	MsiExec.exe
4052	MsiExec.exe
4052	MsiExec.exe
4052	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5520	powershell.exe
3564	powershell.exe
1388	powershell.exe
5536	powershell.exe
396	powershell.exe
2828	powershell.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1344	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7cf3f444b48aaeb0000000000000000000000000000000000000000000000000000000000000000000000000000000000001071020000000000c01200000000ffffffff000000002701010000883801b7cf3f440000000000001071020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d083020000000000c050e1000000ffffffff000000000700010000e84101b7cf3f44000000000000d08302000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000090d4e30000000000000005000000ffffffff00000000070001000048ea71b7cf3f4400000000000090d4e300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7cf3f4400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
476	msiexec.exe
476	msiexec.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
1388	powershell.exe
1388	powershell.exe
1388	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
476	msiexec.exe
476	msiexec.exe
396	powershell.exe
396	powershell.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
5520	powershell.exe
5520	powershell.exe
5520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1344	msiexec.exe
Token: SeSecurityPrivilege	476	msiexec.exe
Token: SeCreateTokenPrivilege	1344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1344	msiexec.exe
Token: SeLockMemoryPrivilege	1344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1344	msiexec.exe
Token: SeMachineAccountPrivilege	1344	msiexec.exe
Token: SeTcbPrivilege	1344	msiexec.exe
Token: SeSecurityPrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeLoadDriverPrivilege	1344	msiexec.exe
Token: SeSystemProfilePrivilege	1344	msiexec.exe
Token: SeSystemtimePrivilege	1344	msiexec.exe
Token: SeProfSingleProcessPrivilege	1344	msiexec.exe
Token: SeIncBasePriorityPrivilege	1344	msiexec.exe
Token: SeCreatePagefilePrivilege	1344	msiexec.exe
Token: SeCreatePermanentPrivilege	1344	msiexec.exe
Token: SeBackupPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeShutdownPrivilege	1344	msiexec.exe
Token: SeDebugPrivilege	1344	msiexec.exe
Token: SeAuditPrivilege	1344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1344	msiexec.exe
Token: SeChangeNotifyPrivilege	1344	msiexec.exe
Token: SeRemoteShutdownPrivilege	1344	msiexec.exe
Token: SeUndockPrivilege	1344	msiexec.exe
Token: SeSyncAgentPrivilege	1344	msiexec.exe
Token: SeEnableDelegationPrivilege	1344	msiexec.exe
Token: SeManageVolumePrivilege	1344	msiexec.exe
Token: SeImpersonatePrivilege	1344	msiexec.exe
Token: SeCreateGlobalPrivilege	1344	msiexec.exe
Token: SeCreateTokenPrivilege	1344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1344	msiexec.exe
Token: SeLockMemoryPrivilege	1344	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1344	msiexec.exe
Token: SeMachineAccountPrivilege	1344	msiexec.exe
Token: SeTcbPrivilege	1344	msiexec.exe
Token: SeSecurityPrivilege	1344	msiexec.exe
Token: SeTakeOwnershipPrivilege	1344	msiexec.exe
Token: SeLoadDriverPrivilege	1344	msiexec.exe
Token: SeSystemProfilePrivilege	1344	msiexec.exe
Token: SeSystemtimePrivilege	1344	msiexec.exe
Token: SeProfSingleProcessPrivilege	1344	msiexec.exe
Token: SeIncBasePriorityPrivilege	1344	msiexec.exe
Token: SeCreatePagefilePrivilege	1344	msiexec.exe
Token: SeCreatePermanentPrivilege	1344	msiexec.exe
Token: SeBackupPrivilege	1344	msiexec.exe
Token: SeRestorePrivilege	1344	msiexec.exe
Token: SeShutdownPrivilege	1344	msiexec.exe
Token: SeDebugPrivilege	1344	msiexec.exe
Token: SeAuditPrivilege	1344	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1344	msiexec.exe
Token: SeChangeNotifyPrivilege	1344	msiexec.exe
Token: SeRemoteShutdownPrivilege	1344	msiexec.exe
Token: SeUndockPrivilege	1344	msiexec.exe
Token: SeSyncAgentPrivilege	1344	msiexec.exe
Token: SeEnableDelegationPrivilege	1344	msiexec.exe
Token: SeManageVolumePrivilege	1344	msiexec.exe
Token: SeImpersonatePrivilege	1344	msiexec.exe
Token: SeCreateGlobalPrivilege	1344	msiexec.exe
Token: SeCreateTokenPrivilege	1344	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1344	msiexec.exe
Token: SeLockMemoryPrivilege	1344	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1344	msiexec.exe
1344	msiexec.exe
1728	msiexec.exe
1728	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 476 wrote to memory of 5312	476	msiexec.exe	83
PID 476 wrote to memory of 5312	476	msiexec.exe	83
PID 476 wrote to memory of 5312	476	msiexec.exe	83
PID 476 wrote to memory of 3100	476	msiexec.exe	94
PID 476 wrote to memory of 3100	476	msiexec.exe	94
PID 476 wrote to memory of 3004	476	msiexec.exe	96
PID 476 wrote to memory of 3004	476	msiexec.exe	96
PID 476 wrote to memory of 3004	476	msiexec.exe	96
PID 3004 wrote to memory of 3564	3004	MsiExec.exe	97
PID 3004 wrote to memory of 3564	3004	MsiExec.exe	97
PID 3004 wrote to memory of 3564	3004	MsiExec.exe	97
PID 3004 wrote to memory of 1388	3004	MsiExec.exe	99
PID 3004 wrote to memory of 1388	3004	MsiExec.exe	99
PID 3004 wrote to memory of 1388	3004	MsiExec.exe	99
PID 3004 wrote to memory of 5536	3004	MsiExec.exe	102
PID 3004 wrote to memory of 5536	3004	MsiExec.exe	102
PID 3004 wrote to memory of 5536	3004	MsiExec.exe	102
PID 476 wrote to memory of 4800	476	msiexec.exe	114
PID 476 wrote to memory of 4800	476	msiexec.exe	114
PID 476 wrote to memory of 4800	476	msiexec.exe	114
PID 476 wrote to memory of 4052	476	msiexec.exe	116
PID 476 wrote to memory of 4052	476	msiexec.exe	116
PID 476 wrote to memory of 4052	476	msiexec.exe	116
PID 4052 wrote to memory of 396	4052	MsiExec.exe	117
PID 4052 wrote to memory of 396	4052	MsiExec.exe	117
PID 4052 wrote to memory of 396	4052	MsiExec.exe	117
PID 4052 wrote to memory of 2828	4052	MsiExec.exe	121
PID 4052 wrote to memory of 2828	4052	MsiExec.exe	121
PID 4052 wrote to memory of 2828	4052	MsiExec.exe	121
PID 4052 wrote to memory of 5520	4052	MsiExec.exe	123
PID 4052 wrote to memory of 5520	4052	MsiExec.exe	123
PID 4052 wrote to memory of 5520	4052	MsiExec.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a0133fc64c0bb7215aaa57c142357070d2d2f782039c3b4191786ad3fbd224cf.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1344

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96DE129612301034DCB39ED9B9229356 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5312
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3100
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D34F33B7744B95CD8D5964A41B43A7AE
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC67F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC67C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC67D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC67E.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD605.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD602.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD603.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD604.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssDEE4.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiDEC1.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrDEC2.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrDEC3.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7594F315432A7B2D48503CB61DBE04EA C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4800
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5AE9BE421A128DEA7C83694DFBEEA70D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1D74.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1D71.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1D72.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1D73.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss271E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi271B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr271C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr271D.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss306A.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3057.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3058.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3059.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5856

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\a0133fc64c0bb7215aaa57c142357070d2d2f782039c3b4191786ad3fbd224cf.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
fe7adbdb9f7ddc58d22ca3615b652d95

SHA1
58435ea0d1a43cf35a6a8d674730cb2de889e9c4

SHA256
5dde1d7a8534cd3d60cdb66056b135c3cc715b7f324c8e095b0f8926573f8ecb

SHA512
11f3af6be330f4364decba02add76d30fa72e95f2aa7949de0697581a8cc17fe5600d14a59db5236b24157a58d73b5b1a3c20c7ef264dca9868895c60d56fc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
eb15ac2aa56a745840eb31d5a812ddce

SHA1
0d7530457dc0c8308d098c9ef9c5b058a21d83e9

SHA256
784597fde8d46833878a1ca9aaa93aec82c92f52b9fac6f22dcb3c60e294c9df

SHA512
e61d0747f72f7d5e6156cf7e1871b6f023cc4dbb3bd93dc2552b2bf1968761bd6338969e74a6446c6bfb21e6f41134dd4ba3346b482c2731a4153d3fb5aceff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8f1281a7e80014e0b8c2385662032276

SHA1
b5d3418cc482768ee22f81ec77db147718133bc0

SHA256
fceb74e87519539fd7804bf162881eb435fe1d407313c467b201bd2ff158aa33

SHA512
9afe69874d7a0b1449d13a3bc383314b0ddc1f47303fc32ddd2eea97c03bda99e382c39bc6d95b47f9e5e1dca3b4e0bd80136673a1b46e63c7da265b651b1bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
72f58a5229e8e19bad572124ff9df94d

SHA1
6e85d6175c344f17a13426eb2396423d65c8ba2e

SHA256
e08a8e910c9e487e4bd2a21c6d2bb54d534d05c129e2511f1c9ed8e9d0914841

SHA512
a27ec3d037fd36cb685cf2d36b204985922cf183f71b0c418ec500a7d196549f8f4471504468d6eb3ad5e7e60d5162412345b0d0efd8d8d4ac2c15bdd9dde58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
d25d315ae813169fd4c40e0ea8ff69b4

SHA1
e5b45ebe9018269c13b31a5025014974c7e96b97

SHA256
bc90c79d45bea872fc28108caead75f7a15630405b1f3996717a8e03cc9e2bea

SHA512
22aee21fd15943d127a3a9d6138048372b240aa5679303c19520d6f2654be0396ab685a02de5c59030995ff303ed417ad1a59b5013520a061d5763d156842236

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI66F7.tmp

Filesize
377KB

MD5
af61221c6f4e9ab3ac2440b25d751868

SHA1
094f68ff354ac4c8dbdfe4689cb821f8d25880b8

SHA256
1e587d8593152b2538da7bdcb13880c45d256e84baa7e94c00ec4de08ab018d8

SHA512
c695d101c761812c1805d8ee54b8fed73869d3680372368ec3de90dc25ab1c27aa08f771dc274854ba051e0afeb17827c01b17e2bed33cb87ff0bdc884f6b791

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI694E.tmp

Filesize
837KB

MD5
e76f80f8c9a51813813c351e35bf0755

SHA1
ec69253f3fd681d2829d60f3a14a48c779fabbb4

SHA256
87388281ef2eb907b4ad843c8bc0e3ec13dae903edfe53b29f78557588eb5161

SHA512
134a7be4012dc52763e5ac28eed7ce8e423a913f17449a672ce9f1192e69e5e00c62bce1f0374f76443832345eded1668f28fb9fbe7d287fc51dfdc199911dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pro1D75.tmp

Filesize
438B

MD5
cd080a1df65c4c345b8bcf6d9325502b

SHA1
a17f55a91758bbf29b076daf58094cb2f67c1883

SHA256
c049a446f6e1f0ce2ba6050038bd664b90ce144f73bac4678366b8a14a71ea75

SHA512
1cc595464bbde9d4a0d1b3759a28ee3538118e41d1ee9966627d3ce33402e3fae406c496223fde354eedaef59ef821bfe26b9ed43a264df0852c5e23c0ca2a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1rkjhr1o.1o2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssC67F.ps1

Filesize
5KB

MD5
9d4a3ae7392f70bd510b93da5335626e

SHA1
6377e034c1b14fdaca0966f49520f72651b26ed5

SHA256
f8b9fd8d05f80a6483811899e6a55128048df8971874848502acbf950ab6a678

SHA512
c2cb31a707ab998633b11cc018186704ac5773a2282249484cdccf48a92cafbb031e3bc453072608c861ed48f298bd67d1856bb1a54766a490ec4c78d3e62bc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC67D.ps1

Filesize
232B

MD5
fc6616b4cc1df80350fe254756b2388b

SHA1
314bdf4e96129f5daf6a02627c15d78c9187afe4

SHA256
29fd655b1b3850c6ee1b0f1783735e27f92f8cb6a8aa40bb8a0e4981c68f4c8c

SHA512
b641c209d6a203d1bed3bcf8197693a63a05233b1f4154385c31edaedb7f717238c702c404a57aba9c90a3e1e87b9c34064a9401f02779380db80c4278a5c91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrDEC2.ps1

Filesize
540B

MD5
12c25e6b5c03361911c334b8e08dcd4d

SHA1
774dabb5242e7a2a3b69cc063571532e44226075

SHA256
e922f7f638f3fe209f15d0b9a041aeac9bfcc633b10dd61013375a535d9466c3

SHA512
b6bd27bc93246b287744fc61c3dce9e47ddd77036e88a448fc2af4041d57636fcaeb089b23d28d4ec480d593f6515bae6c53bb8a4ccc46c0410a63b5b5568943

Download Submit
C:\Windows\Installer\MSIC650.tmp

Filesize
622KB

MD5
d379b9daf6ede2adb807977361e51a75

SHA1
3f4c714c20d3bae8dcf0ba7505d434fee6c6b9e1

SHA256
f16b55942f25331baf246b43cacd510de96019a6838532b61de59bf35b56dcc4

SHA512
7cd492264a936a9fd04c549e58351f1516609c4f88502fdabe5db821f5fb8292e4d962d62a77f5f121d51058a3f22b016a68d259aebd6d48acf9b5039f604cf1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.0MB

MD5
05fb13863daf5ed5e391573b2c78b0b2

SHA1
cc03e831a361f66cc60357d894a0ca13fe30e8bd

SHA256
224ea5fb94ba27268d80b463d81cfd87891e15a8b95116331a908370b7e0750e

SHA512
0158f8d059136e7b0b0810e128b7e4f1fcee12b11ff440875a766e42d7a9e7a4af2d207bae1f1247715573a73a8fa9b6be758803c719e0c5b8ede52bb61faae0

Download Submit
\??\Volume{443fcfb7-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{586aac68-05eb-43b8-bc60-8e22fac8acce}_OnDiskSnapshotProp

Filesize
6KB

MD5
ec301b02abd2e70c4c5c4d2ff3b93066

SHA1
d59a2dcfca253a9c5d7f9508393fe8a61fcd2183

SHA256
5a2008927163285134bf70b0e0e8d1543beafc1fc76effc09447afa19e420d1c

SHA512
802751a0ceba6943c76715d2ec74666832eacc95f85bc46ac6290c18d3da1b37b03b4fc544fea1fa5e1c7a90f73414e99372cc335261fb94228d41f5749a48ef

Download Submit
memory/396-190-0x0000000005AF0000-0x0000000005E47000-memory.dmp

Filesize
3.3MB

Download
memory/1388-96-0x0000000005CA0000-0x0000000005FF7000-memory.dmp

Filesize
3.3MB

Download
memory/3564-53-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/3564-66-0x0000000005D10000-0x0000000005D5C000-memory.dmp

Filesize
304KB

Download
memory/3564-71-0x00000000074E0000-0x0000000007A86000-memory.dmp

Filesize
5.6MB

Download
memory/3564-70-0x0000000006BB0000-0x0000000006BD2000-memory.dmp

Filesize
136KB

Download
memory/3564-69-0x0000000006190000-0x00000000061AA000-memory.dmp

Filesize
104KB

Download
memory/3564-50-0x0000000004640000-0x0000000004676000-memory.dmp

Filesize
216KB

Download
memory/3564-68-0x0000000006C50000-0x0000000006CE6000-memory.dmp

Filesize
600KB

Download
memory/3564-72-0x0000000008110000-0x000000000878A000-memory.dmp

Filesize
6.5MB

Download
memory/3564-65-0x0000000005C20000-0x0000000005C3E000-memory.dmp

Filesize
120KB

Download
memory/3564-64-0x0000000005630000-0x0000000005987000-memory.dmp

Filesize
3.3MB

Download
memory/3564-54-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/3564-52-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/3564-51-0x0000000004D50000-0x000000000541A000-memory.dmp

Filesize
6.8MB

Download
memory/5536-120-0x0000000005910000-0x0000000005C67000-memory.dmp

Filesize
3.3MB

Download