Analysis
-
max time kernel
37s -
max time network
43s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
-
submitted
31/03/2025, 15:36
General
-
Target
is4_aisi_ooo.msi
-
Size
244.8MB
-
MD5
d6051404c4089adbd54b3c0b82e39fb2
-
SHA1
cbe196a0e69582541e5ae797ff0138507c0eaf90
-
SHA256
881ccaa5625ca03bb22d68a74bc7f05a6b025378bd57ec28f3ca25623aa70443
-
SHA512
2657d0ba4557a60a320b93b4e3be2fa271b0447c119691937bf87452d8acc11498b452723a7982f5e22bea41368fe0c453067e4fb39ba4fc33a9697300603be5
-
SSDEEP
3145728:m0MHQUMwm4dKteU+LRXLJNXCbzyYxKhqz6mmB5DM7qXN5nDMTBPOEu2ZZExR7gqZ:gFsMMzhaWOXbDMTBPFTKeSQUztlK8
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 15 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 14 IoCs
-
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 23 IoCs
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\is4_aisi_ooo.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9392315B57ACF02A00FAE63884ABDBC8 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\8.exe"C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\8.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-12281.tmp\8.tmp"C:\Users\Admin\AppData\Local\Temp\is-12281.tmp\8.tmp" /SL5="$600D8,24380645,791040,C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\8.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\88f6d8dec\32de380088\87f45776c\cef5a5f.exe"C:\Users\Admin\AppData\Roaming\88f6d8dec\32de380088\87f45776c\cef5a5f.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath 'C:\'"6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CA9B3FBFCBE0AE9C97C72E67C99EFD992⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Installer\MSIBD58.tmp"C:\Windows\Installer\MSIBD58.tmp" /EnforcedRunAsAdmin /DontWait /RunAsAdmin "C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015.exe"2⤵
- Executes dropped EXE
- Access Token Manipulation: Create Process with Token
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015.exe"C:\Program Files (x86)\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015\爱思助手_8.35_1741661015.exe"3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Event Triggered Execution
1Installer Packages
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
527KB
MD5c201c433168381bdea33da92d495a61f
SHA15b93850364c10b440918202d080d23bc6cf6e2b8
SHA25672694dafca4d0f960835e0592944edf88beab097720f0938ed39f3b705f6984d
SHA51220f7765de3716e6ba4a60cabdcc544eaaa2698e4bb1900e71706de835a4190f374c9ac15cc06eabace5dc8de545f0be6039882f04d2b59fb77825481c3eff612
-
Filesize
1.2MB
MD5d923bccdcf93676a608724bb1d8be627
SHA1b86457632e85fe811f096cdc48ca2f84a8eaa175
SHA256eb9501a1b62f4529375ba20a3b5245e4a9e247f05c397065fd0f919ab76cb066
SHA5125c6a855b7d448ac43db2224de358ff51352178e75bda6a037dbd0c47ed3c6f4b5dfa017e105d813b924d621ce3441da15ac5743e430823b43a6de7c879047048
-
Filesize
1KB
MD5a73bcc83dc2729d19d9d0e1eb36bbd96
SHA19d15df65438cab48d07ebe7e9359258ff1011423
SHA25629739779fd76b21175d4ea24d7ded3e057233127062d05c164b9ab4df9e11a3f
SHA512c37de466294c22c9b3ed6587c639a7d53ae6f5cc8d352931035885191a2fd329dae3ff28d1bdeb363c2c12243505584354acc5f88bb8e21da9c2942d03cacf03
-
Filesize
2.6MB
MD586e2b390629665fbc20e06dfbf01a48f
SHA1d9f4697a6f4eceea24735822cb1df501268ca0b0
SHA25646e31e284da64d6c2d366352b8a8abcf7db28d3e2a870d8fcf15c4a6fe0a6dd1
SHA51205ecd3be5779f39db09329dda4dce0e3c49ac5d3950e92833031622b53542dadbe9e2948df35faeb4c41dbc8e01992935087c4a2975c797bd008ae177f7c3fea
-
Filesize
195KB
MD530511278df0a734661a69fb14422e2b1
SHA1c2a7a6172576fab3deff5bb89c83ac16aabf66a9
SHA256760f9b88e96e73196de563b5bc43c306022c1dff1424b101fa70ecfb71b8d581
SHA512fa85f2eb4cbdd664eec1a94d0f880f10cb896d0fad874cb041081a90249b8c522554edef49b48fb1952d857b40184e9ce776ede28760504f1f7704d99fd09e21
-
Filesize
93KB
MD58101d596b2b8fa35fe3a634ea342d7c3
SHA1d6c1f41972de07b09bfa63d2e50f9ab41ec372bd
SHA256540bc6dec1dd4b92ea4d3fb903f69eabf6d919afd48f4e312b163c28cff0f441
SHA5129e1634eb02ab6acdfd95bf6544eefa278dfdec21f55e94522df2c949fb537a8dfeab6bcfecf69e6c82c7f53a87f864699ce85f0068ee60c56655339927eebcdb
-
Filesize
13.5MB
MD5d079006f0218c9c3244532d118554ec6
SHA15dde2d8ea017cbb0380a47d7a266969a48f3276c
SHA256ca6f7bdfc01bd870365af64f987f01f14f6ab6c273eabb1c41ada6c5987b0f50
SHA51270ffdafdc5dd940684844f56161e51d6147264d9a891535a4978e38e66130a3c0c140e83e6956cc73cf447dcae159a021c60ba840956301c377632f8155b7568
-
Filesize
411KB
MD5e3c817f7fe44cc870ecdbcbc3ea36132
SHA12ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA5124fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe
-
Filesize
755KB
MD5bf38660a9125935658cfa3e53fdc7d65
SHA10b51fb415ec89848f339f8989d323bea722bfd70
SHA25660c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA51225f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1
-
Filesize
22KB
MD511d00b701160c1244899bc1647e3b756
SHA1866c9acf31291a1459e6719dff2764af41eddde0
SHA25647be7f1aea7eba3fe98080713b1c4414ed5018aee75ee7f6453ae2ff95aa76c0
SHA512f1e8727fa33b70bd146d71aa782ef8000b6824c06b936b7584057ca77cd082a001398bc5ef2202e12b50bd86687f3a75ba3a6b028d14c7ae3d1a21d868cb756b
-
Filesize
185KB
MD5d512456777500dc13ef834ed528d3704
SHA190a32284052c3fe12c18afec9f7ff56735e2e34b
SHA256c515dd2a2e00765b5f651aae124a55d617b24777138019abc5a7001da7417561
SHA512babef929ac600c117967b42389623f352d219a466c484ae68ef3c9da9ff61555875ffb0dafc3e5eada6fb43d37f7afe74a6b6c73458a93ffb42819e1068c9a3b
-
Filesize
135KB
MD526b777c6c94c5aa6e61f949aa889bf74
SHA1f78da73388c86d4d5e90d19bb3bd5f895c027f27
SHA2564281c421984772665a9d72ab32276cfe1e2a3b0ebe21d4b63c5a4c3ba1f49365
SHA5128e02ce06f6de77729aefa24410cbd4bfba2d935ef10dcf071da47bb70d9c5e0969f528bdb3db5cab00e3142d7c573fcf66ea5eb4a2bc557229ad082c0eb1dbcc
-
Filesize
16B
MD5bcebcf42735c6849bdecbb77451021dd
SHA14884fd9af6890647b7af1aefa57f38cca49ad899
SHA2569959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85
SHA512f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78
-
Filesize
24.2MB
MD5dda73b25b28f24cacc5c15f5a722abad
SHA15fb833c1c6d36ee3cd1698fb7dc7f54dcb0f0483
SHA2567c1916f38a13873222f62cf04e82cbb5f80c0e4de7f1e36e5e2d0a2fda150a52
SHA512d4bc630819db8388cdcf603c8981b38a1761e04f0b8801b006a3024cbfeda77ea18414e2ee805a631a710c141cafc08fe3f8b0ae930a978324446bdb413823a0
-
Filesize
381KB
MD5891de63dad09d3f100263727297e9205
SHA1aeb1c23ab5014dca9d5208afe96585b40ac2a27e
SHA25696513f32d35ccdc3fe50eee2ee7b30836d1e5f09f73c13f151f13091464e0b50
SHA512f517dfecf4d89ed140a9e31ab6e02da64d32070660494f18ea3d8a62228c30d89822e24a86ff0112d42a8b5cb90bb5e4d3e34e83697cf4cca7224a24fe2c45e6
-
Filesize
828KB
MD57f335df3a986fe5e0ee5d482f309aea6
SHA1919c0c558eacc6ec0eefb053143034ebddc62aaf
SHA256f9b5641d0c863da052f8a42c075cc006768fcee9c67e6721571a795c25f42746
SHA512e18b68865514a03b52a3a76ffba62884ed10f0443774dd1647f8ecde71117fd5fbd9cc377a9a3c777366b205f8a88f9f9b4aa32df2ccdf26f0110d06253678e1
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.1MB
MD587976ad29ea73bf12531c3c781011ba8
SHA157b2a518649c495a4968b06198b70314882e8d3d
SHA2563014be80732ef44d277d889b2d3ca7f8da36c961305cc50837d7e3f37cb025bc
SHA5127b6366cc810ea7d6be5f2fac2648e4e6ce303af10c45207b05503dc023aa11f90b22951c6a446662996fe1d67fac6a99fa35ac34978407d57c3bb12fd028eae8
-
Filesize
28KB
MD5077cb4461a2767383b317eb0c50f5f13
SHA1584e64f1d162398b7f377ce55a6b5740379c4282
SHA2568287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64
SHA512b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547
-
Filesize
4.5MB
MD5587c13220a42912afc21563d4ea78d8e
SHA1fa4c3a45d2c49d8e5116eb7ba99093eb8b21f75a
SHA256364855303ab06b05663c0da1143f77bb73266087ffe12d9a78d4e1d771053cbe
SHA512f561a48d74e0044791974b58c800e82dfe0150e23cd8f1d2edb70f3075730970749c1cec95010d30428db3614b0f2cc271ead64b53033472e47216db5988cc4d
-
Filesize
3.8MB
MD58dfec12f7de2900a247b64289cbf6167
SHA1d19eb3de87372a18c59321f57a375dee6ee602fe
SHA2569bb6bbffb74fd7abc469e71f25038275e0cb6cff8f54b5c0d2a03ec20883c4ed
SHA512a71b1752e2391a164d661a8c1c96a2247446d77ba64138fd875ba889f4c91e9f3332bbe9e42b630d44305f3fa60cbd1a22c405dad82296e355bbdde30ebcca28
-
Filesize
5.2MB
MD5ae6606fed056b9e6caf8062e032b8baf
SHA181fb684befd51422c3b1dc726a99be6a108ddd74
SHA256d8e57a22ee61481be9ab382371b474bf155f9e481f42d63829c8282dc81caf38
SHA512f100ff86ab61cb00e10cc720452ca777915d83027f1d0aa35b8b97fa70b5e5d1475b02ba4edf30c1ad09d0864aca054eb2ff755e6937369e629ae4ec3110cc7d
-
Filesize
566KB
MD5a62a22c33ed01a2cf362d3890ffa70e1
SHA1ea3f55d92cdcb788876d689d394ec3225b1d222c
SHA256003da4807acdc912e67edba49be574daa5238bb7acff871d8666d16f8072ff89
SHA5127da909a6c5dc26631fec8a382d5cb677d3aabf5b5c4e98b545c120685f879adcef8cc98e7bf74d37f7fc24b0f18999780d70aa28061f50adf6b28f19ce06930a
-
Filesize
11.9MB
MD56bacab6ba150d9a96c2874bc5edb2940
SHA1ec8f332572336f9f1ef91f308e3e38c2590aa91d
SHA2563c5f64d3e3336850a392762d9e1e0b5d4daf25c93521d63eb4eb01b72c88a32f
SHA51220da1589813925f691c308b24316d0dc5743e50ad0494f4545a672cd447ad20c9c804ae688d92738851d46fcb6bb31d193b289f944227f0f90bb6a873f75db59
-
Filesize
177KB
MD55c28edd460f4a3496e1c9455a2969a39
SHA1811b24ac3ef5fe52c1b7370e4026173219714dcc
SHA256e94dce32639f2463b2a07d3136de442548349aafdbdc75cb6ceba645b6b7f67d
SHA5128c5a10e76ca5cbf1f0b088219ea427f92d81e17edcea565746b4b96550160764dcba140c699a68635cf8173eaeb192e983410da05a8b0587b4d119e852bd7c9c
-
Filesize
106KB
MD54585a96cc4eef6aafd5e27ea09147dc6
SHA1489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286
-
Filesize
48KB
MD57e668ab8a78bd0118b94978d154c85bc
SHA1dbac42a02a8d50639805174afd21d45f3c56e3a0
SHA256e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f
SHA51272bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032
-
Filesize
256KB
MD53c26bd5fb72f26acbf8ac8e7bfcc16c7
SHA1f400c0889c1b198b36e21122eb14a0522efe4942
SHA256f2130305e7b6347f6736ae53de21a2d5e0ecea05f323b7fd69fdf23fa632a021
SHA51233749c29ddd2d77e325a56bd3b16322caffe0aa1d8130362e642fe2e4cd85e8cc571e07959bd438527e3c5fadd73980221cb4ad534700e9a3a01bac82d423cab
-
Filesize
223KB
MD502b218d6bb699ae250e15fb515ae8c9d
SHA1aeb71f59491707ec19b45f05a722f3bf643c658d
SHA256ca0609897eedfd0b115e6dc7c0dadc0bc40eb13c7812db83aa5a073891bdcd6b
SHA5127f17cab9c7c2262b385a0ff9356abeee337ed8fe5a420324bf5251e87d51713386bbb51d9e7ab4d6ced5aaf05a404d779fef353895ddda034b4c80241ff0c17a
-
Filesize
373KB
MD539f8351aefd7d48a3219e1729ebb746a
SHA150502cd12ebab12a256c1bbcdd6def1b59cd3c80
SHA25691ebf39eaea8be759c5f639f70984f40586347e2200b1905cee583b2755fd453
SHA512ef44ab39bea5334037ee848bea2a862d9b8caa44f2d82b49e856cb5f4aa4f3fd8adf689c57b6496e2451ac7d5c521432ad5a2d46a30b3d94070f6c4f9da9e33f
-
Filesize
517KB
MD5028c9c708d810aba9603b63a8283d014
SHA1ed4724e84c4ceb6a1619d34cc06369a1ab4d3d7d
SHA25667504c94e46e70980cc5bbc0ea926e01fbd6116560304029261e2455004dc098
SHA5129262da976a064732f8d12301d178d65d6df90c195937ff6e882c9de781d2ecabc3594cd71a1490b5c69b1c85da3c8bac8e4cee080f1055bcf51e50318f9e8d5f
-
Filesize
828KB
-
Filesize
828KB
-
Filesize
3.2MB
-
Filesize
136KB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
