latrodectus | 9003415cc22d4e8b3c444ffcf84bb3f1c3a294d40d1f66329733edfc8472a7d2

Analysis

max time kernel
1200s
max time network
1199s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Form_Ver-16-46-33.js
Size

572KB
MD5

b1da07a445bfdf809306f5fe74e54d67
SHA1

3cec038e474050c290bdf4e670a36f482032ed68
SHA256

9003415cc22d4e8b3c444ffcf84bb3f1c3a294d40d1f66329733edfc8472a7d2
SHA512

728b321b98f45fc6cd1395ee5a34c1ee06ca17800c35ec1ee7f19ac3219aa8fc805140e6d0ecc25a638f8c815db541380d0651df2ff448121477ed3445bd6637
SSDEEP

6144:kMuyrXL4P/YsoZR3U52fYiGnh2xFpMp4/KJHaWTyFIXgBoEKnDmmzPvKYUNul8D7:kM/74PPitCt4XGlgJ5+Dk

Score

10^/10

latrodectus execution loader persistence

Malware Config

Extracted

Family

latrodectus

https://finjuiceer.com/live/

https://trymeakafr.com/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 3 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2952-163-0x000007FFFFF70000-0x000007FFFFF83000-memory.dmp	family_latrodectus_v2
behavioral1/memory/1352-170-0x0000000002AE0000-0x0000000002AF3000-memory.dmp	family_latrodectus_v2
behavioral1/memory/1352-171-0x0000000002AE0000-0x0000000002AF3000-memory.dmp	family_latrodectus_v2

Blocklisted process makes network request 32 IoCs

Processes:

wscript.exemsiexec.exerundll32.exe

flow	pid	process
3	2912	wscript.exe
5	2912	wscript.exe
8	2912	wscript.exe
11	2488	msiexec.exe
15	2952	rundll32.exe
17	2952	rundll32.exe
19	2952	rundll32.exe
21	2952	rundll32.exe
24	2952	rundll32.exe
26	2952	rundll32.exe
28	2952	rundll32.exe
29	2952	rundll32.exe
30	2952	rundll32.exe
31	2952	rundll32.exe
32	2952	rundll32.exe
33	2952	rundll32.exe
34	2952	rundll32.exe
35	2952	rundll32.exe
36	2952	rundll32.exe
37	2952	rundll32.exe
38	2952	rundll32.exe
39	2952	rundll32.exe
41	2952	rundll32.exe
42	2952	rundll32.exe
43	2952	rundll32.exe
44	2952	rundll32.exe
45	2952	rundll32.exe
46	2952	rundll32.exe
47	2952	rundll32.exe
48	2952	rundll32.exe
49	2952	rundll32.exe
50	2952	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

MSI35A7.tmp

pid process

1656 MSI35A7.tmp
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exerundll32.exe

pid process

2624 MsiExec.exe
2624 MsiExec.exe
2624 MsiExec.exe
2952 rundll32.exe
2952 rundll32.exe
2952 rundll32.exe
2952 rundll32.exe

pid	process
1656	MSI35A7.tmp

pid	process
2624	MsiExec.exe
2624	MsiExec.exe
2624	MsiExec.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\funeral = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\capisp.dll\", remi"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI35A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI26B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI348A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34AA.tmp	msiexec.exe
File created	C:\Windows\Installer\f7634d8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3576.tmp	msiexec.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

wscript.exerundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EF8D24D199E43EA4376C7CBD7E11C89544E02EE\Blob = 19000000010000001000000085001626422d39bb3fb35fe78eccef1e0f00000001000000200000009f0ecc0fbfd6267e25602f8d207620071e24d5f15855fe6713a9b998ab7f215a0300000001000000140000004ef8d24d199e43ea4376c7cbd7e11c89544e02ee1400000001000000140000002c613a4aeffddb28abab116a3fe57fddaa1f23482000000001000000f9020000308202f5308201dda003020102021002528667ff20db349f87355887ea47f8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531373031303030305a170d3239303531363031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dbffc5b2952720f253dad13a7485069377a1d3738f709ded5aca0c0a5809252d9379d9538c50099fd214bd48fe5ba960f7a2b2f77a5d883c36019dceaf0ef327b3876bb2eb4cbbf33f34b0bf9985b727b7559b75b541c85d219e92745b262ce8afe9a25cc295dcfbe66b190f8cb15eec20e24a18ee039170546e44dc98d59ce91bda588ebac6c0eede0b292229f8ebc887d844d2db959bebf7ddf6b2437f5c9b76e89f622e32b69ecd314ab57bab22f39f66e1ef7f86130ab118ec4b8e4aa7057cc1ec65eefb6042a04fab0f1fec60890c4ea80023afceb8cd87525d4b674b570bc7e7c64671ed28829eebd08c46a00e39e0484ca1a06b142d6ac790dc01a11f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142c613a4aeffddb28abab116a3fe57fddaa1f2348300d06092a864886f70d01010b0500038201010049861194d183ae75f6e2d3b4cab121116d0607a447585c9ea56e4f5aa6481dcbde3b382d144516371fb802e4f4320894b8dc4a7cbef099343d2edaf574a33d165ad7dcb13638f3769a9a91efe6e07d9059354b0189b9b53b0f9ccb6fb00179ae21d1bfc0f8abb04fd0528ce55dd8b45bbb6e8561af260d6a2b18f2585dab751bcc051d2beca850ea33b010e94828738f57ed280822a39b4078e453987e80b9e3173929ed7b9feac2e2cef1c1909afc4707278b60116808c1eaedba6691b36b5cdffda51353f0f103cdc0fcc383abc393dca03fef988c43feffd6f8ffebf80fb48c68b329d672c85e0ffe57be4b423f20010caa17f20df44a05264de2558a05d9	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EF8D24D199E43EA4376C7CBD7E11C89544E02EE	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EF8D24D199E43EA4376C7CBD7E11C89544E02EE\Blob = 1400000001000000140000002c613a4aeffddb28abab116a3fe57fddaa1f23480300000001000000140000004ef8d24d199e43ea4376c7cbd7e11c89544e02ee0f00000001000000200000009f0ecc0fbfd6267e25602f8d207620071e24d5f15855fe6713a9b998ab7f215a2000000001000000f9020000308202f5308201dda003020102021002528667ff20db349f87355887ea47f8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531373031303030305a170d3239303531363031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dbffc5b2952720f253dad13a7485069377a1d3738f709ded5aca0c0a5809252d9379d9538c50099fd214bd48fe5ba960f7a2b2f77a5d883c36019dceaf0ef327b3876bb2eb4cbbf33f34b0bf9985b727b7559b75b541c85d219e92745b262ce8afe9a25cc295dcfbe66b190f8cb15eec20e24a18ee039170546e44dc98d59ce91bda588ebac6c0eede0b292229f8ebc887d844d2db959bebf7ddf6b2437f5c9b76e89f622e32b69ecd314ab57bab22f39f66e1ef7f86130ab118ec4b8e4aa7057cc1ec65eefb6042a04fab0f1fec60890c4ea80023afceb8cd87525d4b674b570bc7e7c64671ed28829eebd08c46a00e39e0484ca1a06b142d6ac790dc01a11f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142c613a4aeffddb28abab116a3fe57fddaa1f2348300d06092a864886f70d01010b0500038201010049861194d183ae75f6e2d3b4cab121116d0607a447585c9ea56e4f5aa6481dcbde3b382d144516371fb802e4f4320894b8dc4a7cbef099343d2edaf574a33d165ad7dcb13638f3769a9a91efe6e07d9059354b0189b9b53b0f9ccb6fb00179ae21d1bfc0f8abb04fd0528ce55dd8b45bbb6e8561af260d6a2b18f2585dab751bcc051d2beca850ea33b010e94828738f57ed280822a39b4078e453987e80b9e3173929ed7b9feac2e2cef1c1909afc4707278b60116808c1eaedba6691b36b5cdffda51353f0f103cdc0fcc383abc393dca03fef988c43feffd6f8ffebf80fb48c68b329d672c85e0ffe57be4b423f20010caa17f20df44a05264de2558a05d9	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EF8D24D199E43EA4376C7CBD7E11C89544E02EE\Blob = 0f00000001000000200000009f0ecc0fbfd6267e25602f8d207620071e24d5f15855fe6713a9b998ab7f215a0300000001000000140000004ef8d24d199e43ea4376c7cbd7e11c89544e02ee2000000001000000f9020000308202f5308201dda003020102021002528667ff20db349f87355887ea47f8300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3234303531373031303030305a170d3239303531363031303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100dbffc5b2952720f253dad13a7485069377a1d3738f709ded5aca0c0a5809252d9379d9538c50099fd214bd48fe5ba960f7a2b2f77a5d883c36019dceaf0ef327b3876bb2eb4cbbf33f34b0bf9985b727b7559b75b541c85d219e92745b262ce8afe9a25cc295dcfbe66b190f8cb15eec20e24a18ee039170546e44dc98d59ce91bda588ebac6c0eede0b292229f8ebc887d844d2db959bebf7ddf6b2437f5c9b76e89f622e32b69ecd314ab57bab22f39f66e1ef7f86130ab118ec4b8e4aa7057cc1ec65eefb6042a04fab0f1fec60890c4ea80023afceb8cd87525d4b674b570bc7e7c64671ed28829eebd08c46a00e39e0484ca1a06b142d6ac790dc01a11f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604142c613a4aeffddb28abab116a3fe57fddaa1f2348300d06092a864886f70d01010b0500038201010049861194d183ae75f6e2d3b4cab121116d0607a447585c9ea56e4f5aa6481dcbde3b382d144516371fb802e4f4320894b8dc4a7cbef099343d2edaf574a33d165ad7dcb13638f3769a9a91efe6e07d9059354b0189b9b53b0f9ccb6fb00179ae21d1bfc0f8abb04fd0528ce55dd8b45bbb6e8561af260d6a2b18f2585dab751bcc051d2beca850ea33b010e94828738f57ed280822a39b4078e453987e80b9e3173929ed7b9feac2e2cef1c1909afc4707278b60116808c1eaedba6691b36b5cdffda51353f0f103cdc0fcc383abc393dca03fef988c43feffd6f8ffebf80fb48c68b329d672c85e0ffe57be4b423f20010caa17f20df44a05264de2558a05d9	wscript.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

msiexec.exeMSI35A7.tmprundll32.exeExplorer.EXE

pid	process
2488	msiexec.exe
2488	msiexec.exe
1656	MSI35A7.tmp
2952	rundll32.exe
1352	Explorer.EXE
1352	Explorer.EXE
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe
2952	rundll32.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

wscript.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeShutdownPrivilege	2912	wscript.exe
Token: SeIncreaseQuotaPrivilege	2912	wscript.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeSecurityPrivilege	2488	msiexec.exe
Token: SeCreateTokenPrivilege	2912	wscript.exe
Token: SeAssignPrimaryTokenPrivilege	2912	wscript.exe
Token: SeLockMemoryPrivilege	2912	wscript.exe
Token: SeIncreaseQuotaPrivilege	2912	wscript.exe
Token: SeMachineAccountPrivilege	2912	wscript.exe
Token: SeTcbPrivilege	2912	wscript.exe
Token: SeSecurityPrivilege	2912	wscript.exe
Token: SeTakeOwnershipPrivilege	2912	wscript.exe
Token: SeLoadDriverPrivilege	2912	wscript.exe
Token: SeSystemProfilePrivilege	2912	wscript.exe
Token: SeSystemtimePrivilege	2912	wscript.exe
Token: SeProfSingleProcessPrivilege	2912	wscript.exe
Token: SeIncBasePriorityPrivilege	2912	wscript.exe
Token: SeCreatePagefilePrivilege	2912	wscript.exe
Token: SeCreatePermanentPrivilege	2912	wscript.exe
Token: SeBackupPrivilege	2912	wscript.exe
Token: SeRestorePrivilege	2912	wscript.exe
Token: SeShutdownPrivilege	2912	wscript.exe
Token: SeDebugPrivilege	2912	wscript.exe
Token: SeAuditPrivilege	2912	wscript.exe
Token: SeSystemEnvironmentPrivilege	2912	wscript.exe
Token: SeChangeNotifyPrivilege	2912	wscript.exe
Token: SeRemoteShutdownPrivilege	2912	wscript.exe
Token: SeUndockPrivilege	2912	wscript.exe
Token: SeSyncAgentPrivilege	2912	wscript.exe
Token: SeEnableDelegationPrivilege	2912	wscript.exe
Token: SeManageVolumePrivilege	2912	wscript.exe
Token: SeImpersonatePrivilege	2912	wscript.exe
Token: SeCreateGlobalPrivilege	2912	wscript.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeRestorePrivilege	2488	msiexec.exe
Token: SeTakeOwnershipPrivilege	2488	msiexec.exe
Token: SeShutdownPrivilege	1352	Explorer.EXE
Token: SeShutdownPrivilege	1352	Explorer.EXE
Token: SeShutdownPrivilege	1352	Explorer.EXE
Token: SeShutdownPrivilege	1352	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exerundll32.exe

description	pid	process	target process
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 2624	2488	msiexec.exe	MsiExec.exe
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2488 wrote to memory of 1656	2488	msiexec.exe	MSI35A7.tmp
PID 2952 wrote to memory of 1352	2952	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Form_Ver-16-46-33.js
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\capisp.dll, remi
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A3A034F199D9C1ADDD56A7963376DE85
2⤵
- Loads dropped DLL
PID:2624

C:\Windows\Installer\MSI35A7.tmp
"C:\Windows\Installer\MSI35A7.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\capisp.dll, remi
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1656

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5234d09c7c4e82f8512344337f92139e

SHA1
b0becab9f3275448458e1c2cab4d11e896ef43f1

SHA256
819e6ed52b48791530f601bd8218463c3e5c56b300210a3ffe0c3aeefd71cf6f

SHA512
2065336fe5caa59d890f14529c147404c31fe7921ec437d0d773789fe2cd7f55c3998682f11b587218d217ca9432b5abee63d9435a8d7787b3866a1259c9a01f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
89a701583e7470695c66a0e34db877a6

SHA1
ae08916a7d3dce964e5268405a2b49510d128276

SHA256
ac82b8e0526ac1bc1fde79f897b1dfe2780f31627296ac3570dafd26c4f1d532

SHA512
95295e838a1d82358e83630323f448ced9b51db190df9ad58f43c3e30cdaa9c56a0478bd839fb6202dd39cccbb464b09116470a8ebedceea01317d1e994a6776

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1145.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\capisp.dll
Filesize
1.2MB

MD5
70b599f67e97cb878ca7be88e069a82d

SHA1
768f8a179fee1f13505c7b772e543b19b29b14c8

SHA256
9b7bdb4cb71e84c5cff0923928bf7777a41cb5e0691810ae948304c151c0c1c5

SHA512
163c8e0b2676a27f1781e9fdec3c9994ba828c0085b9fdff9df4dd0112da122a5d7f6ca597af396f99c2afadbe438e1ab967dfba34451ee4ba3c59cd244b4985

Download Submit
C:\Windows\Installer\MSI26B3.tmp
Filesize
1.8MB

MD5
3645512add0c8cb24a88d2ffe3fe7620

SHA1
66dbfe6ffc1918f51b28af1abf55df0d1beaefe6

SHA256
d71bfab9cca5df6a28e12ba51fe5eaf0f9151514b3fd363264513347a8c5cf3a

SHA512
85151258ccb3b590716aed87c4a6a24ba74931aab0b378e279d9ab510fce94dfd26632d8ba44975e8136b1a9cc6c190e64c8b223f5f5e4f5b9cb3c6fb4a9429c

Download Submit
C:\Windows\Installer\MSI33AF.tmp
Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI35A7.tmp
Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
memory/1352-171-0x0000000002AE0000-0x0000000002AF3000-memory.dmp

Filesize
76KB

Download
memory/1352-168-0x0000000002AE0000-0x0000000002AF3000-memory.dmp

Filesize
76KB

Download
memory/1352-170-0x0000000002AE0000-0x0000000002AF3000-memory.dmp

Filesize
76KB

Download
memory/1656-114-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/2952-158-0x000007FFFFF70000-0x000007FFFFF71000-memory.dmp

Filesize
4KB

Download
memory/2952-167-0x000007FFFFF30000-0x000007FFFFF31000-memory.dmp

Filesize
4KB

Download
memory/2952-159-0x000007FFFFF60000-0x000007FFFFF61000-memory.dmp

Filesize
4KB

Download
memory/2952-124-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download
memory/2952-157-0x000007FFFFF80000-0x000007FFFFF81000-memory.dmp

Filesize
4KB

Download
memory/2952-163-0x000007FFFFF70000-0x000007FFFFF83000-memory.dmp

Filesize
76KB

Download
memory/2952-156-0x000007FFFFF90000-0x000007FFFFF91000-memory.dmp

Filesize
4KB

Download
memory/2952-123-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2952-120-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2952-133-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2952-166-0x000007FFFFF40000-0x000007FFFFF41000-memory.dmp

Filesize
4KB

Download
memory/2952-165-0x000007FFFFF50000-0x000007FFFFF51000-memory.dmp

Filesize
4KB

Download
memory/2952-164-0x000007FFFFF60000-0x000007FFFFF61000-memory.dmp

Filesize
4KB

Download
memory/2952-162-0x000007FFFFF90000-0x000007FFFFF91000-memory.dmp

Filesize
4KB

Download
memory/2952-161-0x000007FFFFF40000-0x000007FFFFF41000-memory.dmp

Filesize
4KB

Download
memory/2952-160-0x000007FFFFF50000-0x000007FFFFF51000-memory.dmp

Filesize
4KB

Download
memory/2952-121-0x0000000000460000-0x000000000049E000-memory.dmp

Filesize
248KB

Download
memory/2952-172-0x0000000180000000-0x000000018013A000-memory.dmp

Filesize
1.2MB

Download
memory/2952-183-0x00000000004A0000-0x00000000004EC000-memory.dmp

Filesize
304KB

Download