Resubmissions
29-06-2024 08:55
240629-kvv3laxdmn 628-06-2024 08:26
240628-kb466azdng 728-06-2024 04:33
240628-e6m88s1fkc 6Analysis
-
max time kernel
1669s -
max time network
1685s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-06-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
chromeremotedesktophost.msi
Resource
win11-20240508-en
General
-
Target
chromeremotedesktophost.msi
-
Size
20.5MB
-
MD5
5f259c755b3dcbbbbc27f9513cddac61
-
SHA1
0e672bad7b67cc1f234b265f3af21976935c4903
-
SHA256
9cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
-
SHA512
4c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3
-
SSDEEP
393216:CQzX7/PFKRpAvIpgY6KKsIHNHSHY7nTMkJ5K6cOomwZCtgO5gAkUmZbXF:tzX7/cTHAK1uASTMkboRCtgO1kUmZbX
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Drops file in Program Files directory 17 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_assistance.json msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_assistance-firefox.json msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\CREDITS.txt msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_webauthn.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_start_host.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_desktop-firefox.json msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\icudtl.dat msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_open_url.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_security_key.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_host.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_desktop.json msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\com.google.chrome.remote_webauthn.json msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_assistance_host_uiaccess.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_core.dll msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remote_assistance_host.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_desktop.exe msiexec.exe File created C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\remoting_native_messaging_host.exe msiexec.exe -
Drops file in Windows directory 21 IoCs
Processes:
msiexec.exeMsiExec.exedescription ioc process File opened for modification C:\Windows\Installer\e580dd6.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIFF9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1B1A.tmp msiexec.exe File created C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico msiexec.exe File created C:\Windows\SystemTemp\~DFEF4C2F177B5C26C7.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI12AC.tmp msiexec.exe File created C:\Windows\Installer\e580dd8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1BC6.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF31BA556B9EA427A8.TMP msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46} msiexec.exe File created C:\Windows\SystemTemp\~DF08EA730102F295EF.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI1019.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI10A8.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF0360571D0ED2FA28.TMP msiexec.exe File created C:\Windows\Installer\e580dd6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1068.tmp msiexec.exe File created C:\Windows\Installer\wix{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}.SchedServiceConfig.rmi MsiExec.exe File opened for modification C:\Windows\Installer\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\chromoting.ico msiexec.exe -
Loads dropped DLL 7 IoCs
Processes:
MsiExec.exeMsiExec.exeMsiExec.exepid process 3392 MsiExec.exe 3648 MsiExec.exe 3648 MsiExec.exe 3648 MsiExec.exe 2904 MsiExec.exe 2904 MsiExec.exe 2904 MsiExec.exe -
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000c993a456edcb2280000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000c993a450000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000c993a45000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0c993a45000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000c993a4500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Modifies data under HKEY_USERS 44 IoCs
Processes:
powershell.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ = "IRdpDesktopSession" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\FLAGS msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4} msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\RunAs = "NT AUTHORITY\\LocalService" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ProxyStubClsid32\ = "{6a7699f0-ee43-43e7-aa30-a6738f9bd470}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\ProductName = "Chrome Remote Desktop Host" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\ProxyStubClsid32 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\Version = "2097158422" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ = "IRdpDesktopSessionEventHandler" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ProxyStubClsid32 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\ProductIcon = "C:\\Windows\\Installer\\{EF2787B1-0F5C-449C-86FF-6F4D28DE3C46}\\chromoting.ico" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\LaunchPermission = 010014807800000088000000140000003000000002001c000100000011001400040000000101000000000010002000000200480003000000000014000b000000010100000000000512000000000018000b00000001020000000000052000000020020000000014000b0000000101000000000005130000000102000000000005200000002002000001020000000000052000000020020000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\TypeLib msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4} msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B7872FEC5F0C94468FFF6D482EDC364 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\PackageName = "chromeremotedesktophost.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationIcon = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-112" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\PackageCode = "4D8277E60212F634B9581C5B94A5D2F5" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\TypeLib msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ProxyStubClsid32 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\AccessPermission = 010014807800000088000000140000003000000002001c000100000011001400040000000101000000000010002000000200480003000000000014000b000000010100000000000512000000000018000b00000001020000000000052000000020020000000014000b0000000101000000000005130000000102000000000005200000002002000001020000000000052000000020020000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ = "IRdpDesktopSession PSFactory" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268} msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B7872FEC5F0C94468FFF6D482EDC364\chromoting_host msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\ = "RdpDesktopSession Class" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\AppID = "{52e6fd1a-f16e-49c0-aacb-5436a915448b}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ = "IRdpDesktopSessionEventHandler PSFactory" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\FLAGS\ = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\DefaultIcon\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll,-112" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\LocalServer32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_core.dll" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470} msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3a22c946-f9f5-51e0-b7b1-ef8ea58a1f65}\LocalServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\125.0.6422.31\\remoting_host.exe --type=rdp_desktop_session" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ProxyStubClsid32\ = "{b59b96da-83cb-40ee-9b91-c377400fc3e3}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B7872FEC5F0C94468FFF6D482EDC364\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application msiexec.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exepowershell.exepid process 3752 msiexec.exe 3752 msiexec.exe 4804 powershell.exe 4804 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 3732 msiexec.exe Token: SeIncreaseQuotaPrivilege 3732 msiexec.exe Token: SeSecurityPrivilege 3752 msiexec.exe Token: SeCreateTokenPrivilege 3732 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3732 msiexec.exe Token: SeLockMemoryPrivilege 3732 msiexec.exe Token: SeIncreaseQuotaPrivilege 3732 msiexec.exe Token: SeMachineAccountPrivilege 3732 msiexec.exe Token: SeTcbPrivilege 3732 msiexec.exe Token: SeSecurityPrivilege 3732 msiexec.exe Token: SeTakeOwnershipPrivilege 3732 msiexec.exe Token: SeLoadDriverPrivilege 3732 msiexec.exe Token: SeSystemProfilePrivilege 3732 msiexec.exe Token: SeSystemtimePrivilege 3732 msiexec.exe Token: SeProfSingleProcessPrivilege 3732 msiexec.exe Token: SeIncBasePriorityPrivilege 3732 msiexec.exe Token: SeCreatePagefilePrivilege 3732 msiexec.exe Token: SeCreatePermanentPrivilege 3732 msiexec.exe Token: SeBackupPrivilege 3732 msiexec.exe Token: SeRestorePrivilege 3732 msiexec.exe Token: SeShutdownPrivilege 3732 msiexec.exe Token: SeDebugPrivilege 3732 msiexec.exe Token: SeAuditPrivilege 3732 msiexec.exe Token: SeSystemEnvironmentPrivilege 3732 msiexec.exe Token: SeChangeNotifyPrivilege 3732 msiexec.exe Token: SeRemoteShutdownPrivilege 3732 msiexec.exe Token: SeUndockPrivilege 3732 msiexec.exe Token: SeSyncAgentPrivilege 3732 msiexec.exe Token: SeEnableDelegationPrivilege 3732 msiexec.exe Token: SeManageVolumePrivilege 3732 msiexec.exe Token: SeImpersonatePrivilege 3732 msiexec.exe Token: SeCreateGlobalPrivilege 3732 msiexec.exe Token: SeCreateTokenPrivilege 3732 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3732 msiexec.exe Token: SeLockMemoryPrivilege 3732 msiexec.exe Token: SeIncreaseQuotaPrivilege 3732 msiexec.exe Token: SeMachineAccountPrivilege 3732 msiexec.exe Token: SeTcbPrivilege 3732 msiexec.exe Token: SeSecurityPrivilege 3732 msiexec.exe Token: SeTakeOwnershipPrivilege 3732 msiexec.exe Token: SeLoadDriverPrivilege 3732 msiexec.exe Token: SeSystemProfilePrivilege 3732 msiexec.exe Token: SeSystemtimePrivilege 3732 msiexec.exe Token: SeProfSingleProcessPrivilege 3732 msiexec.exe Token: SeIncBasePriorityPrivilege 3732 msiexec.exe Token: SeCreatePagefilePrivilege 3732 msiexec.exe Token: SeCreatePermanentPrivilege 3732 msiexec.exe Token: SeBackupPrivilege 3732 msiexec.exe Token: SeRestorePrivilege 3732 msiexec.exe Token: SeShutdownPrivilege 3732 msiexec.exe Token: SeDebugPrivilege 3732 msiexec.exe Token: SeAuditPrivilege 3732 msiexec.exe Token: SeSystemEnvironmentPrivilege 3732 msiexec.exe Token: SeChangeNotifyPrivilege 3732 msiexec.exe Token: SeRemoteShutdownPrivilege 3732 msiexec.exe Token: SeUndockPrivilege 3732 msiexec.exe Token: SeSyncAgentPrivilege 3732 msiexec.exe Token: SeEnableDelegationPrivilege 3732 msiexec.exe Token: SeManageVolumePrivilege 3732 msiexec.exe Token: SeImpersonatePrivilege 3732 msiexec.exe Token: SeCreateGlobalPrivilege 3732 msiexec.exe Token: SeCreateTokenPrivilege 3732 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3732 msiexec.exe Token: SeLockMemoryPrivilege 3732 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid process 3732 msiexec.exe 3732 msiexec.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
msiexec.exeMsiExec.exedescription pid process target process PID 3752 wrote to memory of 3392 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 3392 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 3392 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 2704 3752 msiexec.exe srtasks.exe PID 3752 wrote to memory of 2704 3752 msiexec.exe srtasks.exe PID 3752 wrote to memory of 3648 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 3648 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 3648 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 2904 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 2904 3752 msiexec.exe MsiExec.exe PID 3752 wrote to memory of 2904 3752 msiexec.exe MsiExec.exe PID 2904 wrote to memory of 4804 2904 MsiExec.exe powershell.exe PID 2904 wrote to memory of 4804 2904 MsiExec.exe powershell.exe PID 2904 wrote to memory of 4804 2904 MsiExec.exe powershell.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chromeremotedesktophost.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BD5B56BDF37DC549E71A334752E12C0C C2⤵
- Loads dropped DLL
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BDDE13D1D50412C9A82C541253F319E92⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 28F9CC3FA129C3003794A7B3F6C3993B E Global\MSI00002⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass New-Item -ItemType SymbolicLink -Path 'C:\Program Files (x86)\Google\Chrome Remote Desktop\CurrentVersion' -Target 'C:\Program Files (x86)\Google\Chrome Remote Desktop\125.0.6422.31\' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e580dd7.rbsFilesize
283KB
MD5a5a2f30d003c48f0054e2d609e22e1be
SHA10b72a63738bab21a90ffdbfc83fd77d0b87e2829
SHA256fb0d8d6e93e19df884a6d91f94027bb4611f8b359e75cab87a0d452b7457c68e
SHA512bc31c3b5ea2250e1c63630526e849535972f043bd48bd2e11a9f691d3112f24ba54d27c5b261b000b509c12b6d8e8e6e8d0a0477afabb0a7a7eacad14bd224d8
-
C:\Users\Admin\AppData\Local\Temp\MSIF3B6.tmpFilesize
168KB
MD5a0962dd193b82c1946dc67e140ddf895
SHA17f36c38d80b7c32e750e22907ac7e1f0df76e966
SHA256b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9
SHA512118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ghlifhn.ss4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\Installer\MSI1019.tmpFilesize
88KB
MD585fcf7b457b7194bbeb46db22fae05c3
SHA15eca64d0d4ab4599852a475a7dd25beb88ae1c27
SHA256e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31
SHA51212d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339
-
C:\Windows\Installer\e580dd6.msiFilesize
20.5MB
MD55f259c755b3dcbbbbc27f9513cddac61
SHA10e672bad7b67cc1f234b265f3af21976935c4903
SHA2569cdd681fc86c1e816e652b0b5590d2e986b08bc26204e8048918a59c291051ce
SHA5124c7f66962cecba4e753f3c996cc45bd102c6b7c6ab97bf85197091cfdb05ca82dd400f0888ead82927c61e3f45ea33e919a3a51da63cb5af1141a980f779fcb3
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
12.8MB
MD5ef422803d81253fc36f8bc952fa024f9
SHA1e389dd9c629f7f59796f20d5e94e257c67898b7f
SHA256642bec768a6195ffe364b7c6ea663f4f484771f645b717af1de06a0c969ab2f8
SHA51209175f596cfbda86ac6fa3c5d598842e358bdfa2bcc0524f4d99a0e017e8402f55e6aa86e837564a75dbaae4aca58457529c25f9a4fa03e2e1160c233f125e34
-
\??\Volume{453a990c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b73848be-b125-43fc-a4b9-1651df6344ad}_OnDiskSnapshotPropFilesize
6KB
MD57b14ab80f8a5653853114e0d83ae3ba2
SHA177773fc3076c6a49feb214a96dba8714bc5f5a34
SHA25617daa45c5998f25280f2cdd44947b9f73d62c08bbdc80ce3bfd25bebbcac3ac1
SHA512b1c5bf0485cf47f524a315744a1d50e36eba1b8ffc4ffa431740d3407001b7cfaff54af5d66c80c96488aded230ba75051786ff0387cd89eac79540ccc08de4f
-
memory/4804-52-0x0000000005E90000-0x0000000005EF6000-memory.dmpFilesize
408KB
-
memory/4804-51-0x0000000005E20000-0x0000000005E86000-memory.dmpFilesize
408KB
-
memory/4804-50-0x0000000005C80000-0x0000000005CA2000-memory.dmpFilesize
136KB
-
memory/4804-61-0x0000000005F00000-0x0000000006257000-memory.dmpFilesize
3.3MB
-
memory/4804-62-0x00000000063F0000-0x000000000640E000-memory.dmpFilesize
120KB
-
memory/4804-63-0x0000000006440000-0x000000000648C000-memory.dmpFilesize
304KB
-
memory/4804-64-0x00000000069B0000-0x0000000006A46000-memory.dmpFilesize
600KB
-
memory/4804-65-0x00000000068F0000-0x000000000690A000-memory.dmpFilesize
104KB
-
memory/4804-66-0x0000000006940000-0x0000000006962000-memory.dmpFilesize
136KB
-
memory/4804-67-0x0000000007BB0000-0x0000000008156000-memory.dmpFilesize
5.6MB
-
memory/4804-49-0x0000000005610000-0x0000000005C3A000-memory.dmpFilesize
6.2MB
-
memory/4804-48-0x0000000004F40000-0x0000000004F76000-memory.dmpFilesize
216KB