c74eddf5ac23f4861b1f6ff67ab1532fd82d403dc3754df3e4d7d36bd73e490f

Analysis

max time kernel
1200s
max time network
372s
platform
windows10_x64
resource
win10v20210408
submitted
14-07-2021 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG?.msi
Size

282KB
MD5

4c4b518cd235c9be37cd09c672f67a2f
SHA1

fd35655bb7e9555862cba72211baad18e3389872
SHA256

56629c6ce6d6975476fb7c10135882bafa55a04576e80d28cb8e0817e052e4d6
SHA512

e2c9e12ab2bb446e9650b95bfd5907f9fc7a37d2da4db8400ba5b2390968082030368825e21eb9334fc7ce81e92b2c4937ba569ac80d5c69af50f1f523e4c0a2

Score

9^/10

bootkit evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 1 IoCs

Processes:

MsiExec.exe

flow pid process

10 1568 MsiExec.exe
Executes dropped EXE 1 IoCs

Processes:

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid process

1156 DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

flow	pid	process
10	1568	MsiExec.exe

pid	process
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Drops startup file 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk MsiExec.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk	MsiExec.exe

Loads dropped DLL 5 IoCs

Processes:

MsiExec.exeDHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid	process
1568	MsiExec.exe
1568	MsiExec.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll	themida
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll	themida
behavioral1/memory/1156-175-0x000000006C240000-0x000000006E4D2000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\Microsoft\Windows\CurrentVersion\Run	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\YECXPSDSQT = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\YECXPSDSQT.lnk"	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid process

1156 DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

flow	ioc
17	ipinfo.io

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid	process
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI988D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A464F5F1-1FB0-4DC8-8F86-339084D9ADBB}	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9168.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AB1.tmp	msiexec.exe
File created	C:\Windows\Installer\f7490cc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7490cc.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

OpenWith.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2228 NOTEPAD.EXE

pid	process
2228	NOTEPAD.EXE

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exeDHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid	process
3676	msiexec.exe
3676	msiexec.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeDHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

pid process

3712 OpenWith.exe
1156 DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exeAUDIODG.EXEDHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

description	pid	process
Token: SeShutdownPrivilege	1484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1484	msiexec.exe
Token: SeSecurityPrivilege	3676	msiexec.exe
Token: SeCreateTokenPrivilege	1484	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1484	msiexec.exe
Token: SeLockMemoryPrivilege	1484	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1484	msiexec.exe
Token: SeMachineAccountPrivilege	1484	msiexec.exe
Token: SeTcbPrivilege	1484	msiexec.exe
Token: SeSecurityPrivilege	1484	msiexec.exe
Token: SeTakeOwnershipPrivilege	1484	msiexec.exe
Token: SeLoadDriverPrivilege	1484	msiexec.exe
Token: SeSystemProfilePrivilege	1484	msiexec.exe
Token: SeSystemtimePrivilege	1484	msiexec.exe
Token: SeProfSingleProcessPrivilege	1484	msiexec.exe
Token: SeIncBasePriorityPrivilege	1484	msiexec.exe
Token: SeCreatePagefilePrivilege	1484	msiexec.exe
Token: SeCreatePermanentPrivilege	1484	msiexec.exe
Token: SeBackupPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	1484	msiexec.exe
Token: SeShutdownPrivilege	1484	msiexec.exe
Token: SeDebugPrivilege	1484	msiexec.exe
Token: SeAuditPrivilege	1484	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1484	msiexec.exe
Token: SeChangeNotifyPrivilege	1484	msiexec.exe
Token: SeRemoteShutdownPrivilege	1484	msiexec.exe
Token: SeUndockPrivilege	1484	msiexec.exe
Token: SeSyncAgentPrivilege	1484	msiexec.exe
Token: SeEnableDelegationPrivilege	1484	msiexec.exe
Token: SeManageVolumePrivilege	1484	msiexec.exe
Token: SeImpersonatePrivilege	1484	msiexec.exe
Token: SeCreateGlobalPrivilege	1484	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeRestorePrivilege	3676	msiexec.exe
Token: SeTakeOwnershipPrivilege	3676	msiexec.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: 33	2508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2508	AUDIODG.EXE
Token: 33	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Token: SeIncBasePriorityPrivilege	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Token: 33	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Token: SeIncBasePriorityPrivilege	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Token: 33	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
Token: SeIncBasePriorityPrivilege	1156	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exeMsiExec.exe

pid process

1484 msiexec.exe
1568 MsiExec.exe
1484 msiexec.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

MsiExec.exe

pid process

1568 MsiExec.exe

pid	process
1484	msiexec.exe
1568	MsiExec.exe
1484	msiexec.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

OpenWith.exe

pid	process
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe
3712	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeOpenWith.exepowershell.execmd.execmd.exe

description	pid	process	target process
PID 3676 wrote to memory of 1568	3676	msiexec.exe	MsiExec.exe
PID 3676 wrote to memory of 1568	3676	msiexec.exe	MsiExec.exe
PID 3676 wrote to memory of 1568	3676	msiexec.exe	MsiExec.exe
PID 1568 wrote to memory of 1152	1568	MsiExec.exe	powershell.exe
PID 1568 wrote to memory of 1152	1568	MsiExec.exe	powershell.exe
PID 1568 wrote to memory of 1152	1568	MsiExec.exe	powershell.exe
PID 3712 wrote to memory of 2228	3712	OpenWith.exe	NOTEPAD.EXE
PID 3712 wrote to memory of 2228	3712	OpenWith.exe	NOTEPAD.EXE
PID 1152 wrote to memory of 1156	1152	powershell.exe	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
PID 1152 wrote to memory of 1156	1152	powershell.exe	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
PID 1152 wrote to memory of 1156	1152	powershell.exe	DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
PID 576 wrote to memory of 2436	576	cmd.exe	xcopy.exe
PID 576 wrote to memory of 2436	576	cmd.exe	xcopy.exe
PID 2952 wrote to memory of 1568	2952	cmd.exe	zmstage.exe
PID 2952 wrote to memory of 1568	2952	cmd.exe	zmstage.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\COMPRO.SEDEX-5.TIZOLPLIAXWUJUDLIJJLSNXSDAFMVG_.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 94A2633D9A3D5655E909ABF7F4CAC435
2⤵
- Blocklisted process makes network request
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 60;Invoke-Item 'YECXPSDSQT.lnk'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
"C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\xcopy.exe
xcopy payload.dll payload.dat
2⤵
PID:2436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\752221487\payload.dat
2⤵
- Opens file in notepad (likely ransom note)
PID:2228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x310
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\752221487\zmstage.exe
zmstage.exe
2⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI48a63.LOG
MD5
e6a2c968cfcd69702da6f68c6b54597f

SHA1
30432805e6aad2ddb74be04c5bb2811a33adbd97

SHA256
16ad8c7be806989a721312e60ce529dd770a003cd4546511dc16b6007a5e1bf8

SHA512
0ef3b74cb931e3d194a870e04e9d04daf017a30648406c9a4984fbf64c04c99352eae36fc84a442279b6d80bf539e7977cae967d9093573b5a73ecb1775486bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YECXPSDSQT.lnk
MD5
40a23750d365cefe1d6958f98c6278d8

SHA1
0c861fff697d927f7ee8819e3ae269875b18050c

SHA256
b8242f151d96a49989c335890e9bf940e6e0580139aeaa29890ae7aeaf8deb1d

SHA512
19853ed3cc118959e82492a4ffc7bda4df44f5da4e70d3091d5e1590a4cd605ae6bcd4674bcbed9e4047fb592eabb4bc287de3ce4273488d7254f00f9a5d5581

Download Submit
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll
MD5
759bbd553496e0fad10ed1e89f83ecf9

SHA1
240a2c2c465660e46f19de5bd5cb58a6f3a2d92a

SHA256
568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72

SHA512
186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef

Download Submit
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
MD5
8cbb75febfb4b0b7c3b6d3613386220c

SHA1
ba5493b08354aee85151b7bbd15150a1c3f03d1d

SHA256
f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a

SHA512
8cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd

Download Submit
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\DHDQFZZKCHAMQRQQEETFCWRKAUQXOPGZYIGñ.exe
MD5
8cbb75febfb4b0b7c3b6d3613386220c

SHA1
ba5493b08354aee85151b7bbd15150a1c3f03d1d

SHA256
f495d7c5c98457febc42ec96a959293788f6915e4245899d3bb1808ab84f0d9a

SHA512
8cb5f08f9e21fb6648f364869366ad09908be9e0317f95708a9e1931d30855cdfab199464bf5d72675bc1e166e8ce4645e6d0dca0d8d1c78428fbc77d4dd25fd

Download Submit
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\MSVCP120.dll
MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
C:\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\MSVCR120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
C:\Windows\Installer\MSI9168.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
C:\Windows\Installer\MSI988D.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\Avira.OE.NativeCore.dll
MD5
759bbd553496e0fad10ed1e89f83ecf9

SHA1
240a2c2c465660e46f19de5bd5cb58a6f3a2d92a

SHA256
568829dea29381ac4f997a1db9625e6619511b6849b1ddd0338a2a41f2710f72

SHA512
186abbcf425b0d8f64c38aeaceac208df001321a49814642441bc236d14b8a82f3ebcb8e1eff839eef6ad0f00ba4388e4eb46bf5b43c8b3582f7573625a377ef

Download Submit
\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\msvcp120.dll
MD5
fd5cabbe52272bd76007b68186ebaf00

SHA1
efd1e306c1092c17f6944cc6bf9a1bfad4d14613

SHA256
87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608

SHA512
1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

Download Submit
\Users\Public\Downloads\AFKYIYKYGWIFCSZGCWPY\msvcr120.dll
MD5
034ccadc1c073e4216e9466b720f9849

SHA1
f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1

SHA256
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f

SHA512
5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

Download Submit
\Windows\Installer\MSI9168.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
\Windows\Installer\MSI988D.tmp
MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit
memory/1152-132-0x0000000006DF2000-0x0000000006DF3000-memory.dmp

Filesize
4KB

Download
memory/1152-134-0x0000000007AE0000-0x0000000007AE1000-memory.dmp

Filesize
4KB

Download
memory/1152-138-0x0000000008470000-0x0000000008471000-memory.dmp

Filesize
4KB

Download
memory/1152-139-0x00000000084C0000-0x00000000084C1000-memory.dmp

Filesize
4KB

Download
memory/1152-144-0x00000000091F0000-0x00000000091F1000-memory.dmp

Filesize
4KB

Download
memory/1152-145-0x0000000009110000-0x0000000009111000-memory.dmp

Filesize
4KB

Download
memory/1152-146-0x0000000009180000-0x0000000009181000-memory.dmp

Filesize
4KB

Download
memory/1152-147-0x0000000009820000-0x0000000009821000-memory.dmp

Filesize
4KB

Download
memory/1152-152-0x000000000A3A0000-0x000000000A3A1000-memory.dmp

Filesize
4KB

Download
memory/1152-173-0x0000000006DF3000-0x0000000006DF4000-memory.dmp

Filesize
4KB

Download
memory/1152-136-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/1152-135-0x0000000007A60000-0x0000000007A61000-memory.dmp

Filesize
4KB

Download
memory/1152-126-0x0000000000000000-mapping.dmp

Download
memory/1152-137-0x0000000008140000-0x0000000008141000-memory.dmp

Filesize
4KB

Download
memory/1152-133-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1152-131-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/1152-130-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/1152-129-0x0000000004920000-0x0000000004921000-memory.dmp

Filesize
4KB

Download
memory/1156-164-0x0000000000000000-mapping.dmp

Download
memory/1156-174-0x0000000077860000-0x00000000779EE000-memory.dmp

Filesize
1.6MB

Download
memory/1156-175-0x000000006C240000-0x000000006E4D2000-memory.dmp

Filesize
34.6MB

Download
memory/1156-177-0x000000006C241000-0x000000006C6E7000-memory.dmp

Filesize
4.6MB

Download
memory/1156-178-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1568-119-0x0000000000000000-mapping.dmp

Download
memory/1568-181-0x0000000000000000-mapping.dmp

Download
memory/2228-153-0x0000000000000000-mapping.dmp

Download
memory/2436-176-0x0000000000000000-mapping.dmp

Download