77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-en-20211208
submitted
18-12-2021 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44.msi
Size

578KB
MD5

d1c43bb1c9758eee8d2643731af9be7f
SHA1

0614681917d21a1d06492583561643599d12d5ac
SHA256

77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44
SHA512

880ca382078957b3b27c289a9696ceac0add7140b11bfa1bd5335d92361682d43ed3d6c6166433dc90e6e7ecb20dffbb6e4bccd887c6cd15fd2478875ba12039

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 2 IoCs

Processes:

MsiExec.exe

flow pid process

3 268 MsiExec.exe
5 268 MsiExec.exe
Executes dropped EXE 1 IoCs

Processes:

RszzzYXCq.exe

pid process

1904 RszzzYXCq.exe

flow	pid	process
3	268	MsiExec.exe
5	268	MsiExec.exe

pid	process
1904	RszzzYXCq.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RszzzYXCq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RszzzYXCq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RszzzYXCq.exe

Drops startup file 1 IoCs

Processes:

MsiExec.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QSLGMZESLH.lnk MsiExec.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exepowershell.exeRszzzYXCq.exe

pid process

268 MsiExec.exe
268 MsiExec.exe
268 MsiExec.exe
1100 powershell.exe
1904 RszzzYXCq.exe
1904 RszzzYXCq.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QSLGMZESLH.lnk	MsiExec.exe

pid	process
268	MsiExec.exe
268	MsiExec.exe
268	MsiExec.exe
1100	powershell.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\AxKoSdLJ8b3Pkz\imgengine.dll	themida
\AxKoSdLJ8b3Pkz\imgengine.dll	themida
behavioral1/memory/1904-77-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/1904-78-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/1904-79-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/1904-80-0x0000000000400000-0x0000000002245000-memory.dmp	themida
behavioral1/memory/1904-81-0x0000000000400000-0x0000000002245000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsiExec.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\software\Microsoft\Windows\CurrentVersion\Run	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\QSLGMZESLH = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\QSLGMZESLH.lnk"	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\nimdA = "\"C:\\Users\\Admin\\AppData\\Local\\Bezerk_Sorry!Â®\\qubEcAo.exe\""	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RszzzYXCq.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RszzzYXCq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RszzzYXCq.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

RszzzYXCq.exe

pid process

1904 RszzzYXCq.exe

pid	process
1904	RszzzYXCq.exe

Drops file in Windows directory 9 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f75cec4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF31.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID377.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7DB.tmp	msiexec.exe
File created	C:\Windows\Installer\f75cec4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2CA.tmp	msiexec.exe
File created	C:\Windows\Installer\f75cec6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f75cec6.ipi	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RszzzYXCq.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RszzzYXCq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RszzzYXCq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RszzzYXCq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RszzzYXCq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RszzzYXCq.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

msiexec.exepowershell.exeRszzzYXCq.exe

pid	process
1268	msiexec.exe
1268	msiexec.exe
1100	powershell.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe
1904	RszzzYXCq.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RszzzYXCq.exe

pid process

1904 RszzzYXCq.exe

pid	process
1904	RszzzYXCq.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

msiexec.exemsiexec.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	1376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1376	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeSecurityPrivilege	1268	msiexec.exe
Token: SeCreateTokenPrivilege	1376	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1376	msiexec.exe
Token: SeLockMemoryPrivilege	1376	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1376	msiexec.exe
Token: SeMachineAccountPrivilege	1376	msiexec.exe
Token: SeTcbPrivilege	1376	msiexec.exe
Token: SeSecurityPrivilege	1376	msiexec.exe
Token: SeTakeOwnershipPrivilege	1376	msiexec.exe
Token: SeLoadDriverPrivilege	1376	msiexec.exe
Token: SeSystemProfilePrivilege	1376	msiexec.exe
Token: SeSystemtimePrivilege	1376	msiexec.exe
Token: SeProfSingleProcessPrivilege	1376	msiexec.exe
Token: SeIncBasePriorityPrivilege	1376	msiexec.exe
Token: SeCreatePagefilePrivilege	1376	msiexec.exe
Token: SeCreatePermanentPrivilege	1376	msiexec.exe
Token: SeBackupPrivilege	1376	msiexec.exe
Token: SeRestorePrivilege	1376	msiexec.exe
Token: SeShutdownPrivilege	1376	msiexec.exe
Token: SeDebugPrivilege	1376	msiexec.exe
Token: SeAuditPrivilege	1376	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1376	msiexec.exe
Token: SeChangeNotifyPrivilege	1376	msiexec.exe
Token: SeRemoteShutdownPrivilege	1376	msiexec.exe
Token: SeUndockPrivilege	1376	msiexec.exe
Token: SeSyncAgentPrivilege	1376	msiexec.exe
Token: SeEnableDelegationPrivilege	1376	msiexec.exe
Token: SeManageVolumePrivilege	1376	msiexec.exe
Token: SeImpersonatePrivilege	1376	msiexec.exe
Token: SeCreateGlobalPrivilege	1376	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeRestorePrivilege	1268	msiexec.exe
Token: SeTakeOwnershipPrivilege	1268	msiexec.exe
Token: SeDebugPrivilege	1100	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeMsiExec.exeRszzzYXCq.exe

pid process

1376 msiexec.exe
268 MsiExec.exe
1376 msiexec.exe
1904 RszzzYXCq.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

MsiExec.exe

pid process

268 MsiExec.exe

pid	process
1376	msiexec.exe
268	MsiExec.exe
1376	msiexec.exe
1904	RszzzYXCq.exe

pid	process
268	MsiExec.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exeRszzzYXCq.execmd.exe

description	pid	process	target process
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 1268 wrote to memory of 268	1268	msiexec.exe	MsiExec.exe
PID 268 wrote to memory of 1100	268	MsiExec.exe	powershell.exe
PID 268 wrote to memory of 1100	268	MsiExec.exe	powershell.exe
PID 268 wrote to memory of 1100	268	MsiExec.exe	powershell.exe
PID 268 wrote to memory of 1100	268	MsiExec.exe	powershell.exe
PID 1100 wrote to memory of 1904	1100	powershell.exe	RszzzYXCq.exe
PID 1100 wrote to memory of 1904	1100	powershell.exe	RszzzYXCq.exe
PID 1100 wrote to memory of 1904	1100	powershell.exe	RszzzYXCq.exe
PID 1100 wrote to memory of 1904	1100	powershell.exe	RszzzYXCq.exe
PID 1904 wrote to memory of 1280	1904	RszzzYXCq.exe	cmd.exe
PID 1904 wrote to memory of 1280	1904	RszzzYXCq.exe	cmd.exe
PID 1904 wrote to memory of 1280	1904	RszzzYXCq.exe	cmd.exe
PID 1280 wrote to memory of 972	1280	cmd.exe	reg.exe
PID 1280 wrote to memory of 972	1280	cmd.exe	reg.exe
PID 1280 wrote to memory of 972	1280	cmd.exe	reg.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1376

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7E9FC57A4C471C1C1032474180E8C15
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cd\;cd 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup';Start-Sleep -s 6;Invoke-Item 'QSLGMZESLH.lnk'
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\AxKoSdLJ8b3Pkz\RszzzYXCq.exe
      "C:\AxKoSdLJ8b3Pkz\RszzzYXCq.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Loads dropped DLL
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Local\Bezerk_Sorry!Â®\qubEcAo.exe\"" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "nimdA" /t REG_SZ /F /D "\"C:\Users\Admin\AppData\Local\Bezerk_Sorry!Â®\qubEcAo.exe\""
        6⤵
        Adds Run key to start application
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AxKoSdLJ8b3Pkz\RszzzYXCq.exe

MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\AxKoSdLJ8b3Pkz\RszzzYXCq.exe

MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
C:\AxKoSdLJ8b3Pkz\imgengine.dll

MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
C:\AxKoSdLJ8b3Pkz\sptdintf.dll

MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
f21068572217524e157da39370ffe71e

SHA1
32a4fd9901f970913f17d74a4003198c0aeb07f1

SHA256
72dd30f7f897002a6ead8ea7b7b02e33414aca26bacde9aedf0e664fa12ab0c6

SHA512
634967f70658ffc6c2bb1072d5595eb12606104a6602979eb2b68a970d1f4b3228bfc86e298062096560a3f5c4c3dad953c3f55bdd54178ec7bb04cf3617ac75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QSLGMZESLH.lnk

MD5
84849502e68528aa63acd62ff61aa032

SHA1
c708eebb376800739ca65bf0f0707d2084b1f9e4

SHA256
bb32719b8bf4ba82c2c4f3f4ecdf0732175ce20c9c8b9340118e431d3d5a2645

SHA512
fb9df064eaa859dff855236441db8dd100a46bf1c2f9581e9efe22a13e4e75f679dacd42a8d7653de6bdaa258b4660f42e766e3774bc271980dba9af67e4e07c

Download Submit
C:\Windows\Installer\MSICF31.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSID2CA.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
C:\Windows\Installer\MSID377.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\AxKoSdLJ8b3Pkz\RszzzYXCq.exe

MD5
53b00fffa618fe5ce3a1c84cc81f5c3e

SHA1
8dfd75408c7683082af6030b3318cd8401264b7d

SHA256
353133e9989fd0610b1696f24648c1eadb66b08f8b31bdf573ec2af84457598d

SHA512
f1cd162e0c0354af9f54b8836b35b286d63a40cbdc255e7f6beda2e94be8de3c68c15acad18aaadfceadaf0a8a8f41c28f4dacc0c27d1c7ac6e5b4bbf4cca968

Download Submit
\AxKoSdLJ8b3Pkz\imgengine.dll

MD5
ef7de8e17a46bbb875ff5b48a5111f75

SHA1
1758ad8c4574dc8aba71ef4e541dd78579853826

SHA256
4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

SHA512
0a7a0316856c766fb0ec8dae0519acb480d3e1c738c4a2ba442cb8cc5e67b920839ade09bc69e54eb406bb4575cae9fd1958512c25a826e134d4d036b744fd80

Download Submit
\AxKoSdLJ8b3Pkz\sptdintf.dll

MD5
5b91b8ef0dd74486bcaa38004417e565

SHA1
01c5cfc191ca8006b43f355ee41a35ad49c34fd4

SHA256
7353ea393051b369f92e230459d6904f88938e1ef94562aaa86342b9aaea7762

SHA512
aedbfb925e23e216dd0b03e6e26c1852ecfdee6a79662ce327e4213cda8d97eac2d9dc4d86f65a287c1346ec1d57573135711f941fd98acecdfa6215ec4b3ab1

Download Submit
\Windows\Installer\MSICF31.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSID2CA.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
\Windows\Installer\MSID377.tmp

MD5
c18bc0b736979d22eeb22085d2023d28

SHA1
dc6bf871db4ec59b16fdaf505f49cb6ede36cea6

SHA256
2646d5432ff0b4ec3e39e21f4cf250bc80e6af01f2466ec97a21c4026d1958d9

SHA512
0b06fff2c4d2a465e339d1acc839d3fcfaddfc8358ee66842aa2330917d49c2abfd60c53c853e508a30dd19cb77cbc3eba7a14cab29c50fc28aadf5de062e575

Download Submit
memory/268-58-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/268-57-0x0000000000000000-mapping.dmp

Download
memory/972-86-0x0000000000000000-mapping.dmp

Download
memory/1100-67-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1100-65-0x0000000000000000-mapping.dmp

Download
memory/1280-85-0x0000000000000000-mapping.dmp

Download
memory/1376-55-0x000007FEFB5B1000-0x000007FEFB5B3000-memory.dmp

Filesize
8KB

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download
memory/1904-80-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/1904-81-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/1904-83-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1904-79-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/1904-78-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download
memory/1904-77-0x0000000000400000-0x0000000002245000-memory.dmp

Filesize
30.3MB

Download