Analysis
max time kernel: 92s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2024 18:08
Static task: static1
Behavioral task: behavioral1
  Sample: Checkm8.info Software.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Checkm8.info Software.exe
  Resource: win10v2004-20240226-en
General
Target: Checkm8.info Software.exe
Size: 152.7MB
MD5: a5b6acf1acb70f2cdf0539d0701d103c
SHA1: 269ef4e0f732bc5f0d2ee3fc28fa6351ee0cc901
SHA256: df8bc2dfd6961766452c508d84917c40c109b8920d9c617b08cb62dc7c6668da
SHA512: 6404e5329e59062bbb650d74e6b9545dfc509748dd253096255372c0f25714b03201a1eab8270cbdcfbe20ea3ca8f0cdfd83fd74dafef15029384dec7dc32b55
SSDEEP: 3145728:D9CQPQmwzUK+vcNuD/AA8sSC23nLxtEvw7cftKUX1bDXADDe0/wDe0/0XUme:DjPpvAOSJ3nL7Evw7cVdRADDe04De0S4
Malware Config
Signatures
Manipulates Digital Signatures (1 TTP, 3 IoCs)
Attackers can alter the registry keys that Authenticode and the Windows Cryptography subsystem rely on so that their binary is treated as validly signed.
Processes: certutil.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" (certutil.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" (certutil.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" (certutil.exe)
Caveat: the three values register Microsoft's own OID display names (the szOID_* constants from wincrypt.h) and are a side effect of certutil.exe itself running under WOW64; they do not change how signatures are validated. The trust-relevant action is the command line that launched certutil (see the process tree): it adds C:\Users\Admin\AppData\Local\Temp\simple.cer to the machine-wide Root store, after which any TLS or code-signing certificate chaining to that CA is trusted system-wide. On a host that ran this installer, compare `certutil -store Root` (or `Get-ChildItem Cert:\LocalMachine\Root` in PowerShell) against a clean baseline and look for the issuer of simple.cer.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a value commonly used for geofencing.
Processes: Checkm8.info Software.exe, MSI9EF8.tmp
- Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation (Checkm8.info Software.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation (MSI9EF8.tmp)
Executes dropped EXE (1 IoC)
Processes: MSI9EF8.tmp
- PID 1036 MSI9EF8.tmp
Loads dropped DLL (28 IoCs)
Processes: MsiExec.exe, Checkm8.info Software.exe
- PID 392 MsiExec.exe: 15 loads
- PID 1480 Checkm8.info Software.exe: 1 load
- PID 216 MsiExec.exe: 11 loads
- PID 1316 MsiExec.exe: 1 load
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. This agrees with the AgileDotNet.VMRuntime.dll that the installer drops under Program Files (see "Drops file in Program Files directory").
YARA matches:
- behavioral2/files/0x0008000000023247-321.dat: agile_net
- behavioral2/files/0x0008000000023247-328.dat: agile_net
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, Checkm8.info Software.exe (two instances)
All 64 IoCs are "File opened (read-only)" on a drive root:
- msiexec.exe (22 opens): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
- Checkm8.info Software.exe (42 opens across the two instances, several letters more than once): \??\A: \??\B: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Caveat: Windows Installer probes every drive letter while costing an install, so this behaviour from msiexec.exe, and from the sample while it runs the embedded package (the `/i "...\Checkm8.info Software.msi"` command line in the process tree), is expected for any MSI-based installer and is not an indicator on its own.
Drops file in Program Files directory (64 IoCs)
Processes: msiexec.exe
All 64 files are created by msiexec.exe under C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\; relative paths, in the order reported:
- libs\CoreADI64.dll
- libs\CoreVideo.dll
- libs\OutlookChangeNotifierAddIn.dll
- Newtonsoft.Json.dll
- boot\lzma
- drivers\libusbk\amd64\winusbcoinstaller2.dll
- drivers\libusbk\dpscat.exe
- drivers\usbaapl\x64\usbaapl64.inf
- drivers\libusbk\amd64\libusb0_x86.dll
- libs\APSDaemon_main.dll
- libs\pcre.dll
- libs\readline.dll
- drivers\usbaapl\x86\usbaapl.inf
- libcrypto-1_1-x64.dll
- libs\libusb0.dll
- libs\ssl-46.dll
- ucrtbased.dll
- libs\icudt62.dll
- libs\ideviceactivation.exe
- libs\ideviceinfo.exe
- libs\idevicepair.exe
- libs\usbmuxd.dll
- drivers\libusbk\amd64\libusbK.sys
- drivers\libusbk\amd64\WdfCoInstaller01011.dll
- drivers\libusbk\x86\libusb0.dll
- drivers\usbaapl\x64\USBAAPL64.CAT
- libs\ApplePushService.dll
- libs\AppleVersions.dll
- libs\idevicename.exe
- libs\libxml2.dll
- libs\plist_test.exe
- jose-jwt.dll
- libs\bz2.dll
- libs\getopt.dll
- libs\idevicedebug.exe
- libs\pthreadVC2.dll
- Shaman.CurlSharp.dll
- libs\libcache.dll
- libs\libicuin.dll
- libs\idevice_id.exe
- libs\libicuuc.dll
- boot\boot.tar.lzma
- libs\AppleMobileDeviceService_main.dll
- libs\irecovery.dll
- libs\libdispatch.dll
- drivers\libusbk\x86\WdfCoInstaller01011.dll
- libs\Foundation.dll
- libs\idevicebackup.exe
- libs\ideviceenterrecovery.exe
- libs\libexslt.dll
- drivers\usbaapl\x64\usbaapl64.sys
- libusb-1.0.dll
- libs\idevicecrashreport.exe
- libs\idevicediagnostics.exe
- libs\MobileDevice.dll
- AgileDotNet.VMRuntime.dll
- drivers\libusbk\x86\libusb0_x86.dll
- libs\libcrypto-1_1-x64.dll
- drivers\libusbk\amd64\libusb0.dll
- drivers\libusbk\x86\winusbcoinstaller2.dll
- libs\idevicerestore.exe
- libs\idevicescreenshot.exe
- libs\zlib1.dll
- drivers\libusbk\x86\libusb0.sys
Drops file in Windows directory (23 IoCs)
Processes: msiexec.exe
- File created C:\Windows\Installer\{E489471F-69DE-4243-9B3A-838F081C29D8}\Checkm8.infoSoftware.exe
- File created C:\Windows\Installer\e579710.msi
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification C:\Windows\Installer\MSI9A2E.tmp
- File opened for modification C:\Windows\Installer\MSI9A7E.tmp
- File created C:\Windows\Installer\SourceHash{E489471F-69DE-4243-9B3A-838F081C29D8}
- File opened for modification C:\Windows\Installer\MSI9EF8.tmp
- File opened for modification C:\Windows\Installer\MSI9A4E.tmp
- File opened for modification C:\Windows\Installer\MSI9E1C.tmp
- File opened for modification C:\Windows\Installer\{E489471F-69DE-4243-9B3A-838F081C29D8}\Checkm8.infoSoftware.exe
- File opened for modification C:\Windows\Installer\MSI9FA5.tmp
- File opened for modification C:\Windows\Installer\MSIA13C.tmp
- File opened for modification C:\Windows\Installer\MSI97BC.tmp
- File opened for modification C:\Windows\Installer\MSI9ABD.tmp
- File opened for modification C:\Windows\Installer\MSI9ACE.tmp
- File opened for modification C:\Windows\Installer\
- File opened for modification C:\Windows\Installer\MSI9D5F.tmp
- File opened for modification C:\Windows\Installer\MSI9EA9.tmp
- File opened for modification C:\Windows\Installer\MSIA97B.tmp
- File created C:\Windows\Installer\e579712.msi
- File opened for modification C:\Windows\Installer\MSIAA76.tmp
- File opened for modification C:\Windows\Installer\e579710.msi
- File created C:\Windows\Installer\inprogressinstallinfo.ipi
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000042283678384db7f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000422836780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090042283678000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d42283678000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004228367800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Caveat: every access here comes from vssvc.exe, the Volume Shadow Copy service, while it serves the restore point that srtasks.exe ExecuteScopeRestorePoint (spawned by msiexec.exe, see the process tree) requested; the two values it writes live under the partition manager's Partmgr key, and SnapshotDataCache begins with the ASCII tag "SNAPPART" (534e4150504152 54). Nothing in this run shows the sample reading disk vendor strings itself, so this hit should not be read as anti-sandbox behaviour by the sample.
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E (msiexec.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 (msiexec.exe)
Modifies registry class (26 IoCs)
Processes: msiexec.exe
All keys are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ and are written by msiexec.exe:
- Set value (str) Features\F174984EED963424B9A338F880C1928D\A918597FE054CCCB65ABDBA0AD8F63C
- Key created Products\F174984EED963424B9A338F880C1928D
- Set value (str) Products\F174984EED963424B9A338F880C1928D\ProductIcon = "C:\\Windows\\Installer\\{E489471F-69DE-4243-9B3A-838F081C29D8}\\Checkm8.infoSoftware.exe"
- Key created Products\F174984EED963424B9A338F880C1928D\SourceList\Net
- Set value (str) Features\F174984EED963424B9A338F880C1928D\MainFeature
- Set value (int) Products\F174984EED963424B9A338F880C1928D\Version = "67567617"
- Set value (str) Products\F174984EED963424B9A338F880C1928D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 4.7.1\\install\\"
- Key created Products\F174984EED963424B9A338F880C1928D\SourceList\Media
- Set value (str) Products\F174984EED963424B9A338F880C1928D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Checkm8.info\\Checkm8.info Software 4.7.1\\install\\"
- Set value (str) Products\F174984EED963424B9A338F880C1928D\PackageCode = "772D0FED4005D9F4DAC8675692E4DCB6"
- Set value (int) Products\F174984EED963424B9A338F880C1928D\InstanceType = "0"
- Key created Products\F174984EED963424B9A338F880C1928D\SourceList
- Key created UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9
- Set value (str) Products\F174984EED963424B9A338F880C1928D\SourceList\Media\DiskPrompt = "[1]"
- Set value (str) Products\F174984EED963424B9A338F880C1928D\SourceList\Media\1 = "Disk1;Disk1"
- Key created Features\F174984EED963424B9A338F880C1928D
- Set value (int) Products\F174984EED963424B9A338F880C1928D\AdvertiseFlags = "388"
- Set value (int) Products\F174984EED963424B9A338F880C1928D\AuthorizedLUAApp = "1"
- Set value (int) Products\F174984EED963424B9A338F880C1928D\DeploymentFlags = "3"
- Set value (str) UpgradeCodes\4FBD7DFEF531EE246A95B5DD8F9D05D9\F174984EED963424B9A338F880C1928D
- Set value (data) Products\F174984EED963424B9A338F880C1928D\Clients = 3a0000000000
- Set value (str) Products\F174984EED963424B9A338F880C1928D\ProductName = "Checkm8.info Software"
- Set value (int) Products\F174984EED963424B9A338F880C1928D\Assignment = "1"
- Set value (str) Features\F174984EED963424B9A338F880C1928D\C4FE6FD5B7C4D07B3A313E754A9A6A8
- Set value (int) Products\F174984EED963424B9A338F880C1928D\Language = "1033"
- Set value (str) Products\F174984EED963424B9A338F880C1928D\SourceList\PackageName = "Checkm8.info Software.msi"
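Added example (not from the report or from the Checkm8.info product): the Products, Features and UpgradeCodes subkeys above are named with Windows Installer's "packed" GUID form, and Version is the ProductVersion folded into one DWORD. The helpers below turn both back into readable values, so a responder reading these keys from a live host or an offline hive can match them to the {E489471F-69DE-4243-9B3A-838F081C29D8} product code and the 4.7.1 version that appear elsewhere in this report. The sample values are copied from the IoCs above; nothing else is assumed.

```python
r"""Decode Windows Installer product-registration values.

Added example, not part of the Triage report or of the Checkm8.info product.
Windows Installer stores product, package and upgrade codes under
HKLM\SOFTWARE\Classes\Installer in a "packed" form and stores ProductVersion
as a single DWORD; these helpers recover the readable values.
"""
import re

PACKED_RE = re.compile(r"[0-9A-Fa-f]{32}")
GUID_RE = re.compile(
    r"\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?"
)


def _swap_pairs(hexstr: str) -> str:
    """Swap each pair of hex digits: 'B9A3' -> '9B3A'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def unpack_installer_guid(packed: str) -> str:
    """32 hex chars as stored by Windows Installer -> {8-4-4-4-12} GUID.

    The first three GUID fields are reversed character by character, the
    last two byte by byte (each pair of hex digits swapped).
    """
    if not PACKED_RE.fullmatch(packed):
        raise ValueError("packed GUID must be exactly 32 hex characters")
    p = packed.upper()
    tail = _swap_pairs(p[16:])
    return "{%s-%s-%s-%s-%s}" % (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                tail[0:4], tail[4:16])


def pack_installer_guid(guid: str) -> str:
    """Inverse of unpack_installer_guid, for building registry paths to query."""
    if not GUID_RE.fullmatch(guid):
        raise ValueError("expected a {8-4-4-4-12} GUID")
    f1, f2, f3, f4, f5 = guid.strip("{}").upper().split("-")
    return f1[::-1] + f2[::-1] + f3[::-1] + _swap_pairs(f4 + f5)


def decode_installer_version(value: int) -> str:
    """ProductVersion DWORD: major in the top byte, minor next, build in the low word."""
    return f"{(value >> 24) & 0xFF}.{(value >> 16) & 0xFF}.{value & 0xFFFF}"


def summarize_product(packed_product: str, values: dict) -> dict:
    """Readable view of one Products\\<packed> key, values as the report lists them."""
    return {
        "product_code": unpack_installer_guid(packed_product),
        "package_code": unpack_installer_guid(values["PackageCode"]),
        "version": decode_installer_version(int(values["Version"])),
        "product_name": values["ProductName"],
        "package_name": values["PackageName"],
    }


# Values copied from the "Modifies registry class" IoCs in this report.
SAMPLE_PRODUCT = "F174984EED963424B9A338F880C1928D"
SAMPLE_VALUES = {
    "PackageCode": "772D0FED4005D9F4DAC8675692E4DCB6",
    "Version": "67567617",
    "ProductName": "Checkm8.info Software",
    "PackageName": "Checkm8.info Software.msi",
}

if __name__ == "__main__":
    for key, val in summarize_product(SAMPLE_PRODUCT, SAMPLE_VALUES).items():
        print(f"{key}: {val}")
```

Running the block resolves F174984EED963424B9A338F880C1928D to {E489471F-69DE-4243-9B3A-838F081C29D8}, the same product code used for the cached installer under C:\Windows\Installer, and decodes Version 67567617 to 4.7.1, matching the "Checkm8.info Software 4.7.1" source path. pack_installer_guid is the direction you need when you start from a product code (for example from an uninstall entry) and want the Products subkey to inspect.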
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe
- PID 1176 msiexec.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, Checkm8.info Software.exe
- PID 1176 msiexec.exe: SeSecurityPrivilege
- PID 1480 Checkm8.info Software.exe requested the following 29 privileges, in this order, then repeated the same sequence; the listing stops at 64 entries, in the third pass after SeMachineAccountPrivilege:
  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Caveat: this signature records what the process asked AdjustTokenPrivileges to enable, not what the token holds. The call returns success even when most of the requested privileges are absent (GetLastError then reports ERROR_NOT_ALL_ASSIGNED), and walking the complete privilege list in one sweep is the "enable everything" pattern rather than a targeted request. Of the set, only SeLoadDriverPrivilege has an obvious use in this install, given the libusbK and usbaapl driver packages dropped under Program Files; to see which privileges the account actually had, run `whoami /priv` in the same context.
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: Checkm8.info Software.exe
- PID 1480 Checkm8.info Software.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Processes: msiexec.exe, Checkm8.info Software.exe, MSI9EF8.tmp
Source PID -> target PID (target's process index in parentheses):
- 1176 msiexec.exe -> 392 (92), 3 times
- 1480 Checkm8.info Software.exe -> 5112 (96), 3 times
- 1176 msiexec.exe -> 4660 (99), 2 times
- 1176 msiexec.exe -> 216 (101), 3 times
- 1176 msiexec.exe -> 1036 (102), 3 times
- 1036 MSI9EF8.tmp -> 2336 (103), 3 times
- 1176 msiexec.exe -> 1316 (105), 3 times
Caveat: every target (392, 5112, 4660, 216, 1036, 2336, 1316) is a direct child of the writing process in the process tree, and each is written two or three times around its creation. That is the pattern of normal process start-up, where the parent writes the new child's startup parameters into its address space, not of injection; injection would show a target the sample did not spawn.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is driven by srtasks.exe ExecuteScopeRestorePoint, which msiexec.exe launches (see the process tree) to create a system restore point before the install proceeds.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe (PID 1480)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe (PID 5112)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe" /i "C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Checkm8.info\Checkm8.info Software" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software" SECONDSEQUENCE="1" CLIENTPROCESSID="1480" AI_MORE_CMD_LINE=1
        - Enumerates connected drives

[1] C:\Windows\system32\msiexec.exe (PID 1176)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\syswow64\MsiExec.exe (PID 392)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BD49349032AB90093502E8CA3CDA94E9 C
        - Loads dropped DLL
    [2] C:\Windows\system32\srtasks.exe (PID 4660)
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    [2] C:\Windows\syswow64\MsiExec.exe (PID 216)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DFCA3F5A85B994EAB48DFD1B0147455D
        - Loads dropped DLL
    [2] C:\Windows\Installer\MSI9EF8.tmp (PID 1036)
        Command line: "C:\Windows\Installer\MSI9EF8.tmp" /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\certutil.exe (PID 2336)
            Command line: "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer
            - Manipulates Digital Signatures
    [2] C:\Windows\syswow64\MsiExec.exe (PID 1316)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6630498F59D52E88991F2D47BA4A8D98 E Global\MSI0000
        - Loads dropped DLL

[1] C:\Windows\system32\vssvc.exe (PID 828)
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
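The chain msiexec.exe -> MSI9EF8.tmp -> certutil.exe -addstore "Root" in the tree above, together with the "Manipulates Digital Signatures" hit it produced, is the one behaviour in this report worth an alert: an installer custom action silently adding a CA to the machine's trusted roots. The following is an added example, not code from the report or from the Checkm8.info product. It replays constructed process-creation events (Sysmon Event ID 1 style: pid, ppid, image, command line) modelled on the PIDs and command lines above, and flags every certutil -addstore into a trust-granting store together with the chain of processes that launched it. The parent PID of msiexec.exe (700) and the two benign control events are made up for the demonstration.

```python
"""Flag certutil.exe writes into trust-granting certificate stores.

Added example, not part of the Triage report or of the Checkm8.info product.
It replays constructed process-creation events (pid, ppid, image, command
line) modelled on the process tree in the report and reports every certutil
-addstore into a store that changes what the machine trusts, along with the
process chain that launched it.
"""
import ntpath
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Stores where an added certificate changes trust decisions: Root/AuthRoot
# anchor TLS and Authenticode chains, TrustedPublisher auto-trusts signers.
TRUST_STORES = {"root", "authroot", "trustedpublisher"}

# Constructed events. The first three mirror PIDs and command lines from the
# report (PID 700 as msiexec's parent is assumed); the last two are benign
# controls that must not fire.
EVENTS = [
    {"pid": 1176, "ppid": 700, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1036, "ppid": 1176, "image": r"C:\Windows\Installer\MSI9EF8.tmp",
     "cmdline": r'"C:\Windows\Installer\MSI9EF8.tmp" /RunAsAdmin /HideWindow '
                r'"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" '
                r'C:\Users\Admin\AppData\Local\Temp\simple.cer'},
    {"pid": 2336, "ppid": 1036, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": r'"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" '
                r'C:\Users\Admin\AppData\Local\Temp\simple.cer'},
    {"pid": 3000, "ppid": 700, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\Admin\Downloads\setup.msi SHA256"},
    {"pid": 3100, "ppid": 700, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -addstore -user My C:\Users\Admin\client.cer"},
]


@dataclass
class Finding:
    pid: int
    store: str
    scope: str                  # "machine", or "user" when -user was given
    cert_path: str
    chain: list = field(default_factory=list)   # ancestor images, root first


def split_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line.

    posix=False keeps backslashes literal and leaves quotes attached to their
    token; the quotes are then stripped so "Root" and Root compare equal.
    """
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_addstore(cmdline: str) -> Optional[tuple]:
    """Return (store, scope, cert_path) for a certutil -addstore call, else None."""
    tokens = split_cmdline(cmdline)
    lowered = [tok.lower() for tok in tokens]
    if "-addstore" not in lowered:
        return None
    scope = "user" if "-user" in lowered else "machine"
    i = lowered.index("-addstore") + 1
    # Switches such as -f or -enterprise may sit between -addstore and the store.
    while i < len(tokens) and tokens[i].startswith("-"):
        i += 1
    if i + 1 >= len(tokens):        # need both a store name and an input file
        return None
    return tokens[i], scope, tokens[i + 1]


def ancestry(pid: int, by_pid: dict) -> list:
    """Image basenames from the topmost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_trust_store_additions(events: list) -> list:
    """One Finding per certutil.exe process that adds to a trust store."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "certutil.exe":
            continue
        parsed = parse_addstore(ev["cmdline"])
        if parsed is None or parsed[0].lower() not in TRUST_STORES:
            continue
        store, scope, cert_path = parsed
        findings.append(Finding(ev["pid"], store, scope, cert_path,
                                ancestry(ev["pid"], by_pid)))
    return findings


if __name__ == "__main__":
    for f in find_trust_store_additions(EVENTS):
        print(f"PID {f.pid}: {' -> '.join(f.chain)} added {f.cert_path} "
              f"to the {f.scope} {f.store} store")
```

On the constructed events this yields exactly one finding, for PID 2336, with the chain msiexec.exe -> MSI9EF8.tmp -> certutil.exe; the hash check and the import into the user's personal (My) store stay silent. The chain is the useful part: an MSI*.tmp launcher under C:\Windows\Installer running certutil with /RunAsAdmin /HideWindow is an installer custom action, which tells you the root certificate was planted by the package itself rather than by an administrator. A stricter variant would also scan non-certutil command lines for an embedded certutil invocation, so the launcher line itself is caught even when the child event is missing.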
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD510082e05f14d8d54f8a6c8031de624a2
SHA19f2673db73d9e734adc0cad65b171909b4035e34
SHA25628e1470d2abc5bc558cfcb0bebbdaddd6cd0f97f73bdd27122eaad902bd1b7f5
SHA512216f8dbc45f4d598c1e62e200f52b487fd1db9a0ff54a98caaaa49d2176625656bb83f4e60177b3effe00265b89513df9414ad16d0fdd58776d318471ca76889
-
Filesize
3.3MB
MD5642830c52513d475ee8d8a1a6a9d6070
SHA1e041aa66d3f130f3a944ce3f399bcb9b5a6d44f7
SHA2561a94c162122cabdd2540dd9fa20072594894edade4a7a2e2b70b30145cf6ef7d
SHA512f6a10eb2179ef4ec67ae383a56dee611a1ffec3b58a225441b3731a0819a985fd7d7e7e9e107468f68ebc776122373f70c61ca6051fcbde595b08e183c20fb4d
-
Filesize
2.7MB
MD5e07ef4a93adc7b34c1fe8679c1061946
SHA1186f09239c1c9fdaed250fc5f2f362f86ed4f3ba
SHA256ef7312cf24d0e533691cd04057e305b79892fad6914cb43fec187a48541ff332
SHA512a173aa95e005388986a3538f7cfb8c399542094b80336e7c8ac8086b0ef696c47381fc2150b2d985347b087f1ec082999d99216a390bba018b7ae1111c8b66d3
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software\Checkm8.info Software.lnk
Filesize2KB
MD52f4e775a2c5dcaee85315aaf2297289a
SHA111c8fd38f8655efa2ac4d44a8f2554e9b4a32645
SHA25698dbb109125c66650a56e1cff1155bb8c552d2b5ec4b5f1ec46062611c8ed91e
SHA5122ea2e0af6db3967d9ca1c0adff92f2de8fb5ac4f9a7132f614de29f4b2820c2941a95e178962db627041c3742517a08623f621a741bb782fad8cc1ca6f892b73
-
C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi
Filesize 2.8MB
-
C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software1.cab
Filesize 8.6MB
-
\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eb4e9959-f44b-4621-a74f-f00bae37fc94}_OnDiskSnapshotProp
Filesize 6KB