outsteel | cce564eb25a80549d746c180832d0b3d45dcd4419d9454470bfd7517868d0e10

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cce564eb25a80549d746c180832d0b3d45dcd4419d9454470bfd7517868d0e10.msi
Size

1.2MB
MD5

efec7686f695867bd45a4d2ccaf964d5
SHA1

04af410cffd8f4b7ef0270ccae11ce6e01cc4633
SHA256

cce564eb25a80549d746c180832d0b3d45dcd4419d9454470bfd7517868d0e10
SHA512

9a98a05aaaae6d6fd916f6716cf581534dd17d1bbac10ff2b0b96cb138297bdd6aaa9523600d11c3b5fe77c37df1b5b2216ac5206a8c1797c14687e222fd9ab1
SSDEEP

24576:ItWcpVLS2kQom+sOASY1IUwr6vkyFBebNvjV:ypdS2TDhmY66Beb5

Score

10^/10

outsteel zgrat discovery rat spyware stealer

Malware Config

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/1188-75-0x00000000008F0000-0x000000000092A000-memory.dmp	family_zgrat_v2

OutSteel
OutSteel is a file uploader and document stealer written in AutoIT.
stealer outsteel
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1352	ICACLS.EXE
872	ICACLS.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\e:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\l:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\q:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\z:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\r:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\s:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\y:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\g:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\v:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\x:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\k:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\t:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\i:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\p:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\o:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\j:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\m:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\n:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\u:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\w:	BbevNayvqJPVQfqy.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

AutoIT Executable 13 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3028-83-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-87-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-88-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-89-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-100-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-106-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-116-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-120-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-132-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-137-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-148-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-152-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe
behavioral1/memory/3028-170-0x0000000000400000-0x00000000004E2000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1188 set thread context of 3028	1188	BbevNayvqJPVQfqy.exe	41

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f762701.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762701.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4442.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762702.ipi	msiexec.exe
File created	C:\Windows\Installer\f762702.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI4452.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE

Executes dropped EXE 5 IoCs

pid	Process
1188	BbevNayvqJPVQfqy.exe
2200	BbevNayvqJPVQfqy.exe
2060	BbevNayvqJPVQfqy.exe
2056	BbevNayvqJPVQfqy.exe
3028	BbevNayvqJPVQfqy.exe

Loads dropped DLL 11 IoCs

pid	Process
1844	MsiExec.exe
1844	MsiExec.exe
1844	MsiExec.exe
1844	MsiExec.exe
1844	MsiExec.exe
1844	MsiExec.exe
1188	BbevNayvqJPVQfqy.exe
1188	BbevNayvqJPVQfqy.exe
1188	BbevNayvqJPVQfqy.exe
1188	BbevNayvqJPVQfqy.exe
1844	MsiExec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2712	msiexec.exe
2712	msiexec.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2336	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeCreateTokenPrivilege	2336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2336	msiexec.exe
Token: SeLockMemoryPrivilege	2336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2336	msiexec.exe
Token: SeMachineAccountPrivilege	2336	msiexec.exe
Token: SeTcbPrivilege	2336	msiexec.exe
Token: SeSecurityPrivilege	2336	msiexec.exe
Token: SeTakeOwnershipPrivilege	2336	msiexec.exe
Token: SeLoadDriverPrivilege	2336	msiexec.exe
Token: SeSystemProfilePrivilege	2336	msiexec.exe
Token: SeSystemtimePrivilege	2336	msiexec.exe
Token: SeProfSingleProcessPrivilege	2336	msiexec.exe
Token: SeIncBasePriorityPrivilege	2336	msiexec.exe
Token: SeCreatePagefilePrivilege	2336	msiexec.exe
Token: SeCreatePermanentPrivilege	2336	msiexec.exe
Token: SeBackupPrivilege	2336	msiexec.exe
Token: SeRestorePrivilege	2336	msiexec.exe
Token: SeShutdownPrivilege	2336	msiexec.exe
Token: SeDebugPrivilege	2336	msiexec.exe
Token: SeAuditPrivilege	2336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2336	msiexec.exe
Token: SeChangeNotifyPrivilege	2336	msiexec.exe
Token: SeRemoteShutdownPrivilege	2336	msiexec.exe
Token: SeUndockPrivilege	2336	msiexec.exe
Token: SeSyncAgentPrivilege	2336	msiexec.exe
Token: SeEnableDelegationPrivilege	2336	msiexec.exe
Token: SeManageVolumePrivilege	2336	msiexec.exe
Token: SeImpersonatePrivilege	2336	msiexec.exe
Token: SeCreateGlobalPrivilege	2336	msiexec.exe
Token: SeBackupPrivilege	2484	vssvc.exe
Token: SeRestorePrivilege	2484	vssvc.exe
Token: SeAuditPrivilege	2484	vssvc.exe
Token: SeBackupPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeLoadDriverPrivilege	2576	DrvInst.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeDebugPrivilege	1188	BbevNayvqJPVQfqy.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2336	msiexec.exe
2336	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 2712 wrote to memory of 1844	2712	msiexec.exe	32
PID 1844 wrote to memory of 1352	1844	MsiExec.exe	33
PID 1844 wrote to memory of 1352	1844	MsiExec.exe	33
PID 1844 wrote to memory of 1352	1844	MsiExec.exe	33
PID 1844 wrote to memory of 1352	1844	MsiExec.exe	33
PID 1844 wrote to memory of 2096	1844	MsiExec.exe	35
PID 1844 wrote to memory of 2096	1844	MsiExec.exe	35
PID 1844 wrote to memory of 2096	1844	MsiExec.exe	35
PID 1844 wrote to memory of 2096	1844	MsiExec.exe	35
PID 1844 wrote to memory of 1188	1844	MsiExec.exe	37
PID 1844 wrote to memory of 1188	1844	MsiExec.exe	37
PID 1844 wrote to memory of 1188	1844	MsiExec.exe	37
PID 1844 wrote to memory of 1188	1844	MsiExec.exe	37
PID 1188 wrote to memory of 2200	1188	BbevNayvqJPVQfqy.exe	38
PID 1188 wrote to memory of 2200	1188	BbevNayvqJPVQfqy.exe	38
PID 1188 wrote to memory of 2200	1188	BbevNayvqJPVQfqy.exe	38
PID 1188 wrote to memory of 2200	1188	BbevNayvqJPVQfqy.exe	38
PID 1188 wrote to memory of 2060	1188	BbevNayvqJPVQfqy.exe	39
PID 1188 wrote to memory of 2060	1188	BbevNayvqJPVQfqy.exe	39
PID 1188 wrote to memory of 2060	1188	BbevNayvqJPVQfqy.exe	39
PID 1188 wrote to memory of 2060	1188	BbevNayvqJPVQfqy.exe	39
PID 1188 wrote to memory of 2056	1188	BbevNayvqJPVQfqy.exe	40
PID 1188 wrote to memory of 2056	1188	BbevNayvqJPVQfqy.exe	40
PID 1188 wrote to memory of 2056	1188	BbevNayvqJPVQfqy.exe	40
PID 1188 wrote to memory of 2056	1188	BbevNayvqJPVQfqy.exe	40
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1188 wrote to memory of 3028	1188	BbevNayvqJPVQfqy.exe	41
PID 1844 wrote to memory of 872	1844	MsiExec.exe	42
PID 1844 wrote to memory of 872	1844	MsiExec.exe	42
PID 1844 wrote to memory of 872	1844	MsiExec.exe	42
PID 1844 wrote to memory of 872	1844	MsiExec.exe	42
PID 3028 wrote to memory of 1072	3028	BbevNayvqJPVQfqy.exe	44
PID 3028 wrote to memory of 1072	3028	BbevNayvqJPVQfqy.exe	44
PID 3028 wrote to memory of 1072	3028	BbevNayvqJPVQfqy.exe	44
PID 3028 wrote to memory of 1072	3028	BbevNayvqJPVQfqy.exe	44
PID 3028 wrote to memory of 108	3028	BbevNayvqJPVQfqy.exe	46
PID 3028 wrote to memory of 108	3028	BbevNayvqJPVQfqy.exe	46
PID 3028 wrote to memory of 108	3028	BbevNayvqJPVQfqy.exe	46
PID 3028 wrote to memory of 108	3028	BbevNayvqJPVQfqy.exe	46
PID 3028 wrote to memory of 988	3028	BbevNayvqJPVQfqy.exe	48
PID 3028 wrote to memory of 988	3028	BbevNayvqJPVQfqy.exe	48
PID 3028 wrote to memory of 988	3028	BbevNayvqJPVQfqy.exe	48
PID 3028 wrote to memory of 988	3028	BbevNayvqJPVQfqy.exe	48
PID 3028 wrote to memory of 992	3028	BbevNayvqJPVQfqy.exe	50
PID 3028 wrote to memory of 992	3028	BbevNayvqJPVQfqy.exe	50
PID 3028 wrote to memory of 992	3028	BbevNayvqJPVQfqy.exe	50
PID 3028 wrote to memory of 992	3028	BbevNayvqJPVQfqy.exe	50
PID 3028 wrote to memory of 1604	3028	BbevNayvqJPVQfqy.exe	52
PID 3028 wrote to memory of 1604	3028	BbevNayvqJPVQfqy.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cce564eb25a80549d746c180832d0b3d45dcd4419d9454470bfd7517868d0e10.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57D0DF17F366666E2756A1F985FC76C2
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1352
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2096
- - C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      4⤵
      Executes dropped EXE
      PID:2200
  - - C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      4⤵
      Executes dropped EXE
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      4⤵
      Executes dropped EXE
      PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A
        5⤵
        
        PID:1072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A
        5⤵
        
        PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A
        5⤵
        
        PID:988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        5⤵
        
        PID:992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A
        5⤵
        
        PID:772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A
        5⤵
        
        PID:808
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A
        5⤵
        
        PID:2960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A
        5⤵
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A
        5⤵
        
        PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A
        5⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A
        5⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A
        5⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A
        5⤵
        
        PID:2384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A
        5⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A
        5⤵
        
        PID:2920
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files.cab

Filesize
752KB

MD5
2e806bafbbbe71cc9a1d7edae31d0c08

SHA1
e3e63d8e6632bab379564da97806d9838303cfef

SHA256
969646f8e2cee5b0920e467e9031d3b729ddc6e25a3e7e0b596c6629b0c5194f

SHA512
9dc685914a7dd93b7d934108220217ac8785698bc562880500cac3f7d46d7ad328cb166400155250c98927b1fe078dc399d0806b5580d5b6457e8afc6b45e02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\files\BbevNayvqJPVQfqy.exe

Filesize
938KB

MD5
d7510192dd826e6c63266ba412c4a8c6

SHA1
e51431ab4448d503db3d154d1da7bec25eb5aaac

SHA256
ffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28

SHA512
d73107b3f061d95a10f3e2ae025bfccad587866d4ccca8a71b31d51f34119d5127ed313a96ef3fe3421939ae871575d5e7ff7fd28eb9b2ddb3eef7f29c528ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\msiwrapper.ini

Filesize
470B

MD5
79c6e888f6029c67a04080d440303395

SHA1
4b00516eac6c98bd799d0033e575ba190cc26b79

SHA256
78c61146f73b74f4b110359cbc27ee49060a58a1651875d69005b16e9e2344f3

SHA512
2b849d10679ac8daa13e9356376b6260bcd16eeaa4a464c7571d7db7486ca49f6d49a4775f43b9a03e4c9855f022e92a8c8628923d17467cbcd8d047526a2282

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\msiwrapper.ini

Filesize
740B

MD5
30cc8cdbcdcebefae1546227a7d7b1b2

SHA1
2840a338fb9bcc78ace930a6b3ee6535fbba7177

SHA256
02e65dc3ed995cbc4cacb5ad6ac45766cc97ac4f8da6ac7f8d93e664dcfbc517

SHA512
a9126c18d8fe7fa3baec70eceb818297ccd9ecdfd8bada580ed7d42b1b88fed54b68826ed2e7003f055d33262bf85f6b21117208f04a0cec46285708e123b909

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\msiwrapper.ini

Filesize
1KB

MD5
e7e4fe82bd59a642e23db910aa797ea4

SHA1
a487baf3c0af3b07342e435e5381c05549241f73

SHA256
3b2e81ac6cdb09ed1f42d79d9b56fdfead56cdae9f09043f40a98fdd6ee8a0bc

SHA512
98c0aad77f7f18b605d56daa9a57426b2963cb2200e49ceb03c963f0fae249f0d55246be8b8c42a855844b72d369ca2df169fc938e532a14ec8756db9a95d932

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\msiwrapper.ini

Filesize
1KB

MD5
907444359e2773b00eaf97f2614ecceb

SHA1
62d09a6d41228a728dbd0d135e35b42f53200015

SHA256
a88619529f6ae0f2defc59f0394f4b3ee928564a56d1ac6a5fe59d26597845e1

SHA512
64011d2e6fd13c4433dd05c4e5cc848878b687381532f1e5ea78dc170f762911cfb5415d382cb7365e58d0e01c9c9ecf47ece6a229142b2dc4b54493833de866

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-070d953c-8419-4290-8d4f-84949b24111e\msiwrapper.ini

Filesize
1KB

MD5
7951a383923ecfe8ae1214499ec6f5b2

SHA1
5c8da901f4bf6bcf810befdcd666d354f530e7fa

SHA256
15f6a71b659460afc8786af096ec77ec840ebd38c1d8e423f5e60d832a8674bc

SHA512
10a7d44d206b7ef9dce46c95a7bdb74cde4c56bd316893b77bd220885a19cf7c7e91d9d69b336b673f1f0aa4be098585a30846d120078a77528f098642664ba3

Download Submit
C:\Windows\Installer\MSI27AC.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
memory/1188-86-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-73-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-75-0x00000000008F0000-0x000000000092A000-memory.dmp

Filesize
232KB

Download
memory/1188-74-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1188-72-0x00000000002B0000-0x000000000039E000-memory.dmp

Filesize
952KB

Download
memory/3028-100-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-88-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-89-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-87-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-83-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-106-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-116-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-120-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-132-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-137-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-148-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-152-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/3028-170-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download