5f595a8f033c0ae514c89b50152c7f3e9e76c83f049c123b86839bb10291b663

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

107.3MB
MD5

7876ef0bc54742f85d6c2c32a64e7633
SHA1

21c995c9cda9920045d9c0f296ee9388ec1b1e35
SHA256

5f595a8f033c0ae514c89b50152c7f3e9e76c83f049c123b86839bb10291b663
SHA512

783de6ab24da6c314d5dae295e0c06ad1674c53eebcb87b9ea5ab9476e351db74c4adc0baaa34a3605922b535ed0e6a0456f0aa294387525155ffb9319fd2200
SSDEEP

3145728:9LHMgpmAf8ZY60oC5wWWg1fu8Xvhp+f+k:hF0ZYjoQRfuMvj+f+k

Score

10^/10

evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe
3004	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2308	MSI4986.tmp

Loads dropped DLL 7 IoCs

pid	Process
2672	MsiExec.exe
2672	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe
1552	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	Setup.exe
File opened (read-only)	\??\T:	Setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	Setup.exe
File opened (read-only)	\??\Z:	Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	Setup.exe
File opened (read-only)	\??\H:	Setup.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	Setup.exe
File opened (read-only)	\??\S:	Setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	Setup.exe
File opened (read-only)	\??\L:	Setup.exe
File opened (read-only)	\??\U:	Setup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	Setup.exe
File opened (read-only)	\??\Q:	Setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	Setup.exe
File opened (read-only)	\??\X:	Setup.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	Setup.exe
File opened (read-only)	\??\W:	Setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	Setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	Setup.exe
File opened (read-only)	\??\M:	Setup.exe
File opened (read-only)	\??\Y:	Setup.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4986.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f763ec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f763ec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763ec8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI404E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI410A.tmp	msiexec.exe
File created	C:\Windows\Installer\f763ec8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f763eca.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3F81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44A3.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\PackageName = "Setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8FD23AA752F80094B9787359458104E6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8FD23AA752F80094B9787359458104E6\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\PackageCode = "25F95E732E5D01042A210FD4373AE0C1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E50156C5D2B270247A56A5FD1F137E51	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E50156C5D2B270247A56A5FD1F137E51\8FD23AA752F80094B9787359458104E6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\Setup\\Setup 1.0.0\\install\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\Media\1 = "Disk1;Disk1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8FD23AA752F80094B9787359458104E6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\Setup\\Setup 1.0.0\\install\\"	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2940	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	msiexec.exe
2156	msiexec.exe
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp
2308	MSI4986.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2156	msiexec.exe
Token: SeTakeOwnershipPrivilege	2156	msiexec.exe
Token: SeSecurityPrivilege	2156	msiexec.exe
Token: SeCreateTokenPrivilege	1784	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1784	Setup.exe
Token: SeLockMemoryPrivilege	1784	Setup.exe
Token: SeIncreaseQuotaPrivilege	1784	Setup.exe
Token: SeMachineAccountPrivilege	1784	Setup.exe
Token: SeTcbPrivilege	1784	Setup.exe
Token: SeSecurityPrivilege	1784	Setup.exe
Token: SeTakeOwnershipPrivilege	1784	Setup.exe
Token: SeLoadDriverPrivilege	1784	Setup.exe
Token: SeSystemProfilePrivilege	1784	Setup.exe
Token: SeSystemtimePrivilege	1784	Setup.exe
Token: SeProfSingleProcessPrivilege	1784	Setup.exe
Token: SeIncBasePriorityPrivilege	1784	Setup.exe
Token: SeCreatePagefilePrivilege	1784	Setup.exe
Token: SeCreatePermanentPrivilege	1784	Setup.exe
Token: SeBackupPrivilege	1784	Setup.exe
Token: SeRestorePrivilege	1784	Setup.exe
Token: SeShutdownPrivilege	1784	Setup.exe
Token: SeDebugPrivilege	1784	Setup.exe
Token: SeAuditPrivilege	1784	Setup.exe
Token: SeSystemEnvironmentPrivilege	1784	Setup.exe
Token: SeChangeNotifyPrivilege	1784	Setup.exe
Token: SeRemoteShutdownPrivilege	1784	Setup.exe
Token: SeUndockPrivilege	1784	Setup.exe
Token: SeSyncAgentPrivilege	1784	Setup.exe
Token: SeEnableDelegationPrivilege	1784	Setup.exe
Token: SeManageVolumePrivilege	1784	Setup.exe
Token: SeImpersonatePrivilege	1784	Setup.exe
Token: SeCreateGlobalPrivilege	1784	Setup.exe
Token: SeCreateTokenPrivilege	1784	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1784	Setup.exe
Token: SeLockMemoryPrivilege	1784	Setup.exe
Token: SeIncreaseQuotaPrivilege	1784	Setup.exe
Token: SeMachineAccountPrivilege	1784	Setup.exe
Token: SeTcbPrivilege	1784	Setup.exe
Token: SeSecurityPrivilege	1784	Setup.exe
Token: SeTakeOwnershipPrivilege	1784	Setup.exe
Token: SeLoadDriverPrivilege	1784	Setup.exe
Token: SeSystemProfilePrivilege	1784	Setup.exe
Token: SeSystemtimePrivilege	1784	Setup.exe
Token: SeProfSingleProcessPrivilege	1784	Setup.exe
Token: SeIncBasePriorityPrivilege	1784	Setup.exe
Token: SeCreatePagefilePrivilege	1784	Setup.exe
Token: SeCreatePermanentPrivilege	1784	Setup.exe
Token: SeBackupPrivilege	1784	Setup.exe
Token: SeRestorePrivilege	1784	Setup.exe
Token: SeShutdownPrivilege	1784	Setup.exe
Token: SeDebugPrivilege	1784	Setup.exe
Token: SeAuditPrivilege	1784	Setup.exe
Token: SeSystemEnvironmentPrivilege	1784	Setup.exe
Token: SeChangeNotifyPrivilege	1784	Setup.exe
Token: SeRemoteShutdownPrivilege	1784	Setup.exe
Token: SeUndockPrivilege	1784	Setup.exe
Token: SeSyncAgentPrivilege	1784	Setup.exe
Token: SeEnableDelegationPrivilege	1784	Setup.exe
Token: SeManageVolumePrivilege	1784	Setup.exe
Token: SeImpersonatePrivilege	1784	Setup.exe
Token: SeCreateGlobalPrivilege	1784	Setup.exe
Token: SeCreateTokenPrivilege	1784	Setup.exe
Token: SeAssignPrimaryTokenPrivilege	1784	Setup.exe
Token: SeLockMemoryPrivilege	1784	Setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1784	Setup.exe
2840	msiexec.exe
2840	msiexec.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 2156 wrote to memory of 2672	2156	msiexec.exe	29
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 1784 wrote to memory of 2840	1784	Setup.exe	30
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 1552	2156	msiexec.exe	34
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2156 wrote to memory of 2308	2156	msiexec.exe	36
PID 2956 wrote to memory of 2540	2956	WScript.exe	38
PID 2956 wrote to memory of 2540	2956	WScript.exe	38
PID 2956 wrote to memory of 2540	2956	WScript.exe	38
PID 2540 wrote to memory of 2660	2540	cmd.exe	40
PID 2540 wrote to memory of 2660	2540	cmd.exe	40
PID 2540 wrote to memory of 2660	2540	cmd.exe	40
PID 2540 wrote to memory of 3004	2540	cmd.exe	41
PID 2540 wrote to memory of 3004	2540	cmd.exe	41
PID 2540 wrote to memory of 3004	2540	cmd.exe	41
PID 2540 wrote to memory of 2940	2540	cmd.exe	42
PID 2540 wrote to memory of 2940	2540	cmd.exe	42
PID 2540 wrote to memory of 2940	2540	cmd.exe	42

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Setup\Setup 1.0.0\install\Setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1719722571 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9652FC63A79F46F399574ED0A40005D4 C
  2⤵
  - Loads dropped DLL
  PID:2672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3160D924A54D24B7B2A389A8DD2EDB26
  2⤵
  - Loads dropped DLL
  PID:1552
- C:\Windows\Installer\MSI4986.tmp
  "C:\Windows\Installer\MSI4986.tmp" "C:\Users\Admin\AppData\Roaming\Setup\Data\Update.vbs"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2796

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "00000000000005B0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Setup\Data\Update.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c .\NET_Framework_4.8.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:2660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Microsoft', 'C:\Users\Admin\AppData\Roaming\Setup\Data\'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3004
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f763ec9.rbs

Filesize
26KB

MD5
57720abd620db5f1802cb3b329a4f1ce

SHA1
73cd52a7516328499124651a7ed6ccd40a3b2536

SHA256
5b7cbb3883f0482522dcb9c0f309747963f4a6fe81e619eb9e73da1a07b18f61

SHA512
f48623feb3376f9bdf67014dd9550e97a08cf53c6664d61ec27b8ce9c56f13d4620ca9e207ad8dbb31acc602185bebae04637b40e842242c044cf0bceae68d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI20CA.tmp

Filesize
588KB

MD5
a9941233b9415b479d3b4f3732161eab

SHA1
cb2d99af52b3b1c712943b13e45d85c80c732e57

SHA256
ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

SHA512
cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2138.tmp

Filesize
1.1MB

MD5
821a9095657d59c7cd66c28b3fd50ace

SHA1
aef8a82d7d3df689af403bd0ccab7ed04ec77609

SHA256
d5411a4c65860343b846d5503686181d3487cc324fc0562b4e5f3cd1662b80fe

SHA512
a885068d950307f1abcf08df41d3476174f02641105707ef3b81515d84f0f305de84f6ea900421d250011ebfd4f3afc1498cc4f3b14040e536ccb27ff6214c06

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Data\NET_Framework_4.8.bat

Filesize
1KB

MD5
a99053f87114a2ce310288fc606510f8

SHA1
92fccff0ffe082449de6df41f3078603e9a16e38

SHA256
b2b27a2bddab7c1e0595ec13ea485960d550eb5b11522035ccb8eff6f996dc13

SHA512
6fa9cf48efec1037aefc67a55b7222518fd5356c45e37568cdc73c013a2a9f1388b672107fecddccf5cb830975cd5fa2e28a58f0f350d0cb40206406c3976b96

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Data\Update.vbs

Filesize
2KB

MD5
62793da42354f77ce5a1caf0fa173bb2

SHA1
65df3fea039e0dcd4d744fd52ba40d83f93fb923

SHA256
ef951321e2048726cb486f22d30224085af1bd18e8010dca7c0858c53e4b35ee

SHA512
59aa206e6985a620f45160e99cfff10ddbbf20921626231f32ee980a2714b69f679e42142dbdc8d20a59630548dca20e3a37faca6a90be63dccf2d7db7323188

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\LiveTrafficClient.exe

Filesize
608KB

MD5
f604c1944c8bdcda531a5283510c66e5

SHA1
f2afbfc9aa8818e74f0285154aa1060ddb2ae249

SHA256
db567a488d1fa78b3a200eb7a7e563a54a19de7b4ef98f0341c1394a296d66e1

SHA512
89b9faf70c8cce7d6abd819f2c9ec09f5da8083e3608163fc4374295cd2d701c53bfdb009bfe3e07ec49b9420490d527fb0a8639b5333396577e3f5903973381

Download Submit
C:\Users\Admin\AppData\Roaming\Setup\Setup 1.0.0\install\Setup.msi

Filesize
3.3MB

MD5
456b7837d1dd27caeb726929207aa879

SHA1
5ad8c1c6821c363bfc4f2bf650879a9227b13f76

SHA256
64e0fac63d3b93faca97dc7e36405ceef9c6b2b776fa0d30d238fdb7c3835dd8

SHA512
049236441ea7f75d8840a84d861ba380cd2eaf4bf08b05be7bb8a540d7397f27f4c3b977bb6c7e9c2867ef30e3006d0a663978d8868637b7ff8708f014a2e485

Download Submit
C:\Windows\Installer\MSI410A.tmp

Filesize
709KB

MD5
9863ad412fa5529d5a712ef228ac6e2b

SHA1
bda741fd705277c29379b01100a162e922f76583

SHA256
502ccbe31fe0f984a2fa0610ee6385a3e478cd866e19208e229b6ef8fcfb2934

SHA512
8f64b1ac2423eb6ebbd2853a985711c030f54279599382b3cbc3de4ebb90a98a0273172a85d65e5e78cae419e928fb787715ea9f2c8285662c89b25d6b584cb0

Download Submit
C:\Windows\Installer\MSI4986.tmp

Filesize
419KB

MD5
1458a72d86b87e1329cfc549b98d1e4d

SHA1
00d73b4e31b7395ee4bccab5b456d1d91c407ab9

SHA256
e6368dad109c3710e17a2b6c123baff05b424a3653b5c094e7621af37a8c824b

SHA512
4a7a32f1ae336b2377d3ea476481e8fe4bfaaaf12488cf024e7150dd26a4148ded762442f665ea4a69169d458adf8dc717a73ff4c8bcd6f34e3a6fd4536b1e46

Download Submit
memory/1784-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2308-223-0x0000000000120000-0x0000000000122000-memory.dmp

Filesize
8KB

Download
memory/3004-231-0x0000000002DE0000-0x0000000002DE8000-memory.dmp

Filesize
32KB

Download
memory/3004-230-0x000000001BC40000-0x000000001BF22000-memory.dmp

Filesize
2.9MB

Download