Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2024, 14:25
Static task: static1
Behavioral task: behavioral1 (sample GoogleChorme.msi, resource win7-20240704-en; this page shows that run)
Behavioral task: behavioral2 (sample GoogleChorme.msi, resource win10v2004-20240802-en)
General
Target: GoogleChorme.msi (note the misspelling of "Chrome" in the lure filename; the package registers itself as "Chrome Setup")
Size: 31.3MB
MD5: 46c0158715bf937ebbbd3f0f4160df53
SHA1: 4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e
SHA256: 03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0
SHA512: 13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357
SSDEEP: 786432:NOGXRTW9sglw5UbThI9/tCSRwWpe4jbdQ6nF7z:NRaRw5UbdMFKcjbdQCd
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\dick.lnk" | reg.exe
  Note: the value name imitates Google Update (with a typo), the target is a shortcut under C:\programdata rather than an executable (whatever dick.lnk resolves to runs at every logon of this user), and the key was written by reg.exe launched from the 32-bit MSI custom-action server (PID 2792 -> 2148 in the process tree), not by any installed application.
Blocklisted process makes network request (1 IoC)
  flow | pid | Process
  3 | 2792 | MsiExec.exe
  Note: PID 2792 is one of the MsiExec.exe -Embedding custom-action servers, so the package's custom action itself went to the network; the flow's destination is not rendered on this page.
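The Run-key row above is the kind of event a responder wants to score automatically rather than eyeball. The following is an added example, not code from tria.ge or from the sample: it parses rows in the report's own "Set value (str) <key> = "<data>" <process>" form and flags autostart entries on four heuristics (shortcut target, user-writable location, written by reg.exe, vendor-style name pointing outside Program Files). The row from this report is copied verbatim; the two benign rows and the heuristics are constructed for contrast.

```python
"""Triage rules for Run-key persistence, run over sandbox registry events.

Added example; not part of the tria.ge report. The event line format
mirrors the report's 'Set value (str) <key> = "<data>" <process>' rows.
The first SAMPLE_EVENTS row is verbatim from the report; the other two
are constructed benign rows so the rules have something to ignore.
"""
import re
from dataclasses import dataclass, field

EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$', re.IGNORECASE)
# Directories any interactive user can write to: an autostart target here
# survives without admin rights and can be swapped out at will.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# Vendor names commonly borrowed for autostart value names (assumption).
VENDOR_WORDS = ("google", "microsoft", "adobe")


@dataclass
class Finding:
    key: str
    value_name: str
    target: str
    writer: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Split one report row into (type, key path, data, writing process).
    Backslashes in the data column are doubled in the report; undo that."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    kind, key, data, proc = m.groups()
    return kind, key, data.replace("\\\\", "\\"), proc


def assess(event):
    """Return a Finding for a Run/RunOnce value (reasons may be empty), else None."""
    kind, key, data, proc = event
    m = RUN_KEY_RE.search(key)
    if not m:
        return None
    f = Finding(key, m.group(2), data, proc)
    t = data.lower()
    if t.endswith(".lnk"):
        f.reasons.append("autostart target is a shortcut, not an executable")
    if any(d in t for d in USER_WRITABLE):
        f.reasons.append("target lives in a user-writable directory")
    if proc.lower() == "reg.exe":
        f.reasons.append("written by reg.exe rather than by the installed program")
    if any(v in f.value_name.lower() for v in VENDOR_WORDS) and "\\program files" not in t:
        f.reasons.append("vendor-style value name with a target outside Program Files")
    return f


def triage(lines):
    """Findings with at least one reason, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        f = assess(ev)
        if f and f.reasons:
            findings.append(f)
    return findings


SAMPLE_EVENTS = [
    # Verbatim from this report.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\dick.lnk" reg.exe',
    # Constructed: a normal installer registering its own binary.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent = "C:\\Program Files\\Example\\agent.exe" msiexec.exe',
    # Constructed: a Windows Installer product value that is not an autostart key.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75982FC9AA6ED1845AE851D668F8D56F\Assignment = "1" msiexec.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.writer} -> {f.value_name} = {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Run against the three rows, only the report's row is returned, with all four reasons; the constructed installer row is a Run key with no reason and the product value is not a Run key at all. Feed it the "Set value" rows of any report in this format to get the same split.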
Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only)
  msiexec.exe (44 opens; every letter below except H and N opened twice): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  tracerpt.exe (20 opens, each letter once): \??\B: \??\E: \??\G: \??\H: \??\J: \??\K: \??\L: \??\M: \??\N: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  Note: for msiexec.exe this is Windows Installer's routine volume enumeration. The same sweep from tracerpt.exe (an ETW trace-report tool with no reason to walk drive letters) is the payload running inside the hollowed process, see SetThreadContext below.
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1092 set thread context of 1008 | 1092 | Agghosts.exe | 39
  Note: paired with the five WriteProcessMemory events from 1092 into 1008 (below), this is the process-hollowing shape: the dropped Agghosts.exe starts the legitimate C:\Windows\SysWOW64\tracerpt.exe, writes into it and redirects a thread. Treat everything attributed to tracerpt.exe (PID 1008) after this point as the payload's behaviour, not the Windows tool's.
Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Chrome Setup\Chrome Setup\新建文件夹.zip ("New folder.zip") | msiexec.exe
  File created | C:\Program Files (x86)\Chrome Setup\Chrome Setup\Ensup.log | msiexec.exe
  File created | C:\Program Files (x86)\Chrome Setup\Chrome Setup\MFCLibrary1.dll | msiexec.exe
  File created | C:\Program Files (x86)\Chrome Setup\Chrome Setup\新建文件夹 - 副本.zip ("New folder - Copy.zip") | msiexec.exe
  Note: nothing resembling a Chrome binary is among the Program Files drops; the archive names are the Chinese-locale Explorer defaults for a new folder and its copy, and MFCLibrary1.dll is the only DLL the package places here.
Drops file in Windows directory (11 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\f77626b.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI62F7.tmp | msiexec.exe
  File created | C:\Windows\Installer\f77626c.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\f77626e.msi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File created | C:\Windows\Installer\f77626b.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI647E.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f77626c.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
  Note: the C:\Windows\Installer entries are Windows Installer caching the package and its transaction files; the setupapi.* writes are DrvInst.exe logging the volume-snapshot device install (see the Volume Shadow Copy signature below).
Executes dropped EXE (1 IoC)
  pid | Process
  1092 | Agghosts.exe
Loads dropped DLL (9 IoCs)
  pid | Process | loads
  2692 | MsiExec.exe | 4
  2792 | MsiExec.exe | 3
  1092 | Agghosts.exe | 2
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2368 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe (x2), Agghosts.exe, reg.exe, tracerpt.exe
  Note: for MsiExec.exe and reg.exe this is an ordinary locale lookup. The same read from Agghosts.exe and from the hollowed tracerpt.exe is worth correlating with the package's ProductLanguage of 4100 (0x1004, Chinese - Singapore) and the Chinese default folder names dropped under Program Files.
Modifies data under HKEY_USERS (46 IoCs)
  Key created by DrvInst.exe (42 keys), all under \REGISTRY\USER\.DEFAULT\:
    Software\Microsoft\SystemCertificates\{CA, Disallowed, Root, SmartCardRoot, TrustedPeople, trust} and, for each, its Certificates, CRLs and CTLs subkeys
    Software\Microsoft\SystemCertificates\My (store key only, no subkeys)
    Software\Policies\Microsoft\SystemCertificates\{CA, Disallowed, TrustedPeople, trust} and, for each, its Certificates, CRLs and CTLs subkeys
    Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (data) by DrvInst.exe (1):
    \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE REG_MULTI_SZ: "en-US", "en")
  msiexec.exe (3):
    Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
    Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
  Note: only keys are created; no certificate, CRL or CTL value is written. This is consistent with CryptoAPI initialising the empty certificate stores of the .DEFAULT profile when DrvInst.exe (running as SYSTEM) verifies the snapshot device driver; nothing in this block belongs to the payload.
Modifies registry class (23 IoCs)
  All by msiexec.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ (Products keys are named by the ProductCode GUID in Windows Installer's packed form):
  Key created | Features\75982FC9AA6ED1845AE851D668F8D56F
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\Version = "16777216"
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\Assignment = "1"
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\InstanceType = "0"
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\AuthorizedLUAApp = "0"
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\PackageName = "GoogleChorme.msi"
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\PackageCode = "A4796DC423A423C4DB93C6B5B56D5CE5"
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\DeploymentFlags = "3"
  Key created | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\Media
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\Media\1 = ";"
  Set value (data) | Products\75982FC9AA6ED1845AE851D668F8D56F\Clients = 3a0000000000
  Set value (str) | Features\75982FC9AA6ED1845AE851D668F8D56F\MainFeature
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\ProductName = "Chrome Setup"
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\AdvertiseFlags = "388"
  Key created | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\Media\DiskPrompt = "[1]"
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key created | Products\75982FC9AA6ED1845AE851D668F8D56F
  Set value (int) | Products\75982FC9AA6ED1845AE851D668F8D56F\Language = "4100"
  Key created | UpgradeCodes\35364E2F472F3BB4EB2B21965E12F7B5
  Set value (str) | UpgradeCodes\35364E2F472F3BB4EB2B21965E12F7B5\75982FC9AA6ED1845AE851D668F8D56F
  Key created | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\Net
  Set value (str) | Products\75982FC9AA6ED1845AE851D668F8D56F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Note: this is the normal product registration Windows Installer performs for any package. The useful pivots are ProductName "Chrome Setup", PackageCode A4796DC423A423C4DB93C6B5B56D5CE5, the packed ProductCode/UpgradeCode above, and Language 4100 (LCID 0x1004, Chinese - Singapore), which does not match a genuine Google Chrome installer.
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  pid | Process | events
  2076 | msiexec.exe | 2
  2792 | MsiExec.exe | 4
  1008 | tracerpt.exe | 49
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid | Process | privileges requested
  2076 | msiexec.exe | SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  2368 | msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then twice the same 29-name set: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; then a third SeCreateTokenPrivilege (the signature is capped at 64 entries)
  Note: the privilege list comes from the msiexec client (PID 2368) and the service instance (PID 2076), which is what Windows Installer does on every install; nothing in it is specific to this package. The 49 process enumerations from the hollowed tracerpt.exe are the part of these two blocks that belongs to the payload.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2368 | msiexec.exe (x2)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2792 | MsiExec.exe
  1008 | tracerpt.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target | events
  PID 2076 wrote to memory of 2692 | 2076 | msiexec.exe | 31 | 7
  PID 2076 wrote to memory of 2792 | 2076 | msiexec.exe | 35 | 7
  PID 2792 wrote to memory of 2148 | 2792 | MsiExec.exe | 37 | 4
  PID 1092 wrote to memory of 1008 | 1092 | Agghosts.exe | 39 | 5
  PID 1008 wrote to memory of 1764 | 1008 | tracerpt.exe | 41 | 6
  Note: the writes along msiexec -> MsiExec -> reg.exe are each a parent writing into a child it has just created. The 1092 -> 1008 writes pair with the SetThreadContext event above (hollowing of tracerpt.exe), and 1008 -> 1764 is the hollowed tracerpt.exe writing into a SysWOW64\svchost.exe it started itself; a svchost.exe whose parent is not services.exe is a second injection host, not a service.
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
  Note: here this is vssvc.exe (PID 2708) together with DrvInst.exe (PID 1824, installing STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19), consistent with Windows Installer creating a restore point at the start of the install. The DrvInst.exe writes under HKEY_USERS and C:\Windows\INF above are side effects of that, not of the payload.
Processes
- C:\Windows\system32\msiexec.exe (PID 2368)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GoogleChorme.msi
    signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2076)
    cmdline: C:\Windows\system32\msiexec.exe /V
    signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2692)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding ADA5B6B243C1DB285C22CEA456ECC04E C
      signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 2792)
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 71814C5FD049F3AA1BE9A715BADC81BB
      signatures: Blocklisted process makes network request; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2148)
        cmdline: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f
        signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2708)
    cmdline: C:\Windows\system32\vssvc.exe
- C:\Windows\system32\DrvInst.exe (PID 1824)
    cmdline: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D4" "00000000000003C8"
    signatures: Drops file in Windows directory; Modifies data under HKEY_USERS
- C:\ptueis\Agghosts.exe (PID 1092)
    cmdline: "C:\ptueis\Agghosts.exe" 67
    signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\tracerpt.exe (PID 1008)
      cmdline: "C:\Windows\SysWOW64\tracerpt.exe"
      signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (PID 1764)
        cmdline: C:\Windows\SysWOW64\svchost.exe

Reading the tree:
- PID 2368 is the msiexec client started with /I for the package; PID 2076 (msiexec /V) is the Windows Installer service instance that performs the install; the two syswow64 MsiExec.exe -Embedding <GUID> processes are the 32-bit custom-action servers it spawns to run the package's custom actions.
- reg.exe (PID 2148) is a child of custom-action server 2792, so the persistence key is written by the package's own custom action. The command line names System32\reg.exe, but the 32-bit parent is redirected to SysWOW64\reg.exe by WoW64 file system redirection.
- Agghosts.exe in C:\ptueis appears at the root of the tree; the report does not attribute the process that started it. It hollows tracerpt.exe (SetThreadContext plus WriteProcessMemory), and the hollowed tracerpt.exe in turn starts and writes into a SysWOW64\svchost.exe whose legitimate parent would be services.exe.
- vssvc.exe and DrvInst.exe (HarddiskVolumeSnapshot19) are the restore-point machinery Windows Installer brings up; see "Uses Volume Shadow Copy service COM API".
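The flattened process list and the WriteProcessMemory / SetThreadContext rows are more useful once they are joined back into a tree. The following is an added example, not tria.ge's code: it rebuilds the tree from the data on this page and applies three checks a responder would run on any sandbox report in this shape, the hollowing pair (a parent that both writes into a child and sets its thread context, where the child is a Windows binary and the parent is not), commands run by MSI custom-action servers, and system binaries with the wrong parent. PROCESSES, WRITES and CONTEXT_SETS are transcribed from this report; the parent of Agghosts.exe is None because the report does not attribute it; the expectation that svchost.exe descends from services.exe is the example's own assumption.

```python
"""Rebuild the process tree from the report's process list and its
WriteProcessMemory / SetThreadContext rows, then apply three checks.

Added example; not part of the tria.ge report. PROCESSES, WRITES and
CONTEXT_SETS are transcribed from the report. The heuristics are this
example's own; the services.exe expectation is an assumption.
"""
import ntpath

# pid -> (image path, parent pid, command line). Parent None means the
# report shows the process at the root of the tree without attribution.
PROCESSES = {
    2368: (r"C:\Windows\system32\msiexec.exe", None,
           r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GoogleChorme.msi"),
    2076: (r"C:\Windows\system32\msiexec.exe", None,
           r"C:\Windows\system32\msiexec.exe /V"),
    2692: (r"C:\Windows\syswow64\MsiExec.exe", 2076,
           r"C:\Windows\syswow64\MsiExec.exe -Embedding ADA5B6B243C1DB285C22CEA456ECC04E C"),
    2792: (r"C:\Windows\syswow64\MsiExec.exe", 2076,
           r"C:\Windows\syswow64\MsiExec.exe -Embedding 71814C5FD049F3AA1BE9A715BADC81BB"),
    2148: (r"C:\Windows\SysWOW64\reg.exe", 2792,
           r'"C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
           r'/v GoogleUpdata_Service /d "C:\programdata\Mylnk\dick.lnk" /f'),
    2708: (r"C:\Windows\system32\vssvc.exe", None, r"C:\Windows\system32\vssvc.exe"),
    1824: (r"C:\Windows\system32\DrvInst.exe", None,
           r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" '
           r'"61530dda3" "0000000000000000" "00000000000005D4" "00000000000003C8"'),
    1092: (r"C:\ptueis\Agghosts.exe", None, r'"C:\ptueis\Agghosts.exe" 67'),
    1008: (r"C:\Windows\SysWOW64\tracerpt.exe", 1092, r'"C:\Windows\SysWOW64\tracerpt.exe"'),
    1764: (r"C:\Windows\SysWOW64\svchost.exe", 1008, r"C:\Windows\SysWOW64\svchost.exe"),
}
# (writer pid, target pid) -> number of WriteProcessMemory rows in the report.
WRITES = {(2076, 2692): 7, (2076, 2792): 7, (2792, 2148): 4, (1092, 1008): 5, (1008, 1764): 6}
# (setter pid, target pid) -> number of SetThreadContext rows in the report.
CONTEXT_SETS = {(1092, 1008): 1}

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def image_name(pid):
    return ntpath.basename(PROCESSES[pid][0]).lower()


def is_windows_binary(pid):
    return PROCESSES[pid][0].lower().startswith(WINDOWS_DIRS)


def children(pid):
    return [c for c, (_, parent, _) in PROCESSES.items() if parent == pid]


def lineage(pid):
    """Root-to-leaf chain of image names, e.g. 'Agghosts.exe > tracerpt.exe > svchost.exe'."""
    names = []
    while pid is not None:
        names.append(ntpath.basename(PROCESSES[pid][0]))
        pid = PROCESSES[pid][1]
    return " > ".join(reversed(names))


def hollowing_candidates():
    """(parent, child) pairs where the parent wrote into the child AND replaced a
    thread context, the child is a Windows binary and the parent is not: the
    process-hollowing / thread-hijack shape."""
    return [pair for pair in CONTEXT_SETS
            if pair in WRITES and is_windows_binary(pair[1]) and not is_windows_binary(pair[0])]


def custom_action_children():
    """Non-MsiExec children of an 'MsiExec.exe -Embedding' custom-action server:
    the commands the package's custom actions actually ran."""
    out = []
    for pid, (path, _, cmd) in PROCESSES.items():
        if "-Embedding" in cmd and ntpath.basename(path).lower() == "msiexec.exe":
            out += [c for c in children(pid) if image_name(c) != "msiexec.exe"]
    return out


def misparented_system_processes():
    """svchost.exe instances whose parent is not services.exe (assumption: that
    is the only legitimate parent), i.e. a service host started by malware."""
    return [pid for pid, (_, parent, _) in PROCESSES.items()
            if image_name(pid) == "svchost.exe" and parent is not None
            and image_name(parent) != "services.exe"]


if __name__ == "__main__":
    for src, dst in hollowing_candidates():
        print(f"hollowing: {lineage(src)} -> {lineage(dst)} (writes={WRITES[(src, dst)]})")
    for pid in custom_action_children():
        print(f"custom action ran: {lineage(pid)}: {PROCESSES[pid][2]}")
    for pid in misparented_system_processes():
        print(f"misparented system process: {lineage(pid)}")
```

On this report the three checks return exactly the chain described in the notes above: Agghosts.exe -> tracerpt.exe as the hollowing pair, reg.exe as the single command a custom-action server ran, and the svchost.exe under tracerpt.exe as the misparented service host. The same functions apply unchanged to any report whose process list and memory-write rows are transcribed into the two tables.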
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Installer Packages (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Installer Packages (1)
Downloads
(Entries are listed by size and hash only; this page gives no file names, so they cannot be mapped to the dropped files above without the artifacts themselves.)
- Filesize 8KB
  MD5 7eeeb7ceaeae4baf4c9c01f4be9f83de
  SHA1 1b7444aa7e83087e8c78d94e91fdb2cfddb4b261
  SHA256 769f6d5811c6f80619144deb90e82310f0ecf19ff21694ee831418af6da3d474
  SHA512 598fdbeea6e571918fee042ee6f415fbda36bd4cad85fc9fd7483cb426d98a72ea468732fe45c2154bc95f7e22ce4ab7a325db5bf7dc2c535492d86895fe63c7
- Filesize 5.2MB
  MD5 1d7cc3187499f8dadc7905cc0d136db6
  SHA1 f929e95efd9a5deb9ab1c2774ef53697db78fc0f
  SHA256 6db9f0016f4908dfe4ee908b8e6e46ccac74bb725b43191ee85b4a3d2c41daed
  SHA512 745771ee686e79dd9452d790a0d279df85e345b3bacc6d362e30f26ee6f7496e63de05b9dfdf8280865e869b5462019e3ac2a8d9d9a33dd8c4cc7802023ae6c8
- Filesize 1.8MB
  MD5 3c3876000b72164b046c783937ebbf60
  SHA1 1ab7a188590ccd11abc0ba7b55f1c495ca0e6607
  SHA256 4294b39d25fc61b0163ea3bcb56de6b4f5fe423d50186686661e364cdec4fb9a
  SHA512 696181bce27076e4e442f36a129dc35b1fd095a49c2576914fab48f572c735d08724f124f7647360030b54e6d3809c89e8c275d31c89ff5edc4d2a7c9242d6e5
- Filesize 550KB
  MD5 bda991d64e27606ac1d3abb659a0b33b
  SHA1 a87ee1430f86effa5488ae654704c40aca3424c6
  SHA256 ffea8222126b77f8da93e27edbadeb8b97fb023ef0d6a51522c35688f66283ca
  SHA512 94fe1eadd4b4325fc1a8c769180c6ecf92e2dbf9f8262d6746fada603929977f3d40100ba84cffb4074c6900a2b2d307355e6a5116e6f16d9d3173fa17ad461f
- Filesize 31.3MB (the submitted GoogleChorme.msi itself; hashes match the General section)
  MD5 46c0158715bf937ebbbd3f0f4160df53
  SHA1 4025bb5c7dab4c20f43e27ef59fb7b0d59f20b5e
  SHA256 03f9c6613c68094f94d2099b0f5b61afb7e308d70a19b3bc26a2c4d9a65a33f0
  SHA512 13a7e0d01d3a79fdd309a447ad130fe3597737dc001ed816f6541f60079b4ee6f36b4d7842fa8672eca94b693925baab6ddb8f84839ad5bf7f0eea3e72f18357
- Filesize 1KB
  MD5 4714b8fd760072cb8ba2c795bcd54b99
  SHA1 385a49127225a0e826b8e5ca1a9fc11565911c6e
  SHA256 6b1433f1569e524a37b029b2e77c824c988c645a18074e865c5b6881ece6fdca
  SHA512 9e6bac25de1cb751ac17fd7f1a9f074ded0427c7d23a945f655b2f0a7f8be81b296662b57f4a90bcce7b86a53c7c48ace9213d16f5ccc16c5fb92518ea4dae20
- Filesize 218KB
  MD5 0ea5c7021018a45083ea4eb31f0fc34d
  SHA1 d636419a870e4774feb272b73e5c9d57dae9485e
  SHA256 b80d53a3d3ae6db48a7b1835aedb52e85291f35d55b61aa363994217b890dc8a
  SHA512 a26e6461361b84da71396bdf8227c0d70f84589b92dd33c6549e1e035c4f5cfa778b4ca22b9ebfc380bd593a43260b53cb4b8f6ccb66381bdc64deb7755f9d79
- Filesize 77KB
  MD5 f107a3c7371c4543bd3908ba729dd2db
  SHA1 af8e7e8f446de74db2f31d532e46eab8bbf41e0a
  SHA256 00df0901c101254525a219d93ff1830da3a20d3f14bc323354d8d5fee5854ec0
  SHA512 fd776f8ceaac498f4f44819794c0fa89224712a8c476819ffc76ba4c7ff4caa9b360b9d299d9df7965387e5bbcb330f316f53759b5146a73b27a5f2e964c3530
- Filesize 111KB
  MD5 a9b40e0b76aa5a292cb6052c6c2fd81d
  SHA1 e15bba9e662ef45350720218617d563620c76823
  SHA256 f5017d72f3b829a55971f877ebaa257f5e9791ae253ae23111cc45628477c36c
  SHA512 ad49410a233614128a103ae55155665f563b67daa7411c42bf314a6a6d1c2cb61e4428d9049d0d3209d44a1b5eef1cab00541b6bb41dcf575ff9e7e406a2f23f