Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 31-08-2024 14:13
Static task: static1
Behavioral task: behavioral1
- Sample: Driver_x32.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: Driver_x32.exe
- Resource: win10v2004-20240802-en
Behavioral task: behavioral3
- Sample: Installer-master-BlackMythWukong.msi
- Resource: win7-20240704-en
Behavioral task: behavioral4
- Sample: Installer-master-BlackMythWukong.msi
- Resource: win10v2004-20240802-en
General
- Target: Installer-master-BlackMythWukong.msi
- Size: 43.8MB
- MD5: 4cbea3318f7107adb73e10fd8de96abf
- SHA1: c6db50f856e92e5b0fa2f4b3855cbd58aa408fc1
- SHA256: 395c44cce9624a5750c97c313b5ede45ea36dd623bc71f7d1bf2e4964492dcd4
- SHA512: 724291101a4859c8e700ff762e48f6e2ded60fed23bfd64be7c438552c885b22d35b693ec03c2d234afe60d9defdc39ada77fedd9d3c881710935aa4e4f9b931
- SSDEEP: 786432:H8JJ5v6bZ0no3r27KIvSOcaVWfoyI4aEK0Gpqq++mFIjqEKrdLi9VMkryQs:HC5i10noy7KS/RVLCqpP++mF+gLBf
Malware Config
Signatures
Modifies file permissions (1 TTPs, 2 IoCs)
Processes:
- PID 1612 ICACLS.EXE
- PID 2588 ICACLS.EXE
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) \??\E: (msiexec.exe)
- File opened (read-only) \??\G: (msiexec.exe)
- File opened (read-only) \??\H: (msiexec.exe)
- File opened (read-only) \??\W: (msiexec.exe)
- File opened (read-only) \??\G: (msiexec.exe)
- File opened (read-only) \??\Q: (msiexec.exe)
- File opened (read-only) \??\R: (msiexec.exe)
- File opened (read-only) \??\N: (msiexec.exe)
- File opened (read-only) \??\R: (msiexec.exe)
- File opened (read-only) \??\S: (msiexec.exe)
- File opened (read-only) \??\V: (msiexec.exe)
- File opened (read-only) \??\J: (msiexec.exe)
- File opened (read-only) \??\U: (msiexec.exe)
- File opened (read-only) \??\W: (msiexec.exe)
- File opened (read-only) \??\A: (msiexec.exe)
- File opened (read-only) \??\K: (msiexec.exe)
- File opened (read-only) \??\L: (msiexec.exe)
- File opened (read-only) \??\T: (msiexec.exe)
- File opened (read-only) \??\V: (msiexec.exe)
- File opened (read-only) \??\M: (msiexec.exe)
- File opened (read-only) \??\Q: (msiexec.exe)
- File opened (read-only) \??\T: (msiexec.exe)
- File opened (read-only) \??\Z: (msiexec.exe)
- File opened (read-only) \??\O: (msiexec.exe)
- File opened (read-only) \??\P: (msiexec.exe)
- File opened (read-only) \??\P: (msiexec.exe)
- File opened (read-only) \??\H: (msiexec.exe)
- File opened (read-only) \??\M: (msiexec.exe)
- File opened (read-only) \??\S: (msiexec.exe)
- File opened (read-only) \??\B: (msiexec.exe)
- File opened (read-only) \??\I: (msiexec.exe)
- File opened (read-only) \??\B: (msiexec.exe)
- File opened (read-only) \??\E: (msiexec.exe)
- File opened (read-only) \??\I: (msiexec.exe)
- File opened (read-only) \??\N: (msiexec.exe)
- File opened (read-only) \??\A: (msiexec.exe)
- File opened (read-only) \??\K: (msiexec.exe)
- File opened (read-only) \??\L: (msiexec.exe)
- File opened (read-only) \??\O: (msiexec.exe)
- File opened (read-only) \??\U: (msiexec.exe)
- File opened (read-only) \??\X: (msiexec.exe)
- File opened (read-only) \??\Y: (msiexec.exe)
- File opened (read-only) \??\X: (msiexec.exe)
- File opened (read-only) \??\Z: (msiexec.exe)
- File opened (read-only) \??\J: (msiexec.exe)
- File opened (read-only) \??\Y: (msiexec.exe)
Drops file in Windows directory (17 IoCs)
Processes:
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIEB0A.tmp (msiexec.exe)
- File created C:\Windows\Installer\f76e9e5.msi (msiexec.exe)
- File created C:\Windows\Installer\{D2331EC5-01E6-4564-8DF3-B5D283A6767A}\ProductIcon (msiexec.exe)
- File opened for modification C:\Windows\Installer\f76e9e3.ipi (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File created C:\Windows\Installer\f76e9e2.msi (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification C:\Windows\Installer\f76e9e2.msi (msiexec.exe)
- File created C:\Windows\Installer\f76e9e3.ipi (msiexec.exe)
- File opened for modification C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
- File opened for modification C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
- File opened for modification C:\Windows\Installer\MSI5BD7.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI5BD8.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\{D2331EC5-01E6-4564-8DF3-B5D283A6767A}\ProductIcon (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI5C96.tmp (msiexec.exe)
Executes dropped EXE (1 IoCs)
Processes:
- PID 2936 visapro.exe
Loads dropped DLL (7 IoCs)
Processes:
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
- PID 1908 MsiExec.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ICACLS.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EXPAND.EXE)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (visapro.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ICACLS.EXE)
Modifies data under HKEY_USERS (46 IoCs)
Processes:
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E (msiexec.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
Modifies registry class (23 IoCs)
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7 (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\Language = "1033" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46220738AE59D5E4AB54B1D1B1FB8DDD (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\Media (msiexec.exe)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\Clients = 3a0000000000 (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\PackageCode = "9A2E48350F64A1B45933A053B36967DF" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\ProductIcon = "C:\\Windows\\Installer\\{D2331EC5-01E6-4564-8DF3-B5D283A6767A}\\ProductIcon" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\InstanceType = "0" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\46220738AE59D5E4AB54B1D1B1FB8DDD\5CE1332D6E104654D83F5B2D386A67A7 (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\Media\1 = ";" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\Net (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5CE1332D6E104654D83F5B2D386A67A7 (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\Assignment = "1" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\AdvertiseFlags = "388" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\AuthorizedLUAApp = "0" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\DeploymentFlags = "3" (msiexec.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\PackageName = "Installer-master-BlackMythWukong.msi" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5CE1332D6E104654D83F5B2D386A67A7\ProductFeature (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\ProductName = "Intel High-Definition (HD) Graphics Driver - Kaby Lake/Sky Lake/Gemini Lake - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com" (msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\Version = "131111" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5CE1332D6E104654D83F5B2D386A67A7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 2488 msiexec.exe
- PID 2488 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- Token: SeShutdownPrivilege (PID 1252 msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 1252 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeSecurityPrivilege (PID 2488 msiexec.exe)
- Token: SeCreateTokenPrivilege (PID 1252 msiexec.exe)
- Token: SeAssignPrimaryTokenPrivilege (PID 1252 msiexec.exe)
- Token: SeLockMemoryPrivilege (PID 1252 msiexec.exe)
- Token: SeIncreaseQuotaPrivilege (PID 1252 msiexec.exe)
- Token: SeMachineAccountPrivilege (PID 1252 msiexec.exe)
- Token: SeTcbPrivilege (PID 1252 msiexec.exe)
- Token: SeSecurityPrivilege (PID 1252 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 1252 msiexec.exe)
- Token: SeLoadDriverPrivilege (PID 1252 msiexec.exe)
- Token: SeSystemProfilePrivilege (PID 1252 msiexec.exe)
- Token: SeSystemtimePrivilege (PID 1252 msiexec.exe)
- Token: SeProfSingleProcessPrivilege (PID 1252 msiexec.exe)
- Token: SeIncBasePriorityPrivilege (PID 1252 msiexec.exe)
- Token: SeCreatePagefilePrivilege (PID 1252 msiexec.exe)
- Token: SeCreatePermanentPrivilege (PID 1252 msiexec.exe)
- Token: SeBackupPrivilege (PID 1252 msiexec.exe)
- Token: SeRestorePrivilege (PID 1252 msiexec.exe)
- Token: SeShutdownPrivilege (PID 1252 msiexec.exe)
- Token: SeDebugPrivilege (PID 1252 msiexec.exe)
- Token: SeAuditPrivilege (PID 1252 msiexec.exe)
- Token: SeSystemEnvironmentPrivilege (PID 1252 msiexec.exe)
- Token: SeChangeNotifyPrivilege (PID 1252 msiexec.exe)
- Token: SeRemoteShutdownPrivilege (PID 1252 msiexec.exe)
- Token: SeUndockPrivilege (PID 1252 msiexec.exe)
- Token: SeSyncAgentPrivilege (PID 1252 msiexec.exe)
- Token: SeEnableDelegationPrivilege (PID 1252 msiexec.exe)
- Token: SeManageVolumePrivilege (PID 1252 msiexec.exe)
- Token: SeImpersonatePrivilege (PID 1252 msiexec.exe)
- Token: SeCreateGlobalPrivilege (PID 1252 msiexec.exe)
- Token: SeBackupPrivilege (PID 2080 vssvc.exe)
- Token: SeRestorePrivilege (PID 2080 vssvc.exe)
- Token: SeAuditPrivilege (PID 2080 vssvc.exe)
- Token: SeBackupPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2908 DrvInst.exe)
- Token: SeLoadDriverPrivilege (PID 2908 DrvInst.exe)
- Token: SeLoadDriverPrivilege (PID 2908 DrvInst.exe)
- Token: SeLoadDriverPrivilege (PID 2908 DrvInst.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
- Token: SeTakeOwnershipPrivilege (PID 2488 msiexec.exe)
- Token: SeRestorePrivilege (PID 2488 msiexec.exe)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1252 msiexec.exe
- PID 1252 msiexec.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 2488 wrote to memory of 1908 (msiexec.exe, procid_target 35)
- PID 1908 wrote to memory of 1612 (MsiExec.exe, procid_target 36)
- PID 1908 wrote to memory of 1612 (MsiExec.exe, procid_target 36)
- PID 1908 wrote to memory of 1612 (MsiExec.exe, procid_target 36)
- PID 1908 wrote to memory of 1612 (MsiExec.exe, procid_target 36)
- PID 1908 wrote to memory of 1064 (MsiExec.exe, procid_target 38)
- PID 1908 wrote to memory of 1064 (MsiExec.exe, procid_target 38)
- PID 1908 wrote to memory of 1064 (MsiExec.exe, procid_target 38)
- PID 1908 wrote to memory of 1064 (MsiExec.exe, procid_target 38)
- PID 1908 wrote to memory of 2936 (MsiExec.exe, procid_target 40)
- PID 1908 wrote to memory of 2936 (MsiExec.exe, procid_target 40)
- PID 1908 wrote to memory of 2936 (MsiExec.exe, procid_target 40)
- PID 1908 wrote to memory of 2936 (MsiExec.exe, procid_target 40)
- PID 1908 wrote to memory of 2588 (MsiExec.exe, procid_target 41)
- PID 1908 wrote to memory of 2588 (MsiExec.exe, procid_target 41)
- PID 1908 wrote to memory of 2588 (MsiExec.exe, procid_target 41)
- PID 1908 wrote to memory of 2588 (MsiExec.exe, procid_target 41)
- PID 1908 wrote to memory of 2556 (MsiExec.exe, procid_target 43)
- PID 1908 wrote to memory of 2556 (MsiExec.exe, procid_target 43)
- PID 1908 wrote to memory of 2556 (MsiExec.exe, procid_target 43)
- PID 1908 wrote to memory of 2556 (MsiExec.exe, procid_target 43)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; nested entries are child processes of the entry above them)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Installer-master-BlackMythWukong.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1252
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2488
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C129A81CA73205D054895F5E034DB18C
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1908
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a66ce737-a906-4f30-ad2e-33b989347a54\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures:
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID: 1612
    - C:\Windows\SysWOW64\EXPAND.EXE
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures:
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      PID: 1064
    - C:\Users\Admin\AppData\Local\Temp\MW-a66ce737-a906-4f30-ad2e-33b989347a54\files\visapro.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-a66ce737-a906-4f30-ad2e-33b989347a54\files\visapro.exe"
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2936
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a66ce737-a906-4f30-ad2e-33b989347a54\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      Signatures:
      - Modifies file permissions
      - System Location Discovery: System Language Discovery
      PID: 2588
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-a66ce737-a906-4f30-ad2e-33b989347a54\files"
      Signatures:
      - System Location Discovery: System Language Discovery
      PID: 2556
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  PID: 2080
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000588" "00000000000003BC"
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2908
Network
MITRE ATT&CK Enterprise v15
Downloads