fa027c15cf301bc64327eff17dc8290e09c8b6ce3cf6f07a604bf9c328334ceb

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReadOnlyInstaller.msi
Size

4.1MB
MD5

d22df2c75a529bfb101aa8434f855358
SHA1

02e59f189a863d8fc8fea73fb52b7d9542f214c5
SHA256

2407a69d5dc0409a465a0378f5345a7a13bd5aa7e5f4561a0fb9987a9fe7a21a
SHA512

87d1b41f1aebee51d1a48f335ecb341c62886258f53c1ca133f2fdb116074767ccedb9dcb21f912649253fa1657d687329c578c60864388d57d70bf58332c0be
SSDEEP

49152:rMfVBwVPCsC6uh2ZVZ/c/yEn6z/LX+RbS2MNFoo:reVzsC6uh2ZX/czn4LuRZMNFo

Score

6^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\NoExplorer = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ = "WeCareReminder"	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA48B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA889.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA2C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA47A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA625.tmp	msiexec.exe
File created	C:\Windows\Installer\f76a25a.msi	msiexec.exe
File created	C:\Windows\Installer\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA76F.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76a257.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\f76a258.ipi	msiexec.exe
File created	C:\Windows\Installer\f76a257.msi	msiexec.exe
File created	C:\Windows\Installer\f76a258.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5A6.tmp	msiexec.exe

Loads dropped DLL 8 IoCs

pid	Process
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe
492	MsiExec.exe
492	MsiExec.exe
2120	MsiExec.exe
2120	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1992	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\AppName = "ReminderHelper.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\AppPath = "C:\\ProgramData\\WeCareReminder"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9CABCF3567D855745A85EDF9E270A2B9	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0\win32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0\win32\ = "C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ = "IWeCareReminder"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BD8F57F8F34D45D40B74EC25EE00D72E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ProgID\ = "IEHelperv250.WeCareReminder.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\ = "WeCareReminder Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\CLSID\ = "{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\ = "PSFactoryBuffer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BD8F57F8F34D45D40B74EC25EE00D72E\9CABCF3567D855745A85EDF9E270A2B9	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\TypeLib\ = "{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\ = "IEHelperv250 1.0 Type Library"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9CABCF3567D855745A85EDF9E270A2B9\Complete	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\InprocServer32\ = "C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\IEHelperv2.5.0.DLL	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\VersionIndependentProgID\ = "IEHelperv250.WeCareReminder"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\InProcServer32\ = "C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0PS.dll"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\ProductIcon = "C:\\Windows\\Installer\\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\\icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\InProcServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}\ = "IEHelperv250"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\NumMethods\ = "7"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder.1\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\TypeLib\ = "{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\InProcServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\CLSID\ = "IEHelperv250.WeCareReminder.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\ProductName = "ASPCA Tri Reminder by We-Care.com v4.0.9.5"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\PackageCode = "D3DE6BC5719B03D4DA4E0F429472C917"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder\ = "WeCareReminder Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0\win32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\AppID = "{4FBBF769-ECEB-420A-B536-133B1D505C36}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\VersionIndependentProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid32	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	msiexec.exe
2224	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeSecurityPrivilege	2224	msiexec.exe
Token: SeCreateTokenPrivilege	1992	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1992	msiexec.exe
Token: SeLockMemoryPrivilege	1992	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1992	msiexec.exe
Token: SeMachineAccountPrivilege	1992	msiexec.exe
Token: SeTcbPrivilege	1992	msiexec.exe
Token: SeSecurityPrivilege	1992	msiexec.exe
Token: SeTakeOwnershipPrivilege	1992	msiexec.exe
Token: SeLoadDriverPrivilege	1992	msiexec.exe
Token: SeSystemProfilePrivilege	1992	msiexec.exe
Token: SeSystemtimePrivilege	1992	msiexec.exe
Token: SeProfSingleProcessPrivilege	1992	msiexec.exe
Token: SeIncBasePriorityPrivilege	1992	msiexec.exe
Token: SeCreatePagefilePrivilege	1992	msiexec.exe
Token: SeCreatePermanentPrivilege	1992	msiexec.exe
Token: SeBackupPrivilege	1992	msiexec.exe
Token: SeRestorePrivilege	1992	msiexec.exe
Token: SeShutdownPrivilege	1992	msiexec.exe
Token: SeDebugPrivilege	1992	msiexec.exe
Token: SeAuditPrivilege	1992	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1992	msiexec.exe
Token: SeChangeNotifyPrivilege	1992	msiexec.exe
Token: SeRemoteShutdownPrivilege	1992	msiexec.exe
Token: SeUndockPrivilege	1992	msiexec.exe
Token: SeSyncAgentPrivilege	1992	msiexec.exe
Token: SeEnableDelegationPrivilege	1992	msiexec.exe
Token: SeManageVolumePrivilege	1992	msiexec.exe
Token: SeImpersonatePrivilege	1992	msiexec.exe
Token: SeCreateGlobalPrivilege	1992	msiexec.exe
Token: SeBackupPrivilege	2904	vssvc.exe
Token: SeRestorePrivilege	2904	vssvc.exe
Token: SeAuditPrivilege	2904	vssvc.exe
Token: SeBackupPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2644	DrvInst.exe
Token: SeLoadDriverPrivilege	2644	DrvInst.exe
Token: SeLoadDriverPrivilege	2644	DrvInst.exe
Token: SeLoadDriverPrivilege	2644	DrvInst.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe
Token: SeTakeOwnershipPrivilege	2224	msiexec.exe
Token: SeRestorePrivilege	2224	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1992	msiexec.exe
1992	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 2120	2224	msiexec.exe	34
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35
PID 2224 wrote to memory of 492	2224	msiexec.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ReadOnlyInstaller.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F853C1A36E3285A0B6E929818C3CDDDB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADA863E0C481DF1C03B729FC3327C043 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "00000000000005A4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76a259.rbs

Filesize
15KB

MD5
c5cc2f42ebe0106359d85445315d7b90

SHA1
4fd578b1daad4f3083eb3860773ed70c6674481e

SHA256
2d135eda2e9aacba263e0e615695a9c3de295dc7cdfa2a9b8baf33b1bffd6754

SHA512
051a93ab7c687ab7dd190a2af02577dd1f6045dd9f2f546cba2578cdf7042f3ea11c89dea6616fb33b2511d664a259f59eddecaa210b7779a4e2a0768348e092

Download Submit
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

Filesize
351KB

MD5
0fe576e71ea69f96403e2e0da19224d2

SHA1
e18f33a6351d361dc52393b22be21ecd70d2bb6c

SHA256
71220bcd8cb555b45894f372073ccf7fbbe6b031f93fffefc998b4b86683e8a3

SHA512
5969675b5a0da9a2b3b01a4045162228b54a8b93ff8b0de3325e3caccf51ede84ce8faa096cc9e5d074057d3f19208fed8d04b9ec845fd924217ab7d24c389c2

Download Submit
C:\ProgramData\WeCareReminder\IEHelperv2.5.0PS.dll

Filesize
8KB

MD5
51199103a7420833194cf7ef0b445cb0

SHA1
263c18b4b570f23d4d68facb02001cbbda53d3c1

SHA256
c2071ee529f7192fe28c5cf5db936172df1c3239db48c19cc34b2fed0edfbb87

SHA512
eefeb91c0414062d369a5989a9bcd8cad7563457a457f934978550fbfd260ab03a6ba580b07ed019d615329850a102fd37d9cb340d5cf9205eb123564c3d2cee

Download Submit
C:\ProgramData\WeCareReminder\MerchantHash.txt

Filesize
69KB

MD5
bd809567d090192f0008c168c85af711

SHA1
c7b9bb1a7b200ee45326eb675f3de9fa2bbb79ad

SHA256
008f6725d6a7a46fdacc3e403b07ff0baead31bb6dcff02ddd0e7b60dec89275

SHA512
e561282e05605f1b1903abc094ba2a0ba3b0238d75ad9a63cf89a039f5d3719924a3e7c25cdc602dbf30f7f51a611ccd285cd413af4aae88f2be701f7d0ce00b

Download Submit
C:\ProgramData\WeCareReminder\ReminderHelper.exe

Filesize
421KB

MD5
85b79d3792d5e54243a57860708150f6

SHA1
ed6b30bc527c410e22f381c841787256572e8dcb

SHA256
556a2a6c291747c90a11b393c99850e458c2f5e05984267a2c9a86319374aa52

SHA512
3f86cc5dfbec76318aaeb7852727a36e05d0848b86cce043661a9363dea7ac9bdec1312ee48cc02e3aa0db9b0ad2a27d3a245e8ff2ec02bf4f6cb01e5ea4ea9a

Download Submit
C:\ProgramData\WeCareReminder\WCAutoUpdate.exe

Filesize
361KB

MD5
9f24baf8c2e86325bbf55f2b759110f0

SHA1
2e59e39f9a315c6f935205353cfecf15279bd7c4

SHA256
23c4b9b252e5e3bb35a0f79c3aaab771e74d63ddf890e73c0a2df1d41b4c8962

SHA512
4c2761d4514d65cff32bbc6584cd7e41a381661a6fe2f5e0f3578320bc0f3b439509c0846014c05d06eaea3b5fa187c9bd473729b271f2da6eec9de1b0079ff6

Download Submit
C:\ProgramData\WeCareReminder\wecarereminder@bryan\MerchHash.txt

Filesize
67KB

MD5
4ebdb9daf2a2347abb66e879c379ffe9

SHA1
25a0b263876154fc4a6ecaacd3d7f220ca89d1eb

SHA256
e5f09c80425f7635a35d7c333948ed0703f79b082e5d372a75ad0cadea874f77

SHA512
b4a4203a2fbbab69702519cf4f3ffdec460f544869e3695612c942288c52c4955d4f8906dc446dc7f82a57dd3488363def4c3aafb2cb486378c932a62ffdafa1

Download Submit
C:\ProgramData\WeCareReminder\wecarereminder@bryan\ltvid.xml

Filesize
17B

MD5
a8720047341ec8cc2cd007174a47d15d

SHA1
c41cc5792191c7d3c61f60ce631c9060c413607d

SHA256
d743260adcc25654646a48f8e9aecb9eead72e5c0e70b55152a0b3a85bfb97f5

SHA512
6d0641d391db67d6ca741af1f4032d3f6a1176a973d6195daa77c12a87ff159d5fb04cd58ce4efe7ec5eba39ca0a1fdde9fb67e496e46ffa5143d6ded6932785

Download Submit
C:\ProgramData\WeCareReminder\wecarereminderro.crx

Filesize
60KB

MD5
806b38d5fcf069ce2ab7c62fc5b718ff

SHA1
b5089599ae401d56a4e7dab16521d27e3d4bf6e8

SHA256
9233647ee7da8f51e2ce0feb26754f3999604b6fdafc176ee4741870383d7eba

SHA512
f88ef660fae82dcced6af099322e34b30cd0dd8fc463cf13167cf55869eb296dd22608bbb21b6e4ae307d0f38680efa137b0e275533cddd81fdbecb3aff8ba26

Download Submit
C:\Windows\Installer\MSIA2C5.tmp

Filesize
71KB

MD5
f0bd6ca35743dccfc7391e34e420aa01

SHA1
36aaf6d8fea8ef64e037105f9052bddd2ce766dc

SHA256
2f89572c57731df39e46daef5e3d5b674ebc1fbc00559b12b247f98cdd395720

SHA512
0699009cfcb170455c8d719816cd769300a825af363e439898a11c48be902f12fd131a3a573e84d32060bbbd10e2880b818d27fed68d9c6e6dc8c040dcdf9da0

Download Submit
C:\Windows\Installer\MSIA48B.tmp

Filesize
148KB

MD5
14c01c848d8452005734858a64b6784b

SHA1
d3d81fcd1267095880218ef09b92220248905ea8

SHA256
fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185

SHA512
8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

Download Submit
C:\Windows\Installer\MSIA76F.tmp

Filesize
614KB

MD5
216e90a88afc241d627d1821fa1e2bea

SHA1
dc5b5e8e2e04287ed58a33534dd6a2e380f09ac9

SHA256
012ea8cb8499e7adf1c74347dcebaa826ab93b2cbf826f2657a55a562fff9f08

SHA512
52af53a4bb3d6d7995a1550db628d6dd4582f05a9e9f59a57059a8e4e3b2a57214ed35d5638a4ce3497716f225726da382b2fd7d4fb7d312baf0ef8cac67dbe0

Download Submit
C:\Windows\Installer\MSIA889.tmp

Filesize
57KB

MD5
cd2231225c7369222c962470d10f02e7

SHA1
692f38d45166240fd7cc5c125abdcf953bb1e848

SHA256
37947dc3944578597680197ce53206122aa98e9728d4d3e9bbdcaacd2150f8c8

SHA512
526ba8440150e2096f4e32bcc3bd1b58ac1ab05eedc6e69d64b93cd546cdec97e6df02919c15b4a3746dd09a84f72299e607d6e4c52a27e21604038e5beebb8e

Download Submit
C:\Windows\Installer\f76a257.msi

Filesize
4.1MB

MD5
d22df2c75a529bfb101aa8434f855358

SHA1
02e59f189a863d8fc8fea73fb52b7d9542f214c5

SHA256
2407a69d5dc0409a465a0378f5345a7a13bd5aa7e5f4561a0fb9987a9fe7a21a

SHA512
87d1b41f1aebee51d1a48f335ecb341c62886258f53c1ca133f2fdb116074767ccedb9dcb21f912649253fa1657d687329c578c60864388d57d70bf58332c0be

Download Submit