fa027c15cf301bc64327eff17dc8290e09c8b6ce3cf6f07a604bf9c328334ceb

Analysis

max time kernel
92s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReadOnlyInstaller.msi
Size

4.1MB
MD5

d22df2c75a529bfb101aa8434f855358
SHA1

02e59f189a863d8fc8fea73fb52b7d9542f214c5
SHA256

2407a69d5dc0409a465a0378f5345a7a13bd5aa7e5f4561a0fb9987a9fe7a21a
SHA512

87d1b41f1aebee51d1a48f335ecb341c62886258f53c1ca133f2fdb116074767ccedb9dcb21f912649253fa1657d687329c578c60864388d57d70bf58332c0be
SSDEEP

49152:rMfVBwVPCsC6uh2ZVZ/c/yEn6z/LX+RbS2MNFoo:reVzsC6uh2ZX/czn4LuRZMNFo

Score

6^/10

adware discovery persistence privilege_escalation stealer

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ = "WeCareReminder"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\NoExplorer = "1"	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57cb7e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cb7e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDE1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE20.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDD0.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cb80.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID048.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBFB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}	msiexec.exe
File created	C:\Windows\Installer\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\icon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFF9.tmp	msiexec.exe

Loads dropped DLL 8 IoCs

pid	Process
2696	MsiExec.exe
2696	MsiExec.exe
2696	MsiExec.exe
2696	MsiExec.exe
752	MsiExec.exe
752	MsiExec.exe
2696	MsiExec.exe
2696	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3044	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9aa8484b1ca68e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9aa84840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9aa8484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9aa8484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9aa848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\AppName = "ReminderHelper.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\AppPath = "C:\\ProgramData\\WeCareReminder"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0\win32	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\InprocServer32\ = "C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\NumMethods\ = "7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\ = "IEHelperv250 1.0 Type Library"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BD8F57F8F34D45D40B74EC25EE00D72E\9CABCF3567D855745A85EDF9E270A2B9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\VersionIndependentProgID\ = "IEHelperv250.WeCareReminder"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder\ = "WeCareReminder Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\TypeLib\ = "{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\IEHelperv2.5.0.DLL	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\AppID = "{4FBBF769-ECEB-420A-B536-133B1D505C36}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ = "WeCareReminder Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ = "IWeCareReminder"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\PackageName = "ReadOnlyInstaller.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\HELPDIR\ = "C:\\ProgramData\\WeCareReminder\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Version = "67108873"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\ProgID\ = "IEHelperv250.WeCareReminder.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder.1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\InProcServer32\ = "C:\\ProgramData\\WeCareReminder\\IEHelperv2.5.0PS.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9CABCF3567D855745A85EDF9E270A2B9\Complete	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\ProductName = "ASPCA Tri Reminder by We-Care.com v4.0.9.5"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\ProductIcon = "C:\\Windows\\Installer\\{53FCBAC9-8D76-4755-A558-DE9F2E072A9B}\\icon.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\CLSID\ = "{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\HELPDIR	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BD8F57F8F34D45D40B74EC25EE00D72E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}\ = "IEHelperv250"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\IEHelperv250.WeCareReminder	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9CABCF3567D855745A85EDF9E270A2B9\PackageCode = "D3DE6BC5719B03D4DA4E0F429472C917"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\CurVer\ = "{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9CABCF3567D855745A85EDF9E270A2B9	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1\CLSID\ = "IEHelperv250.WeCareReminder.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}\InProcServer32\ThreadingModel = "Both"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2852	msiexec.exe
2852	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3044	msiexec.exe
Token: SeSecurityPrivilege	2852	msiexec.exe
Token: SeCreateTokenPrivilege	3044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3044	msiexec.exe
Token: SeLockMemoryPrivilege	3044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3044	msiexec.exe
Token: SeMachineAccountPrivilege	3044	msiexec.exe
Token: SeTcbPrivilege	3044	msiexec.exe
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeTakeOwnershipPrivilege	3044	msiexec.exe
Token: SeLoadDriverPrivilege	3044	msiexec.exe
Token: SeSystemProfilePrivilege	3044	msiexec.exe
Token: SeSystemtimePrivilege	3044	msiexec.exe
Token: SeProfSingleProcessPrivilege	3044	msiexec.exe
Token: SeIncBasePriorityPrivilege	3044	msiexec.exe
Token: SeCreatePagefilePrivilege	3044	msiexec.exe
Token: SeCreatePermanentPrivilege	3044	msiexec.exe
Token: SeBackupPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeShutdownPrivilege	3044	msiexec.exe
Token: SeDebugPrivilege	3044	msiexec.exe
Token: SeAuditPrivilege	3044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3044	msiexec.exe
Token: SeChangeNotifyPrivilege	3044	msiexec.exe
Token: SeRemoteShutdownPrivilege	3044	msiexec.exe
Token: SeUndockPrivilege	3044	msiexec.exe
Token: SeSyncAgentPrivilege	3044	msiexec.exe
Token: SeEnableDelegationPrivilege	3044	msiexec.exe
Token: SeManageVolumePrivilege	3044	msiexec.exe
Token: SeImpersonatePrivilege	3044	msiexec.exe
Token: SeCreateGlobalPrivilege	3044	msiexec.exe
Token: SeBackupPrivilege	4780	vssvc.exe
Token: SeRestorePrivilege	4780	vssvc.exe
Token: SeAuditPrivilege	4780	vssvc.exe
Token: SeBackupPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeBackupPrivilege	1112	srtasks.exe
Token: SeRestorePrivilege	1112	srtasks.exe
Token: SeSecurityPrivilege	1112	srtasks.exe
Token: SeTakeOwnershipPrivilege	1112	srtasks.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3044	msiexec.exe
3044	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 1112	2852	msiexec.exe	98
PID 2852 wrote to memory of 1112	2852	msiexec.exe	98
PID 2852 wrote to memory of 2696	2852	msiexec.exe	100
PID 2852 wrote to memory of 2696	2852	msiexec.exe	100
PID 2852 wrote to memory of 2696	2852	msiexec.exe	100
PID 2852 wrote to memory of 752	2852	msiexec.exe	101
PID 2852 wrote to memory of 752	2852	msiexec.exe	101
PID 2852 wrote to memory of 752	2852	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ReadOnlyInstaller.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3418ABC20AE9481E065B67EF79A346B1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 72202750527680AF692B9716D24778E3 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cb7f.rbs

Filesize
16KB

MD5
52ca3c16db4883a4663e94b3de9c89c9

SHA1
7b36850f06254c5f5d7457675236308ea10bb3a3

SHA256
ca4dc98220e57b939ca0e73270bd0a0668cbe088bde5eebf9f0c6db5980b2eab

SHA512
ddc72290f6e255bf4ab3dc94f77f962f837478d3b56b7ef9c25004ad9c323e69bbcfd36e4973c05ea72f4939bb5f3e26086c188f65a4a59f5100cc3bddc03bbc

Download Submit
C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll

Filesize
351KB

MD5
0fe576e71ea69f96403e2e0da19224d2

SHA1
e18f33a6351d361dc52393b22be21ecd70d2bb6c

SHA256
71220bcd8cb555b45894f372073ccf7fbbe6b031f93fffefc998b4b86683e8a3

SHA512
5969675b5a0da9a2b3b01a4045162228b54a8b93ff8b0de3325e3caccf51ede84ce8faa096cc9e5d074057d3f19208fed8d04b9ec845fd924217ab7d24c389c2

Download Submit
C:\ProgramData\WeCareReminder\IEHelperv2.5.0PS.dll

Filesize
8KB

MD5
51199103a7420833194cf7ef0b445cb0

SHA1
263c18b4b570f23d4d68facb02001cbbda53d3c1

SHA256
c2071ee529f7192fe28c5cf5db936172df1c3239db48c19cc34b2fed0edfbb87

SHA512
eefeb91c0414062d369a5989a9bcd8cad7563457a457f934978550fbfd260ab03a6ba580b07ed019d615329850a102fd37d9cb340d5cf9205eb123564c3d2cee

Download Submit
C:\ProgramData\WeCareReminder\MerchantHash.txt

Filesize
69KB

MD5
bd809567d090192f0008c168c85af711

SHA1
c7b9bb1a7b200ee45326eb675f3de9fa2bbb79ad

SHA256
008f6725d6a7a46fdacc3e403b07ff0baead31bb6dcff02ddd0e7b60dec89275

SHA512
e561282e05605f1b1903abc094ba2a0ba3b0238d75ad9a63cf89a039f5d3719924a3e7c25cdc602dbf30f7f51a611ccd285cd413af4aae88f2be701f7d0ce00b

Download Submit
C:\ProgramData\WeCareReminder\ReminderHelper.exe

Filesize
421KB

MD5
85b79d3792d5e54243a57860708150f6

SHA1
ed6b30bc527c410e22f381c841787256572e8dcb

SHA256
556a2a6c291747c90a11b393c99850e458c2f5e05984267a2c9a86319374aa52

SHA512
3f86cc5dfbec76318aaeb7852727a36e05d0848b86cce043661a9363dea7ac9bdec1312ee48cc02e3aa0db9b0ad2a27d3a245e8ff2ec02bf4f6cb01e5ea4ea9a

Download Submit
C:\ProgramData\WeCareReminder\WCAutoUpdate.exe

Filesize
361KB

MD5
9f24baf8c2e86325bbf55f2b759110f0

SHA1
2e59e39f9a315c6f935205353cfecf15279bd7c4

SHA256
23c4b9b252e5e3bb35a0f79c3aaab771e74d63ddf890e73c0a2df1d41b4c8962

SHA512
4c2761d4514d65cff32bbc6584cd7e41a381661a6fe2f5e0f3578320bc0f3b439509c0846014c05d06eaea3b5fa187c9bd473729b271f2da6eec9de1b0079ff6

Download Submit
C:\ProgramData\WeCareReminder\wecarereminder@bryan\MerchHash.txt

Filesize
67KB

MD5
4ebdb9daf2a2347abb66e879c379ffe9

SHA1
25a0b263876154fc4a6ecaacd3d7f220ca89d1eb

SHA256
e5f09c80425f7635a35d7c333948ed0703f79b082e5d372a75ad0cadea874f77

SHA512
b4a4203a2fbbab69702519cf4f3ffdec460f544869e3695612c942288c52c4955d4f8906dc446dc7f82a57dd3488363def4c3aafb2cb486378c932a62ffdafa1

Download Submit
C:\ProgramData\WeCareReminder\wecarereminder@bryan\ltvid.xml

Filesize
38B

MD5
412875ed5cb06bcb246f02292b9fe282

SHA1
eb87f133170d9d8d2b30b05745f733a3179d7c8c

SHA256
34cddcb681a4b0b568cc0ab60ab6266719f0ff8a0bdaf6945bcd112fa737178d

SHA512
23bcc3e0c9f0cfbb0ae01c44f858f2de860d4503c97c776b82a384e3e66a7ab8c6e00b1cf730e5c410fb204795f4177f6e0c242a0b7ae17a2b9860324724909c

Download Submit
C:\ProgramData\WeCareReminder\wecarereminderro.crx

Filesize
60KB

MD5
806b38d5fcf069ce2ab7c62fc5b718ff

SHA1
b5089599ae401d56a4e7dab16521d27e3d4bf6e8

SHA256
9233647ee7da8f51e2ce0feb26754f3999604b6fdafc176ee4741870383d7eba

SHA512
f88ef660fae82dcced6af099322e34b30cd0dd8fc463cf13167cf55869eb296dd22608bbb21b6e4ae307d0f38680efa137b0e275533cddd81fdbecb3aff8ba26

Download Submit
C:\Windows\Installer\MSICBFB.tmp

Filesize
71KB

MD5
f0bd6ca35743dccfc7391e34e420aa01

SHA1
36aaf6d8fea8ef64e037105f9052bddd2ce766dc

SHA256
2f89572c57731df39e46daef5e3d5b674ebc1fbc00559b12b247f98cdd395720

SHA512
0699009cfcb170455c8d719816cd769300a825af363e439898a11c48be902f12fd131a3a573e84d32060bbbd10e2880b818d27fed68d9c6e6dc8c040dcdf9da0

Download Submit
C:\Windows\Installer\MSICDE1.tmp

Filesize
148KB

MD5
14c01c848d8452005734858a64b6784b

SHA1
d3d81fcd1267095880218ef09b92220248905ea8

SHA256
fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185

SHA512
8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

Download Submit
C:\Windows\Installer\MSICFF9.tmp

Filesize
614KB

MD5
216e90a88afc241d627d1821fa1e2bea

SHA1
dc5b5e8e2e04287ed58a33534dd6a2e380f09ac9

SHA256
012ea8cb8499e7adf1c74347dcebaa826ab93b2cbf826f2657a55a562fff9f08

SHA512
52af53a4bb3d6d7995a1550db628d6dd4582f05a9e9f59a57059a8e4e3b2a57214ed35d5638a4ce3497716f225726da382b2fd7d4fb7d312baf0ef8cac67dbe0

Download Submit
C:\Windows\Installer\MSID048.tmp

Filesize
57KB

MD5
cd2231225c7369222c962470d10f02e7

SHA1
692f38d45166240fd7cc5c125abdcf953bb1e848

SHA256
37947dc3944578597680197ce53206122aa98e9728d4d3e9bbdcaacd2150f8c8

SHA512
526ba8440150e2096f4e32bcc3bd1b58ac1ab05eedc6e69d64b93cd546cdec97e6df02919c15b4a3746dd09a84f72299e607d6e4c52a27e21604038e5beebb8e

Download Submit
C:\Windows\Installer\e57cb7e.msi

Filesize
4.1MB

MD5
d22df2c75a529bfb101aa8434f855358

SHA1
02e59f189a863d8fc8fea73fb52b7d9542f214c5

SHA256
2407a69d5dc0409a465a0378f5345a7a13bd5aa7e5f4561a0fb9987a9fe7a21a

SHA512
87d1b41f1aebee51d1a48f335ecb341c62886258f53c1ca133f2fdb116074767ccedb9dcb21f912649253fa1657d687329c578c60864388d57d70bf58332c0be

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
d098e39796e8f01765092325bb6685dd

SHA1
83820eaf15fd0396f5b2fc23d37d68d5bfdcf253

SHA256
6045f7b9559a21923e92826c6e7dac3a663b19f1935242417b183d361adda4b6

SHA512
7ab44a291db617818a3b8cbde038596bc644ae1279e0fba495948cc60aa3012b538c26c37f74d1fd389758f08014be02e4b89cc48ed13d3f988b5a3d0b78902b

Download Submit
\??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{35cc6f8b-3437-4475-85da-09e064fa84e7}_OnDiskSnapshotProp

Filesize
6KB

MD5
518717cce99c2fa22626dd50bc00b5ac

SHA1
ee855984949ad2b3d9f672a171c91e7a50a5d357

SHA256
7433b13c90403bb7ffcb8859b22eb2ce402369d01d921c229278d1dd0c1e210c

SHA512
b51e67cdd1b161a9d196d9b53b8dcaeb0b013f7d4c49cce4e28d9b1fe45abf2dee3d59519b74faaca5326436f04c363bdb0ad3b64461810acf23c44e6ab86287

Download Submit