Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 10-09-2024 13:58

Static task: static1
Behavioral task: behavioral1
Sample: WPS Office_104693057_401556.msi
Resource: win7-20240704-en
General

Target: WPS Office_104693057_401556.msi
Size: 13.0MB
MD5: a8f0f41ccc09254856bc1bbd2151a15d
SHA1: 4926bf9e1ca27835ee5a077565979111614c3e25
SHA256: 745ae5ef809909bdda166d758a529907f4175f3131c451717ca22a536eec57a9
SHA512: 8371939ad373cb6b6a5bf2cc20158fd60e7ebf91bdc67e8326d63d12aac7efd2600296e52ef1b5ef7acaa8f061a343e3ad45b5f7c1f8ff72f2113ce1f0815524
SSDEEP: 393216:oGS3skS0F5Ky7pfJY/+LXwwhCtZRZ5bz/ueWr8bf:oG8S0F5N7pfJu2XwwhYZRDbz/uFUf
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
(description, ioc, process)
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
Drops file in Program Files directory (7 IoCs)
(description, ioc, process)
- File created C:\Program Files\CommunicateSupervisorGentle\svml_dispmd2.dll msiexec.exe
- File created C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe msiexec.exe
- File created C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe TAMBkPWjDlUR.exe
- File opened for modification C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe TAMBkPWjDlUR.exe
- File opened for modification C:\Program Files\CommunicateSupervisorGentle QRdpObipxd29.exe
- File created C:\Program Files\CommunicateSupervisorGentle\opencv_world452.dll msiexec.exe
- File created C:\Program Files\CommunicateSupervisorGentle\RklfmdhbCMtmUxRFJWah msiexec.exe
Drops file in Windows directory (10 IoCs)
(description, ioc, process)
- File created C:\Windows\Installer\f76ced6.msi msiexec.exe
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File opened for modification C:\Windows\Installer\MSICFAE.tmp msiexec.exe
- File created C:\Windows\Installer\f76ced3.msi msiexec.exe
- File opened for modification C:\Windows\Installer\f76ced3.msi msiexec.exe
- File created C:\Windows\Installer\f76ced4.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File opened for modification C:\Windows\Installer\f76ced4.ipi msiexec.exe
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
Executes dropped EXE (2 IoCs)
(pid, process)
- 2924 TAMBkPWjDlUR.exe
- 1416 QRdpObipxd29.exe
Loads dropped DLL (4 IoCs)
(pid, process)
- 2560 MsiExec.exe
- 2560 MsiExec.exe
- 2560 MsiExec.exe
- 2560 MsiExec.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
(description, ioc, process)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TAMBkPWjDlUR.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QRdpObipxd29.exe
Modifies data under HKEY_USERS (46 IoCs)
(description, ioc, process)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe
Modifies registry class (22 IoCs)
(description, ioc, process)
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\Clients = 3a0000000000 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\196198D7D44637E4797D9C6427CABB59 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\Net msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\Language = "1033" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\InstanceType = "0" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FAC4591436573BB4EAA237F4A3E83E91\196198D7D44637E4797D9C6427CABB59 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\PackageName = "WPS Office_104693057_401556.msi" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\196198D7D44637E4797D9C6427CABB59\ProductFeature msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\PackageCode = "D60F9B3F9C7140E409FD4F6076F5A228" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FAC4591436573BB4EAA237F4A3E83E91 msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\Media msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\Media\1 = ";" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\ProductName = "CommunicateSupervisorGentle" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\AdvertiseFlags = "388" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\Assignment = "1" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\AuthorizedLUAApp = "0" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\DeploymentFlags = "3" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59 msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\196198D7D44637E4797D9C6427CABB59\Version = "262145" msiexec.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
(pid, process)
- 1724 msiexec.exe
- 1724 msiexec.exe
- 1416 QRdpObipxd29.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
(description, pid, process)
- Token: SeShutdownPrivilege 2240 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2240 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeSecurityPrivilege 1724 msiexec.exe
- Token: SeCreateTokenPrivilege 2240 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 2240 msiexec.exe
- Token: SeLockMemoryPrivilege 2240 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 2240 msiexec.exe
- Token: SeMachineAccountPrivilege 2240 msiexec.exe
- Token: SeTcbPrivilege 2240 msiexec.exe
- Token: SeSecurityPrivilege 2240 msiexec.exe
- Token: SeTakeOwnershipPrivilege 2240 msiexec.exe
- Token: SeLoadDriverPrivilege 2240 msiexec.exe
- Token: SeSystemProfilePrivilege 2240 msiexec.exe
- Token: SeSystemtimePrivilege 2240 msiexec.exe
- Token: SeProfSingleProcessPrivilege 2240 msiexec.exe
- Token: SeIncBasePriorityPrivilege 2240 msiexec.exe
- Token: SeCreatePagefilePrivilege 2240 msiexec.exe
- Token: SeCreatePermanentPrivilege 2240 msiexec.exe
- Token: SeBackupPrivilege 2240 msiexec.exe
- Token: SeRestorePrivilege 2240 msiexec.exe
- Token: SeShutdownPrivilege 2240 msiexec.exe
- Token: SeDebugPrivilege 2240 msiexec.exe
- Token: SeAuditPrivilege 2240 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 2240 msiexec.exe
- Token: SeChangeNotifyPrivilege 2240 msiexec.exe
- Token: SeRemoteShutdownPrivilege 2240 msiexec.exe
- Token: SeUndockPrivilege 2240 msiexec.exe
- Token: SeSyncAgentPrivilege 2240 msiexec.exe
- Token: SeEnableDelegationPrivilege 2240 msiexec.exe
- Token: SeManageVolumePrivilege 2240 msiexec.exe
- Token: SeImpersonatePrivilege 2240 msiexec.exe
- Token: SeCreateGlobalPrivilege 2240 msiexec.exe
- Token: SeBackupPrivilege 400 vssvc.exe
- Token: SeRestorePrivilege 400 vssvc.exe
- Token: SeAuditPrivilege 400 vssvc.exe
- Token: SeBackupPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 2640 DrvInst.exe
- Token: SeLoadDriverPrivilege 2640 DrvInst.exe
- Token: SeLoadDriverPrivilege 2640 DrvInst.exe
- Token: SeLoadDriverPrivilege 2640 DrvInst.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
- Token: SeTakeOwnershipPrivilege 1724 msiexec.exe
- Token: SeRestorePrivilege 1724 msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
(pid, process)
- 2240 msiexec.exe
- 2240 msiexec.exe
Suspicious use of WriteProcessMemory (15 IoCs)
(description, pid, process, procid_target)
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 1724 wrote to memory of 2560, 1724 msiexec.exe, 34
- PID 2560 wrote to memory of 2924, 2560 MsiExec.exe, 35
- PID 2560 wrote to memory of 2924, 2560 MsiExec.exe, 35
- PID 2560 wrote to memory of 2924, 2560 MsiExec.exe, 35
- PID 2560 wrote to memory of 2924, 2560 MsiExec.exe, 35
- PID 2560 wrote to memory of 1416, 2560 MsiExec.exe, 37
- PID 2560 wrote to memory of 1416, 2560 MsiExec.exe, 37
- PID 2560 wrote to memory of 1416, 2560 MsiExec.exe, 37
- PID 2560 wrote to memory of 1416, 2560 MsiExec.exe, 37
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401556.msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2240

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1724

  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 86FC38DEF41B33035E8127E92763F815 M Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2560

    - C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe
      Command line: "C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe" x "C:\Program Files\CommunicateSupervisorGentle\RklfmdhbCMtmUxRFJWah" -o"C:\Program Files\CommunicateSupervisorGentle\" -pvZPJIQIwTATDNSQOnwpY -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2924

    - C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe
      Command line: "C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe" -number 165 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 1416

- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 400

- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "00000000000005C0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2640
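The process tree above is the part of this report a detection engineer cares about: the installer's custom-action server (MsiExec.exe -Embedding, PID 2560) launches two executables that the package itself dropped into C:\Program Files\CommunicateSupervisorGentle\. The first (TAMBkPWjDlUR.exe) runs with switches that read like a 7-Zip-style extraction (x <archive> -o<dir> -p<password> -y) against the opaque file RklfmdhbCMtmUxRFJWah, and the second (QRdpObipxd29.exe) then runs from the same output directory. The Python below is an added detection example written for this page, not code from the sandbox or from the sample. It walks a constructed list of process-creation events transcribed from the tree above (the dict field names are an assumption, not a real export format), flags any non-msiexec child of msiexec that runs from Program Files, and additionally recovers the archive, output directory and password when the child's command line matches the extraction pattern. That the extractor is 7-Zip-like is an inference from the switches; the report does not identify the tool.

```python
import re

# Constructed process-creation events transcribed from the process tree in this
# report. Field names are assumed for this example; ppid 0 marks processes whose
# parent does not appear in the tree.
EVENTS = [
    {"pid": 2240, "ppid": 0, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r'msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401556.msi"'},
    {"pid": 1724, "ppid": 0, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 2560, "ppid": 1724, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 86FC38DEF41B33035E8127E92763F815 M Global\MSI0000"},
    {"pid": 2924, "ppid": 2560, "image": r"C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe",
     "cmdline": r'"C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe" x '
                r'"C:\Program Files\CommunicateSupervisorGentle\RklfmdhbCMtmUxRFJWah" '
                r'-o"C:\Program Files\CommunicateSupervisorGentle\" -pvZPJIQIwTATDNSQOnwpY -y'},
    {"pid": 1416, "ppid": 2560, "image": r"C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe",
     "cmdline": r'"C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe" -number 165 -file file3 -mode mode3 -flag flag3'},
    # Control from the same tree: the VSS service is present but must not fire.
    {"pid": 400, "ppid": 0, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
]

# One token per quoted span or run of non-space characters; a switch glued to
# a quoted path, such as -o"C:\Program Files\...\", stays a single token.
TOKEN_RE = re.compile(r'\S*"[^"]*"|\S+')


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msiexec(image):
    return basename(image) == "msiexec.exe"


def in_program_files(image):
    return image.lower().startswith(("c:\\program files\\", "c:\\program files (x86)\\"))


def parse_extract(cmdline):
    """Return {archive, outdir, password} when the command line has the shape
    '<exe> x <archive> ... -o<dir> ... -p<password> ...', otherwise None."""
    toks = TOKEN_RE.findall(cmdline)
    if len(toks) < 3 or toks[1].lower() != "x":
        return None
    outdir = password = None
    for t in toks[3:]:
        if t.startswith("-o"):
            outdir = t[2:].strip('"')
        elif t.startswith("-p") and len(t) > 2:
            password = t[2:]
    if outdir is None or password is None:
        return None
    return {"archive": toks[2].strip('"'), "outdir": outdir, "password": password}


def detect(events):
    """Flag every non-msiexec image under Program Files whose parent is msiexec
    (an install sequence or custom action running a just-dropped binary), and
    add a second finding when that child is a password-protected extraction."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not is_msiexec(parent["image"]):
            continue
        if is_msiexec(e["image"]) or not in_program_files(e["image"]):
            continue
        findings.append(("msi_spawned_dropped_exe", e["pid"]))
        if parse_extract(e["cmdline"]) is not None:
            findings.append(("password_protected_extract", e["pid"]))
    return findings


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(name, pid)
    print(parse_extract(EVENTS[3]["cmdline"]))
```

Against the transcribed tree the rule fires twice for PID 2924 (spawned by msiexec from Program Files, and extracting with a password) and once for PID 1416, while the two top-level msiexec instances, the -Embedding server and vssvc.exe stay quiet. The password recovered from the -p switch is what an analyst needs to open the dropped archive RklfmdhbCMtmUxRFJWah offline, and the out-of-band output directory equal to the install directory explains why QRdpObipxd29.exe appears there without msiexec ever creating it.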
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 7KB
  MD5: d2d6ab9b29f3181d007d4f0fc0a21637
  SHA1: 6f330e8c56aec5463c5633b3deb84e42a07b59e8
  SHA256: c1f87284f52fa08d1c1db471ed70534c10c0ec2c470a7a0a2fbf28c7fdec9100
  SHA512: f4efce4da87b937ad89db4fb8e570ae8c1ab9d51417ca35649c6eebb08b2ea3d3320e049613fde143529e35dc45274cc287aadc93b566415e9fbd9534e544477

- Filesize: 2.0MB
  MD5: b52576273e38bf9285ae6c4cc6c2949d
  SHA1: e2a8bbe6420b53ddaa0b644e6d60e5643617c459
  SHA256: 34dce8d0cdb26cb18557dc37874f0eeb9d1125a76777fc4f794c9afcd061d17a
  SHA512: 3a0d4a7baf8647d603cb832694f6d58b116c49fefbcbc857d29831b8f47cefef6e60a12b795a3022a17110a8b1f5bbc146ae9745bcad280dfa91cf3d1ecdd1a2

- Filesize: 735KB
  MD5: e930add428550f33a9dd8ec3c3e731a9
  SHA1: 82c3d0fcc3dbefc590a95497e69ee0713a9b65ac
  SHA256: 4a82706a491f1da255a6c331d10d3901cb495b0df90ba5f205280eb93745274e
  SHA512: c9464ce4fd5000522e74ec87ff63713db7ed404c9dba15264a1501933a36fdb584613a9b69d882c0d0ac6f0f8acc9ef2540e1d086aa2dde0da70b9587be1e681

- Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

- Filesize: 13.0MB (the submitted sample)
  MD5: a8f0f41ccc09254856bc1bbd2151a15d
  SHA1: 4926bf9e1ca27835ee5a077565979111614c3e25
  SHA256: 745ae5ef809909bdda166d758a529907f4175f3131c451717ca22a536eec57a9
  SHA512: 8371939ad373cb6b6a5bf2cc20158fd60e7ebf91bdc67e8326d63d12aac7efd2600296e52ef1b5ef7acaa8f061a343e3ad45b5f7c1f8ff72f2113ce1f0815524