Site notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/09/2024, 04:27

Tasks
- Static task: static1
- Behavioral task behavioral1: sample wpsupdate.msi, resource win7-20240903-en
- Behavioral task behavioral2: sample wpsupdate.msi, resource win10v2004-20240802-en

The signatures, process tree and dropped files below are from behavioral2 (Windows 10 2004, x64); the YARA memory hits name that task explicitly.
General
- Target: wpsupdate.msi
- Size: 17.9MB
- MD5: 151a066813a13375522df7282f2837d8
- SHA1: 61ff6e9d0be8681c59e8296d4d8a2b3579044858
- SHA256: 9a6bc8d7631fe970648bc6d30c99b8764fb9f1e51fca7220799b8d3e6cfa86ea
- SHA512: 4e101083b6df77435a857bd9c5322c16e18742b82de82dc0282ff47d104acaf475f5619b4048c59d29fb3db0006d385786e5b82e67ce132c0e87d411fec8ba5d
- SSDEEP: 393216:/Wp84flbAgjDPLgoZr3hfE3XG1Ccu3mBe2fJpAMdLSVQvzmFE1KYo0Nw5i4hH:/UflhTgo5hM3Y2mBvxoFzd5iYH
Malware Config
Signatures
- YARA match: purplefox_rootkit (2 IoCs; the signature heading itself was lost in extraction, the rule name is taken from the hits)
  resource | yara_rule
  behavioral2/memory/4828-38-0x000000002BEB0000-0x000000002C06B000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4828-40-0x000000002BEB0000-0x000000002C06B000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/4828-38-0x000000002BEB0000-0x000000002C06B000-memory.dmp | family_gh0strat
  behavioral2/memory/4828-40-0x000000002BEB0000-0x000000002C06B000-memory.dmp | family_gh0strat
  Both rule families hit the same region (0x2BEB0000-0x2C06B000, 0x1BB000 bytes, about 1.7 MB) in PID 4828, the second qPptEPZEtb29.exe instance, in two consecutive dumps (38 and 40). The payload was therefore unpacked in memory rather than present on disk, which is why none of the dropped-file hashes below are the thing to hunt for; the memory region is.
- Enumerates connected drives (3 TTPs, 64 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Every entry is "File opened (read-only) \??\<letter>:"; the listing is capped at 64 entries. Drive letters in the order recorded, per process (two msiexec.exe PIDs, 2724 and 2564, contribute, hence the repeats):
  msiexec.exe (44 entries): W V X E J O O P I R P T Z T B G W V X B L H R M E U Y G H M U K L N N S A Q S J K I Q A
  qPptEPZEtb29.exe (20 entries): X T M V Z Q H N U Y I K R S E G J O P B
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | wpsupdate.exe
  What the signature records is a handle to the raw disk device opened with write access by wpsupdate.exe (PID 3060). The report does not show the bytes written, so whether sector 0 was actually modified has to be confirmed by comparing the disk's first sector against a known-good copy rather than inferred from the handle alone.
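The check a responder would run after seeing that raw-disk handle, as an added example that is not part of the tria.ge report: parse a 512-byte MBR, validate the 0x55AA boot signature, and diff the boot code and partition table against a baseline sector. The two sectors below are constructed for illustration (the baseline starts with the usual Windows MBR prologue bytes, the "patched" one with a hypothetical short jump); on a real host you would read sector 0 of \\.\PhysicalDrive0 as administrator and compare it to a baseline captured while the machine was known clean.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code and disk signature area
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, the partition entries and the signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: bytes) -> list:
    """Return findings as strings; an empty list means the sector matches the baseline."""
    cur, base = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demo (not an image of any real disk)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline: the Windows MBR prologue "33 C0 8E D0 BC 00 7C"
# (xor ax,ax / mov ss,ax / mov sp,7C00h) and one bootable NTFS partition at LBA 2048.
BASELINE_MBR = build_sector(bytes.fromhex("33c08ed0bc007c"), [(0x80, 0x07, 2048, 204800)])

# Constructed "patched" sector: identical partition table, boot code replaced by a
# hypothetical short jump. Keeping the partition layout intact is the shape of a
# bootkit that hooks the boot path while letting the system still boot normally.
PATCHED_MBR = build_sector(bytes.fromhex("eb3e90"), [(0x80, 0x07, 2048, 204800)])


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 from a raw disk device (Windows, administrator). Not called in the demo."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("baseline vs baseline:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("patched  vs baseline:", check_mbr(PATCHED_MBR, BASELINE_MBR))
```

The baseline should be captured before deployment (or from a clean clone) and stored off-host, because a bootkit that has already run can also serve a clean-looking sector to user-mode readers; a comparison made from a boot disk or hypervisor snapshot is the trustworthy one.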
- Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File created | C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe | msiexec.exe
  File created | C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH | msiexec.exe
  File created | C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe | msiexec.exe
  File created | C:\Program Files\LaunchAdvisorUnique\XjPDFEditCore.dll | msiexec.exe
  File created | C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe | jzafRqbTGRDF.exe
  File opened for modification | C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe | jzafRqbTGRDF.exe
  File opened for modification | C:\Program Files\LaunchAdvisorUnique | qPptEPZEtb29.exe
  The MSI itself lays down the archiver, the archive, wpsupdate.exe and XjPDFEditCore.dll; qPptEPZEtb29.exe only appears once jzafRqbTGRDF.exe has extracted the archive.

- Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{0C986C29-2CCB-4DBA-8B74-98C7B3187BB3} | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIB074.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57afba.msi | msiexec.exe
  File created | C:\Windows\Installer\e57afb8.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57afb8.msi | msiexec.exe
  These are ordinary Windows Installer bookkeeping artefacts. One of the cached .msi copies under C:\Windows\Installer is the installed package, which is where to recover it from an infected host after the original in the user's Temp directory is gone.
- Executes dropped EXE (4 IoCs)
  pid | Process
  2188 | jzafRqbTGRDF.exe
  4404 | qPptEPZEtb29.exe
  3060 | wpsupdate.exe
  4828 | qPptEPZEtb29.exe

- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  2724 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jzafRqbTGRDF.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qPptEPZEtb29.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpsupdate.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qPptEPZEtb29.exe
  Reading NLS\Language is also done by ordinary locale-aware code (the installer's own custom action server is one of the five), so on its own this is a weak indicator.
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  (S below stands for \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters)
  Key queried | S | vssvc.exe
  Key created | S\Partmgr | vssvc.exe
  Set value (data) | S\Partmgr\PartitionTableCache = (value not preserved in this copy of the report) | vssvc.exe
  Set value (data) | S\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | S | vssvc.exe
  Caveat: all five accesses come from vssvc.exe, the Volume Shadow Copy service, while the installer's child srtasks.exe (PID 1672) was creating a restore point (ExecuteScopeRestorePoint). The Partmgr PartitionTableCache and SnapshotDataCache values are written during volume snapshot creation (the SnapshotDataCache data begins with the ASCII tag SNAPPART), so this hit is installer-side noise rather than anti-sandbox behaviour by the dropped executables. The processor check below, made by qPptEPZEtb29.exe itself, is the one worth weighting.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | qPptEPZEtb29.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | qPptEPZEtb29.exe
  The ~MHz read comes from the second qPptEPZEtb29.exe instance (PID 4828), the same process that carries the YARA-matched payload.
- Modifies data under HKEY_USERS (25 IoCs)
  All paths are under \REGISTRY\USER\.DEFAULT, which is consistent with these processes running as LocalSystem under the Windows Installer service. Grouped by process:
  MsiExec.exe (syswow64 custom action server, PID 2332):
    Key created | Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int) | ...\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int) | ...\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int) | ...\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int) | ...\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Key created | Software\Microsoft\Windows Script\Settings
    Set value (int) | Software\Microsoft\Windows Script\Settings\JITDebug = "0"
  msiexec.exe (installer service, PID 2564):
    Key deleted | Software\Classes\Local Settings\MuiCache\26
    Key deleted | SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
    Key created | Software\Classes\Local Settings\MuiCache\27
  wpsupdate.exe (PID 3060):
    Key created | Software
    Key created | Software\Kingsoft
    Key created | Software\Kingsoft\Office
    Key created | Software\Kingsoft\Office\6.0
    Key created | Software\Kingsoft\Office\6.0\Common
    Key created | Software\Kingsoft\Office\6.0\Common\khdinfo
    Key created | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int) | Software\Kingsoft\Office\6.0\Common\InfoHDt = "11"
    Set value (int) | Software\Kingsoft\Office\6.0\Common\InfoHD3t = "11"
    Set value (str) | Software\Kingsoft\Office\6.0\Common\InfoHD = "d4cd414908a3e85cbaa340672c98b30f"
    Set value (str) | Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "d4cd414908a3e85cbaa340672c98b30f"
    Set value (data) | Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00310031007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00370036002d00320043002d00390032002d00380043002d00430041002d00300033000000
    Set value (str) | Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|017474ebe9e7e39e93f97044858b4fb3"
    Set value (str) | Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo (empty)
    Set value (str) | Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-9-11"
  The InfoHD3Verify_C blob is UTF-16LE text and decodes to "2024-9-11|WDC 2.5+232138804165 ... |76-2C-92-8C-CA-03": the run date, the sandbox disk's model and serial string, and a MAC address, i.e. a hardware fingerprint. Together with the Kingsoft\Office key names this is the hardware-ID bookkeeping a WPS Office updater performs, so these writes do not by themselves indicate malicious intent; the raw-disk handle opened by the same process is the part that needs explaining.
- Modifies registry class (22 IoCs)
  All writes are by msiexec.exe under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer (P below stands for Products\92C689C0BCC2ABD4B847897C3B81B73B):
  Key created | P
  Key created | P\SourceList
  Key created | P\SourceList\Media
  Key created | P\SourceList\Net
  Key created | Features\92C689C0BCC2ABD4B847897C3B81B73B
  Key created | UpgradeCodes\EBC4B8230F812E044916E39B3C50E513
  Set value (str) | UpgradeCodes\EBC4B8230F812E044916E39B3C50E513\92C689C0BCC2ABD4B847897C3B81B73B
  Set value (str) | Features\92C689C0BCC2ABD4B847897C3B81B73B\ProductFeature
  Set value (str) | P\ProductName = "LaunchAdvisorUnique"
  Set value (str) | P\PackageCode = "E352127AD76EDC34F8C07FAC0228DEC7"
  Set value (int) | P\Language = "1033"
  Set value (int) | P\Version = "101253126"
  Set value (int) | P\Assignment = "1"
  Set value (int) | P\InstanceType = "0"
  Set value (int) | P\AuthorizedLUAApp = "0"
  Set value (int) | P\DeploymentFlags = "3"
  Set value (int) | P\AdvertiseFlags = "388"
  Set value (data) | P\Clients = 3a0000000000
  Set value (str) | P\SourceList\PackageName = "wpsupdate.msi"
  Set value (str) | P\SourceList\Media\1 = ";"
  Set value (str) | P\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (str) | P\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  92C689C0BCC2ABD4B847897C3B81B73B is the Installer's "squished" form of the ProductCode {0C986C29-2CCB-4DBA-8B74-98C7B3187BB3}, the GUID that also names the SourceHash file under C:\Windows\Installer above. Version 101253126 unpacks to 6.9.6 (major<<24 | minor<<16 | build) and Language 1033 is en-US. On a live host the product shows up under these keys, under the same squished code in HKLM\...\Installer\UserData, and as "LaunchAdvisorUnique" in the installed-programs list.
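The decoding referred to in the two registry sections above, as an added example that is not part of the tria.ge report: turn the UTF-16LE hex dump of InfoHD3Verify_C back into its fields, read the ASCII tag at the head of the partmgr SnapshotDataCache value, and convert Windows Installer's squished product/upgrade codes and packed Version DWORD into the ProductCode GUID and dotted version. The hex strings and key names are copied from the IoC lines above (SnapshotDataCache truncated to its first 24 bytes); the field names date/disk/mac are my reading of the value's "|"-separated layout, not a documented Kingsoft format.

```python
# Values copied from the report's IoC lines.
# ...\Kingsoft\Office\6.0\Common\InfoHD3Verify_C, written by wpsupdate.exe
INFOHD3_VERIFY_C = (
    "32003000320034002d0039002d00310031007c00570044004300200032002e0035002b0032003300"
    "3200310033003800380030003400310036003500200020002000200020002000200020007c003700"
    "36002d00320043002d00390032002d00380043002d00430041002d00300033000000"
)
# ...\Device Parameters\Partmgr\SnapshotDataCache, written by vssvc.exe (first 24 bytes only)
SNAPSHOT_DATA_CACHE = "534e41505041525401000000700000008ec7416a00000000"
# HKLM\SOFTWARE\Classes\Installer\Products\<squished ProductCode> and its UpgradeCodes key
PRODUCT_KEY = "92C689C0BCC2ABD4B847897C3B81B73B"
UPGRADE_KEY = "EBC4B8230F812E044916E39B3C50E513"
PRODUCT_VERSION = 101253126  # Products\<code>\Version, REG_DWORD


def decode_utf16_value(hex_data: str) -> str:
    """Registry string dumped as hex (UTF-16LE) -> str, trailing NUL terminators removed."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def parse_hardware_id(hex_data: str) -> dict:
    """InfoHD3Verify_C reads as 'date|disk model+serial|MAC'; the field names are an assumption."""
    date, disk, mac = decode_utf16_value(hex_data).split("|")
    return {"date": date.strip(), "disk": disk.strip(), "mac": mac.strip()}


def snapshot_cache_magic(hex_data: str) -> str:
    """The partmgr snapshot cache starts with an 8-byte ASCII tag."""
    return bytes.fromhex(hex_data)[:8].decode("ascii")


def expand_installer_guid(squished: str) -> str:
    """Windows Installer stores GUIDs with the first three fields reversed whole and the
    last two fields reversed byte by byte; undo that to get the braced GUID."""
    s = squished.upper()
    if len(s) != 32:
        raise ValueError("squished GUID must be 32 hex digits")
    fields = [s[0:8][::-1], s[8:12][::-1], s[12:16][::-1]]
    swapped = "".join(s[i:i + 2][::-1] for i in range(16, 32, 2))
    fields += [swapped[:4], swapped[4:]]
    return "{" + "-".join(fields) + "}"


def squish_installer_guid(guid: str) -> str:
    """Inverse of expand_installer_guid: '{...}' GUID -> 32-digit registry key name."""
    f = guid.strip("{}").upper().split("-")
    tail = f[3] + f[4]  # 4 + 12 hex digits, swapped pairwise
    return f[0][::-1] + f[1][::-1] + f[2][::-1] + "".join(tail[i:i + 2][::-1] for i in range(0, 16, 2))


def decode_msi_version(packed: int) -> str:
    """Products\\<code>\\Version packs major<<24 | minor<<16 | build."""
    return f"{packed >> 24}.{(packed >> 16) & 0xFF}.{packed & 0xFFFF}"


if __name__ == "__main__":
    print(parse_hardware_id(INFOHD3_VERIFY_C))
    print(snapshot_cache_magic(SNAPSHOT_DATA_CACHE))
    print(expand_installer_guid(PRODUCT_KEY), expand_installer_guid(UPGRADE_KEY))
    print(decode_msi_version(PRODUCT_VERSION))
```

The expanded ProductCode is what you query for on other hosts (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{GUID} and the squished form under Installer\UserData); the expanded UpgradeCode lets you catch later builds of the same package even if the ProductCode changes.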
- Suspicious behavior: EnumeratesProcesses (64 IoCs, listing capped)
  pid | Process | entries
  2564 | msiexec.exe | 2
  3060 | wpsupdate.exe | 4
  4404 | qPptEPZEtb29.exe | 2
  4828 | qPptEPZEtb29.exe | 56
- Suspicious use of AdjustPrivilegeToken (64 IoCs, listing capped)
  2724 msiexec.exe, in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2564 msiexec.exe: SeSecurityPrivilege (once, early in the run), SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege toggled alternately for the rest of the listing
  464 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  The long list for 2724 is how the Windows Installer client normally behaves (it enables every privilege present in its token up front); the backup/restore/take-ownership toggling by the service (2564) is file installation with full access. Neither is attributable to the dropped executables, none of which appear in this signature.
- Suspicious use of FindShellTrayWindow (7 IoCs)
  pid | Process | entries
  2724 | msiexec.exe | 2
  3060 | wpsupdate.exe | 5

- Suspicious use of SendNotifyMessage (5 IoCs)
  pid | Process | entries
  3060 | wpsupdate.exe | 5

- Suspicious use of WriteProcessMemory (14 IoCs)
  source pid (Process) -> target pid | entries | procid_target
  2564 (msiexec.exe) -> 1672 | 2 | 99
  2564 (msiexec.exe) -> 2332 | 3 | 101
  2332 (MsiExec.exe) -> 2188 | 3 | 102
  2332 (MsiExec.exe) -> 4404 | 3 | 104
  2332 (MsiExec.exe) -> 3060 | 3 | 105
  Each target is a child the source had just created, so these writes are consistent with process start-up rather than injection into an unrelated process; they are also the links from which the parent/child structure of the process tree below is derived.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. Here it is driven by the installer's restore-point creation (srtasks.exe ExecuteScopeRestorePoint, see the process tree).
Processes
Indentation shows parent/child as recorded by the sandbox; the PID follows each image. The trailing digits that were fused onto the command lines in the original listing were tree-depth markers, not part of the arguments.

- C:\Windows\system32\msiexec.exe  [PID 2724]
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
  signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe  [PID 2564]
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  (the Windows Installer service; everything the package does runs under it)

  - C:\Windows\system32\srtasks.exe  [PID 1672]
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    (restore-point creation requested by the installer; this is what brings vssvc.exe into the run)

  - C:\Windows\syswow64\MsiExec.exe  [PID 2332]
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 216C2C84EF05DA8B454428DD134EAC40 E Global\MSI0000
    signatures: System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    (32-bit custom action server; the three dropped executables below are launched from it)

    - C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe  [PID 2188]
      command line: "C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe" x "C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH" -o"C:\Program Files\LaunchAdvisorUnique\" -pasvgcrJQGolJwtcpGtoH -y
      signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery
      (x <archive> -o<dir> -p<password> -y is 7-Zip's extract syntax, so jzafRqbTGRDF.exe is consistent with a renamed 7-Zip binary. The password-protected archive sqFZEXePXWvsoVXJtAfH is unpacked into the same directory and produces qPptEPZEtb29.exe; the password asvgcrJQGolJwtcpGtoH is on the command line and therefore recoverable from process-creation telemetry)

    - C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe  [PID 4404]
      command line: "C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -number 268 -file file3 -mode mode3 -flag flag3
      signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses

    - C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe  [PID 3060]
      command line: "C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe"
      signatures: Writes to the Master Boot Record (MBR); Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

- C:\Windows\system32\vssvc.exe  [PID 464]
  command line: C:\Windows\system32\vssvc.exe
  signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

- C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe  [PID 4828]
  command line: "C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -file file3 -mode mode3 -flag flag3 -number 200
  signatures: Enumerates connected drives; Executes dropped EXE; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses
  (no parent recorded in the tree; this second instance, launched with -number 200 instead of 268, is the process whose memory matched purplefox_rootkit and family_gh0strat and is the source of most of the process-enumeration calls)
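The three behaviours in this tree that a detection engineer would want rules for are the custom action server spawning executables from Program Files, a non-7-Zip binary being driven with 7-Zip's password-extraction arguments, and a process opening the raw disk device for writing. The following is an added example, not part of the tria.ge report, that runs those three checks over process-creation and file events; PROC_EVENTS and FILE_EVENTS are constructed from the tree and IoC lines above (parent PIDs follow the WriteProcessMemory links), and the rule names and the list of legitimate archiver names are my own.

```python
import os

# Constructed from the report's process tree (pid, parent pid, image, command line).
PROC_EVENTS = [
    {"pid": 2564, "ppid": None, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1672, "ppid": 2564, "image": r"C:\Windows\system32\srtasks.exe",
     "cmdline": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"pid": 2332, "ppid": 2564, "image": r"C:\Windows\syswow64\MsiExec.exe",
     "cmdline": r"C:\Windows\syswow64\MsiExec.exe -Embedding 216C2C84EF05DA8B454428DD134EAC40 E Global\MSI0000"},
    {"pid": 2188, "ppid": 2332, "image": r"C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe",
     "cmdline": r'"C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe" x "C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH" -o"C:\Program Files\LaunchAdvisorUnique\" -pasvgcrJQGolJwtcpGtoH -y'},
    {"pid": 4404, "ppid": 2332, "image": r"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe",
     "cmdline": r'"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -number 268 -file file3 -mode mode3 -flag flag3'},
    {"pid": 3060, "ppid": 2332, "image": r"C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe",
     "cmdline": r'"C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe"'},
]
# Constructed from the "Writes to the Master Boot Record" IoC.
FILE_EVENTS = [
    {"pid": 3060, "op": "open_write", "path": r"\??\PhysicalDrive0"},
]

# Image names under which 7-Zip legitimately runs (my list, extend for your estate).
ARCHIVER_NAMES = {"7z.exe", "7za.exe", "7zg.exe", "7zr.exe"}


def split_cmdline(cmdline: str) -> list:
    """Windows-style split: whitespace separates arguments except inside double quotes."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def seven_zip_args(tokens: list):
    """Recognise 7-Zip's 'x <archive> -o<dir> -p<password> -y' form; None if it is not that shape."""
    if len(tokens) < 3 or tokens[1] != "x":
        return None
    info = {"archive": tokens[2], "out_dir": None, "password": None, "assume_yes": False}
    for t in tokens[3:]:
        if t.startswith("-o"):
            info["out_dir"] = t[2:]
        elif t.startswith("-p"):
            info["password"] = t[2:]
        elif t == "-y":
            info["assume_yes"] = True
    return info


def image_name(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(proc_events: list, file_events: list) -> list:
    """Apply the three rules; each hit is {'rule', 'pid', 'detail'}."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        name = image_name(e["image"])
        args = seven_zip_args(split_cmdline(e["cmdline"]))
        if args and args["password"] and name not in ARCHIVER_NAMES:
            hits.append({"rule": "renamed_archiver_extracts_password_archive", "pid": e["pid"],
                         "detail": f"{name} extracts {args['archive']} with password {args['password']}"})
        parent = by_pid.get(e["ppid"])
        if (parent and image_name(parent["image"]) == "msiexec.exe"
                and "-Embedding" in parent["cmdline"]          # custom action server
                and e["image"].lower().startswith("c:\\program files\\")):
            hits.append({"rule": "msi_custom_action_spawns_program_files_exe", "pid": e["pid"],
                         "detail": f"{name} launched by MsiExec custom action server {parent['pid']}"})
    for f in file_events:
        if f["op"] == "open_write" and f["path"].upper().endswith("PHYSICALDRIVE0"):
            proc = by_pid.get(f["pid"], {"image": "?"})
            hits.append({"rule": "raw_disk_write_handle", "pid": f["pid"],
                         "detail": f"{image_name(proc['image'])} opened {f['path']} for write"})
    return hits


if __name__ == "__main__":
    for h in evaluate(PROC_EVENTS, FILE_EVENTS):
        print(h["rule"], h["pid"], h["detail"])
```

The first rule fires on 2188 and recovers the archive password from the command line, which is enough to unpack sqFZEXePXWvsoVXJtAfH from a disk image for static analysis. The second rule is noisy on its own (installers do run post-install executables) and is best used as context that raises the severity of the other two; the third is the one that should page someone.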
Network
MITRE ATT&CK Enterprise v15
Tactic          | Technique                     | Sub-technique      | Count
Persistence     | Event Triggered Execution     | Installer Packages | 1
Persistence     | Pre-OS Boot                   | Bootkit            | 1
Defense Evasion | Pre-OS Boot                   | Bootkit            | 1
Defense Evasion | System Binary Proxy Execution | Msiexec            | 1
Downloads
Files written during the run. Only the last entry carries a path in this copy of the report; the 17.9MB entry has the same hashes as the submitted wpsupdate.msi.

- Filesize 7KB
  MD5 7dab22ed48eb1dc86b106244ea5984cb
  SHA1 d2444915ab13de25a49cc72c858f9f518859e213
  SHA256 53a44bc6e72f515b7b0fc6e5f259bd347f6d2448737da80933a4fb4e6bda812b
  SHA512 251a48de3761320b66e47534e9f3f1eb7cd13beb60506ca736a24145046e672505529def15ba76c568b321719daf9a2b1579e2b9e275f48863a420ce6e8fd39b

- Filesize 574KB
  MD5 42badc1d2f03a8b1e4875740d3d49336
  SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

- Filesize 2.1MB
  MD5 03362c3b0c370e2d69835e761c3e4e39
  SHA1 50e80b7cd693b070238e4d9b9c6fe1c4aee72ebb
  SHA256 eb63c7b4ce832c8bc998e153ed32ef86a767402c0f68ec7d4719ffd3c35ab1dc
  SHA512 340fcf7b6b795f21fe5dd0f144ee4bde0aef49f51eb811a6d01bb4354d0d52d90ad0a691d6f0660d74ce1c269be64a315f31deffaad967de78c8c0c035085e86

- Filesize 745KB
  MD5 1e97cf2c873236220e524271fa7c1937
  SHA1 11318422806b64985ab81df5c0f561f12b53e240
  SHA256 5252b5f301b1db5f73985a6134213a8353f561652001265432e7109cf87c466d
  SHA512 fbda82c35c29c6b602ff03d39fd82a8521e2d738aa551e3128c1db76fed35ac5a9ee0b201513e8baadb31eafc0b89e7f27b32f1319cd2eb3e2de57b3e3d75f3c

- Filesize 6.0MB
  MD5 57dadd6a929f64c2b1efe2d52c1c4985
  SHA1 962cb227f81f885f23826c3e040aa9dbc97659cf
  SHA256 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
  SHA512 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

- Filesize 2KB
  MD5 81ff6b8703a04606f3a5b3948f9c7158
  SHA1 d83da365eae19fe75f6bbda3ac63111b1d2273d7
  SHA256 9f71ac7bb93c7cf49439893fc6a0115a76a58f29377af0e4122a4f90169fb9cc
  SHA512 d1ce4dfc4bf90ee9af1334256e1cac3dfac58558e67e94d374e347e73c2520e2d0c6903642f909ef14f42c24540abe2aca3a3f3955bc259044f48c43ab5900a2

- Filesize 17.9MB (identical hashes to the submitted sample wpsupdate.msi)
  MD5 151a066813a13375522df7282f2837d8
  SHA1 61ff6e9d0be8681c59e8296d4d8a2b3579044858
  SHA256 9a6bc8d7631fe970648bc6d30c99b8764fb9f1e51fca7220799b8d3e6cfa86ea
  SHA512 4e101083b6df77435a857bd9c5322c16e18742b82de82dc0282ff47d104acaf475f5619b4048c59d29fb3db0006d385786e5b82e67ce132c0e87d411fec8ba5d

- Filesize 23.7MB
  MD5 be75974be3e0ebc061877b58c8c8b0c1
  SHA1 cb83b0a494f04bcba23436d85c1fd70f8875d2d5
  SHA256 2b5efac303741004ad6a3ca195f08a8ce7fdc524a27463164b515d8e6060d5cd
  SHA512 293fe20b611c3679d6337e9726fdf187e8fe0820859def247f6f3c588cced80115fb53d9aab6570eee9639ae8ab92f1335bf9eee691fe4e1851057b548556e41

- \??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2456e141-804a-4898-aac1-384abc9a42f7}_OnDiskSnapshotProp
  Filesize 6KB
  MD5 c601d37ef88666663cf7f77002be05e6
  SHA1 59301e01a44e979b6df4655140b055bf33fada0c
  SHA256 3d042302f6a50c97c1b4e5d999bcc2fb45758352f640d06b1f6a8b676df1e675
  SHA512 f589f7ed82f4b1b58b383924556f9a7727d5fe314c258e3fce7d9fe55f4eefc3ac43cba0211bf3b931a88b04f8dfbfd2e0a12d780719f9675aaedca7fc40244d
  (System Restore metadata written by the restore-point creation, not a malware artefact)