Analysis
max time kernel: 149s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 09:25
Static task: static1
Behavioral task: behavioral1
  Sample: tupdte-x645.4.2.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: tupdte-x645.4.2.msi
  Resource: win10v2004-20240802-en
General
Target: tupdte-x645.4.2.msi
Size: 57.0MB
MD5: f10e41a3d26bc967d29e943e7646412e
SHA1: 5bf433fc21ae4642b5e2d3554ea635276c7d69d2
SHA256: cfe864dc8921cc9f0655628dab61186aaf6c2637bfb07330761235e0d313ede7
SHA512: 353d0209b07ef0bfb33f590c49790c38475f68fa2a8a1b2f0cd162fe709fbb8401a732c3986421fd972bec0cc41af759b2eaa8b7aaaeaa541a4a107edf89ed81
SSDEEP: 1572864:KqMBR7E4kP1EiuC8IOcJcxYqK3/3uT19fP3Jf:KtR7E4+1ENIH+6/uT19H3Jf
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / Process:
- Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\down.lnk" ({C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe)
Blocklisted process makes network request (13 IoCs)
flow / pid / Process:
- 5 2360 MsiExec.exe
- 7 2360 MsiExec.exe
- 9 2360 MsiExec.exe
- 11 2360 MsiExec.exe
- 13 2360 MsiExec.exe
- 15 2360 MsiExec.exe
- 17 2360 MsiExec.exe
- 18 2360 MsiExec.exe
- 19 2360 MsiExec.exe
- 20 2360 MsiExec.exe
- 21 2360 MsiExec.exe
- 22 2360 MsiExec.exe
- 23 2360 MsiExec.exe
Downloads MZ/PE file
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (5 IoCs)
description / ioc / Process:
- File created C:\Program Files (x86)\您或您公司的名\您的应用程序\Telegram\tdata\settingss (msiexec.exe)
- File created C:\Program Files (x86)\您或您公司的名\您的应用程序\Telegram\Telegram.exe (msiexec.exe)
- File created C:\Program Files (x86)\您或您公司的名\您的应用程序\Telegram\Fload.dll (msiexec.exe)
- File created C:\Program Files (x86)\您或您公司的名\您的应用程序\Telegram\tdata\9D4DFB963994C8D5s (msiexec.exe)
- File created C:\Program Files (x86)\您或您公司的名\您的应用程序\Telegram\tdata\B543786E6393CA52s (msiexec.exe)
Drops file in Windows directory (11 IoCs)
description / ioc / Process:
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File created C:\Windows\Installer\f77c8bc.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSID0E9.tmp (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created C:\Windows\Installer\f77c8bb.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\f77c8bb.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIC929.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSICA23.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\f77c8bc.ipi (msiexec.exe)
Executes dropped EXE (2 IoCs)
pid / Process:
- 1988 down.exe
- 2140 {C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe
Loads dropped DLL (19 IoCs)
pid / Process:
- 2120 MsiExec.exe
- 2120 MsiExec.exe
- 2120 MsiExec.exe
- 2120 MsiExec.exe
- 2120 MsiExec.exe
- 1864 MsiExec.exe
- 2300 msiexec.exe
- 1232 Process not Found
- 1232 Process not Found
- 1232 Process not Found
- 1232 Process not Found
- 2360 MsiExec.exe
- 2360 MsiExec.exe
- 2360 MsiExec.exe
- 1988 down.exe
- 1988 down.exe
- 1988 down.exe
- 1988 down.exe
- 1988 down.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid / Process:
- 1632 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ({C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe)
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (1 IoC)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1726306089" ({C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe)
Suspicious behavior: EnumeratesProcesses (63 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process:
- 1632 msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
pid / Process:
- 1632 msiexec.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid / Process:
- 1988 down.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tupdte-x645.4.2.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1632

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2300

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F8B2879FDC15A11296E14E2432D4B129 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2120

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E92927DB5D72C2CC0F7D81B20EDD24E9
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1864

  C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding B6B7D8C11B42F491C85638F1A8DF7447
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 2360

    C:\Users\Admin\ebcce391-6e86-4cbb-8680-b950e9bbc12b\down.exe
      Command line: C:\Users\Admin\ebcce391-6e86-4cbb-8680-b950e9bbc12b\down.exe
      - Enumerates connected drives
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 1988

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1420

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C8" "00000000000003D4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID: 1776

C:\Users\Admin\AppData\Local\Temp\{C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\{C52CCD0E-91DD-4c61-93EF-7C4F291CFE0F}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{3CE8C85B-1961-4dcd-A2D2-BC39718FAA54}"
  - Adds Run key to start application
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID: 2140
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Installer Packages (1)
Downloads