Overview
Analysis
max time kernel: 112s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2024, 10:21
Behavioral tasks (task: sample, resource)
behavioral1: 汇博计件工资(2005-03-16-16-02)/Common/UninstallPgm/Uninstall.exe, win7-20240903-en
behavioral2: 汇博计件工资(2005-03-16-16-02)/Common/UninstallPgm/Uninstall.exe, win10v2004-20240802-en
behavioral3 (this report): 汇博计件工资(2005-03-16-16-02)/Console/Msi/Hyper_CSalary.msi, win7-20240903-en
behavioral4: 汇博计件工资(2005-03-16-16-02)/Console/Msi/Hyper_CSalary.msi, win10v2004-20240802-en
behavioral5: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/GBMgr.dll, win7-20240903-en
behavioral6: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/GBMgr.dll, win10v2004-20240802-en
behavioral7: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/PSMgr.dll, win7-20240903-en
behavioral8: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/PSMgr.dll, win10v2004-20240802-en
behavioral9: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/SMMgr.dll, win7-20240708-en
behavioral10: 汇博计件工资(2005-03-16-16-02)/Desktop/Dlls/Component/SMMgr.dll, win10v2004-20240802-en
behavioral11: 汇博计件工资(2005-03-16-16-02)/Desktop/HYPER_DESKTOP.exe, win7-20240729-en
behavioral12: 汇博计件工资(2005-03-16-16-02)/Desktop/HYPER_DESKTOP.exe, win10v2004-20240802-en
behavioral13: 汇博计件工资(2005-03-16-16-02)/Desktop/Help/Hyper_CSalary.chm, win7-20240708-en
behavioral14: 汇博计件工资(2005-03-16-16-02)/Desktop/Help/Hyper_CSalary.chm, win10v2004-20240802-en
behavioral15: 汇博计件工资(2005-03-16-16-02)/Setup.exe, win7-20240708-en
behavioral16: 汇博计件工资(2005-03-16-16-02)/Setup.exe, win10v2004-20240802-en
General
Target: 汇博计件工资(2005-03-16-16-02)/Console/Msi/Hyper_CSalary.msi
Size: 1.0MB
MD5: 67a5074ca2b8464718a00c5f55f9743d
SHA1: 1dd452c81ecacea06cf83a20bb4790f362d99a93
SHA256: e9dd12f517d4cd25638a0445056f8513780f07d716792f28637b68c48e9df4ac
SHA512: eb9941a73ca7ddadaddc56c1bc8cc309ee3855789c6d06c2c2f8aa5f379fed9f32e7cb498a58ae6fe2f295fbca37816be01398f9745c0b016742981c0d366aa3
SSDEEP: 24576:INaXTzN9JSp2CfD49SSLyZGcvjSI/GZtSLLZaVk:INajznJC2CrPSeZtjstoZaW
Malware Config
Signatures
YARA rule aspack_v212_v242 matched 3 dropped files (3 IoCs)
Dropped files match the YARA rule for the ASPack executable packer, versions 2.12 to 2.42. ASPack is a commercial packer; a match means the dropped file is compressed/obfuscated, which is common in both malware and older commercial software and is not by itself evidence of malicious behaviour.
resource                                     yara_rule
behavioral3/files/0x00040000000195ec-13.dat  aspack_v212_v242
behavioral3/files/0x0004000000019630-15.dat  aspack_v212_v242
behavioral3/files/0x0004000000019625-14.dat  aspack_v212_v242
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); process: msiexec.exe. The 46 entries cover the following 23 root paths, each appearing twice (the process tree below attributes this signature to both msiexec.exe processes, PID 2564 and PID 2164):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
The letters C:, D: and F: do not appear in the list.
Drops file in System32 directory (1 IoC)
- File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG (msdtc.exe)
Drops file in Program Files directory (5 IoCs)
- File created C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\GBMgr.dll (msiexec.exe)
- File created C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\PSMgr.dll (msiexec.exe)
- File created C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp1 (dllhost.exe)
- File created C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\APL67.tmp (msiexec.exe)
- File created C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\SMMgr.dll (msiexec.exe)
The folder name is the AppID {146B8980-B363-4C2C-8E70-C2787CB050F5} that the registry section below ties to the three CLSIDs of GBMgr.dll, PSMgr.dll and SMMgr.dll, so these three DLLs are the COM+ application being installed.
Drops file in Windows directory (13 IoCs)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File created C:\Windows\Registration\_RegDBWrt.clb (dllhost.exe)
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification C:\Windows\DtcInstall.log (msdtc.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created C:\Windows\Installer\f78eacc.msi (msiexec.exe)
- File created C:\Windows\Installer\f78eacf.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIECBF.tmp (msiexec.exe)
- File created C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88AD12B1-C1FC-45BC-B4D0-2AA814A0A964}.crmlog (dllhost.exe)
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{88AD12B1-C1FC-45BC-B4D0-2AA814A0A964}.crmlog (dllhost.exe)
- File opened for modification C:\Windows\Registration\_RegDBWrt.clb (dllhost.exe)
- File opened for modification C:\Windows\Installer\f78eacc.msi (msiexec.exe)
C:\Windows\Registration\*.clb is the COM+ catalog (registration database) and the .crmlog file is a COM+ Compensating Resource Manager log; both are written by the COM+ catalog server (dllhost.exe, PID 2948 in the process tree) while it registers the application, not directly by the installer's own files.
Loads dropped DLL (3 IoCs)
pid   Process
2784  RunDll32.exe
2860  RunDll32.exe
2788  RunDll32.exe
These are the three RunDll32.exe children of dllhost.exe (PID 2948) in the process tree; each loads one of the dropped DLLs (SMMgr.dll, GBMgr.dll, PSMgr.dll) through catsrvut.dll,QueryUserDll.
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid   Process
2564  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RunDll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RunDll32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RunDll32.exe
Modifies data under HKEY_USERS (43 IoCs)
All 43 entries are by DrvInst.exe. Except for the single "Set value" entry, each is "Key created" on the listed key:
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
These are the certificate-store and WinTrust keys that Windows creates under the .DEFAULT hive when a SYSTEM-context process first opens the system certificate stores. The writer is DrvInst.exe, the Windows driver-installation helper launched for the STORAGE\VolumeSnapshot device (see its command line in the process tree), so this signature reflects the shadow-copy snapshot taken during the MSI install rather than code from the package.
Modifies registry class (26 IoCs)
All 26 entries are by msiexec.exe:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\ProgID\ = "SmMgr.CoSmMgr"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0052005d0024004f004c00500066007b002c003d00560065002d002c0021002d005700650039004c0000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\ProgID\ = "PSMgr.CoPSMgr"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RunAs = "Interactive User"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0063003f00750045006e003800790062005e0040007e0043004100300061007e0024006c003f002c0000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\PSMgr.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\GBMgr.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\SMMgr.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\ProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RemoteServerName = "ZDW"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e00420041005e002500390065002a00340032003d006d0048006c003200770042005e007a007600580000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\ProgID\ = "GBMgr.CoGBMgr"
Read together: the three classes SmMgr.CoSmMgr, PSMgr.CoPSMgr and GBMgr.CoGBMgr are bound to the single AppID {146B8980-B363-4C2C-8E70-C2787CB050F5}, and that AppID is configured with RemoteServerName = "ZDW" and RunAs = "Interactive User". An AppID with RemoteServerName tells DCOM to activate the class on that named remote host rather than on the local machine, so clients of these ProgIDs will reach out to a server called ZDW. The RemoteServer (data) values are UTF-16LE strings with the layout <20 characters>'>'<20 characters>; that is the Windows Installer descriptor format (base-85 compressed ProductCode, optional feature name, '>', compressed ComponentId) that the MSI Class table writes for an advertised class, not a hostname or address. The three descriptors share the same first 20 characters, i.e. the same ProductCode, and differ only in the component.
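The following script is an added example; it is not part of the tria.ge report and not code from the installer it describes. It parses a subset of the registry IoC lines above (copied verbatim as constructed input), decodes the (data) values as UTF-16LE, splits the Windows Installer descriptors into ProductCode and ComponentId, and groups the CLSID and AppID registrations so the remote-activation configuration is visible in one place. Assumptions: the base-85 alphabet and the DWORD-to-GUID byte layout of compressed GUIDs are those implemented by Wine's msi library; the function names and the SAMPLE_IOCS list are mine.

```python
"""Decode COM/AppID registrations from sandbox registry IoC lines.

Added example, not part of the tria.ge report nor of the analysed installer.
"""
import re
import uuid

# Alphabet of Windows Installer "compressed" GUIDs (assumed from Wine's msi).
# '<' and '>' are absent on purpose: they separate descriptor fields.
ALPHABET = ("!$%&'()*+,-.0123456789=?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "[]^_`abcdefghijklmnopqrstuvwxyz{}~")
DEC = {c: i for i, c in enumerate(ALPHABET)}

# One report line: operation, registry path, optional '= value', writing process.
IOC_RE = re.compile(r"^(Key created|Set value \((?:str|data)\)) (.+?)(?: = (.+))? (\S+)$")

# Constructed input: lines copied from the report's registry sections.
SAMPLE_IOCS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\ProgID\ = "SmMgr.CoSmMgr" msiexec.exe',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0052005d0024004f004c00500066007b002c003d00560065002d002c0021002d005700650039004c0000000000 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\ProgID\ = "PSMgr.CoPSMgr" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RunAs = "Interactive User" msiexec.exe',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C7ED57-7AFE-4CA3-B044-B0AE1895DF1C}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e0063003f00750045006e003800790062005e0040007e0043004100300061007e0024006c003f002c0000000000 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\RemoteServer\ = "C:\\PROGRA~2\\COMPLU~1\\{146B8~1\\PSMgr.dll" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71704CA6-DC36-44D0-A984-5500561FCE70}\AppID = "{146B8980-B363-4C2C-8E70-C2787CB050F5}" msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{146B8980-B363-4C2C-8E70-C2787CB050F5}\RemoteServerName = "ZDW" msiexec.exe',
    r'Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\RemoteServer\RemoteServer = 72006e00300028002e0067007e002c0063003d0071006a00630050004c0064002b006500760032003e00420041005e002500390065002a00340032003d006d0048006c003200770042005e007a007600580000000000 msiexec.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{416F8093-5E4B-44F8-B30C-3BF3356E3398}\ProgID\ = "GBMgr.CoGBMgr" msiexec.exe',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe',
]


def decode_reg_string(hex_data: str) -> list:
    """Decode a hex-dumped REG_SZ/REG_MULTI_SZ/REG_BINARY value as UTF-16LE strings."""
    text = bytes.fromhex(hex_data).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def decode_compressed_guid(s: str) -> str:
    """20 base-85 chars -> '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'.

    Each 5-char group is one DWORD with the first char least significant; the
    four DWORDs are the in-memory (bytes_le) layout of the GUID.
    """
    if len(s) != 20 or any(ch not in DEC for ch in s):
        raise ValueError("not a compressed GUID: %r" % s)
    raw = b""
    for i in range(0, 20, 5):
        val = 0
        for ch in reversed(s[i:i + 5]):
            val = val * 85 + DEC[ch]
        raw += (val & 0xFFFFFFFF).to_bytes(4, "little")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def encode_compressed_guid(guid: str) -> str:
    """Inverse of decode_compressed_guid; used to check the round trip."""
    raw = uuid.UUID(guid.strip("{}")).bytes_le
    out = []
    for i in range(0, 16, 4):
        val = int.from_bytes(raw[i:i + 4], "little")
        for _ in range(5):
            out.append(ALPHABET[val % 85])
            val //= 85
    return "".join(out)


def parse_descriptor(desc: str) -> dict:
    """Split '<product:20>[feature]><component:20>' into decoded GUIDs."""
    m = re.fullmatch(r"([^<>]*)[<>](.{20})", desc[20:])
    if len(desc) < 41 or not m:
        raise ValueError("not a Windows Installer descriptor: %r" % desc)
    return {"product": decode_compressed_guid(desc[:20]),
            "feature": m.group(1),
            "component": decode_compressed_guid(m.group(2))}


def summarize(lines: list) -> dict:
    """Group values by CLSID and AppID, decoding binary values on the way."""
    out = {"classes": {}, "appids": {}, "other": {}}
    for line in lines:
        m = IOC_RE.match(line)
        if not m or m.group(3) is None:      # 'Key created' carries no value
            continue
        op, path, value, _proc = m.groups()
        parts = path.split("\\")
        if "CLSID" in parts:
            entry = out["classes"].setdefault(parts[parts.index("CLSID") + 1], {})
        elif "AppID" in parts:
            entry = out["appids"].setdefault(parts[parts.index("AppID") + 1], {})
        else:
            entry = out["other"]
        name = parts[-1] or parts[-2]        # trailing '\' means the default value
        if op.endswith("(data)"):
            strings = decode_reg_string(value)
            if name == "RemoteServer":       # descriptor stored beside the path
                entry["descriptor"] = parse_descriptor(strings[0])
            else:
                entry[name] = strings
        else:
            entry[name] = value.strip('"')
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_IOCS), indent=2))
```

Running it prints one record per CLSID (ProgID, local DLL path, AppID, decoded ProductCode and ComponentId) and one for the AppID with its RunAs and RemoteServerName. The two values to act on are the shared AppID and its RemoteServerName "ZDW"; the decoded ComponentIds can be matched against the MSI's Component table or against HKLM\SOFTWARE\Classes\Installer\Components on a host where the package is installed.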
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2164  msiexec.exe
2164  msiexec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2564  msiexec.exe
Suspicious use of AdjustPrivilegeToken (55 IoCs)
Token privileges adjusted, in the order reported, grouped by consecutive entries of the same process:
- msiexec.exe (PID 2564): SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- msiexec.exe (PID 2164): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
- msiexec.exe (PID 2564): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- vssvc.exe (PID 2120): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- msiexec.exe (PID 2164): SeBackupPrivilege, SeRestorePrivilege
- DrvInst.exe (PID 2732): SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
- msiexec.exe (PID 2164): SeRestorePrivilege, SeTakeOwnershipPrivilege, repeated three times
The 29-privilege sweep by PID 2564 is the Windows Installer client process enabling every privilege present in its token; it is how msiexec.exe behaves for any package and is not specific to this installer.
Suspicious use of FindShellTrayWindow (1 IoC)
pid   Process
2564  msiexec.exe
Suspicious use of WriteProcessMemory (21 IoCs)
dllhost.exe (PID 2948) wrote to the memory of each of its three RunDll32.exe children seven times:
- PID 2784 (procid_target 35), 7 entries
- PID 2860 (procid_target 36), 7 entries
- PID 2788 (procid_target 37), 7 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2564)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\汇博计件工资(2005-03-16-16-02)\Console\Msi\Hyper_CSalary.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2164)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\vssvc.exe (PID 2120)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2732)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "0000000000000398"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\dllhost.exe (PID 2948)
  Command line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\RunDll32.exe (PID 2784)
    Command line: C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\SMMgr.dll" Global\{6A2DBFE5-7CAA-4CD2-925C-DCF4E521E8CA}
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\RunDll32.exe (PID 2860)
    Command line: C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\GBMgr.dll" Global\{3389B280-6071-4E13-9D2D-FBB95D0D6D6A}
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\RunDll32.exe (PID 2788)
    Command line: C:\Windows\SysWOW64\RunDll32 C:\Windows\SysWOW64\catsrvut.dll,QueryUserDll "C:\Program Files (x86)\COMPlus Applications\{146B8980-B363-4C2C-8E70-C2787CB050F5}\PSMgr.dll" Global\{C92BEC13-4F38-482C-94CB-6255580B80AE}
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
- C:\Windows\System32\msdtc.exe (PID 560)
  Command line: C:\Windows\System32\msdtc.exe
  - Drops file in System32 directory
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 26KB
MD5: cb4d90d434e66313ae39537e8029a3cb
SHA1: beba31924ba0cfd10e865da8f8d8934e0ccc15bb
SHA256: 1e33dc804e259d9b46a134dd9db1408483889c9e6c230c65e1e8c975a28ed709
SHA512: 5e99f93bc9234ab7c750717c1d3f4e0b09664fe0d07015edef068da2952ed377a91aaa6f2010cb9bda60263359f9ec457890e3bd0c6b8785c71958df0f414a0a

Filesize: 34KB
MD5: ee13670ec560671c82c0a21e04fe155c
SHA1: b0db9c8d35269d70bd3c3b924de3d5f62661d995
SHA256: d79879a2ec161b82f24274f7b22556d7125e4d22a8366e88be3d769a307e4a37
SHA512: b6c5dfb925e8c2f2adef5b85b8fbec25b3cf441db8b0b5ebd5ca37164d68d69c83b808e38417c7631818fd2f69000fc46925b31eb13fc08c899af359c608c3f0

Filesize: 273KB
MD5: 3342ecfc6f36cd3582bbb8a7b238b7b6
SHA1: 1622f6bce501eeeea1bdd3ba6d20311f34884062
SHA256: 7b0487b746d25ee34bd5781dad8843a4bf7bbb998774de552365c8f6ea618067
SHA512: 44985f3f229f4b7774fb86e25e3a1c316775bb8f9a8fe48031dfbe27fa75f138ed3a536a1eb3dbf18f7e987d81e4e438aa2b11693283f045570e39a58a6fe145

Filesize: 312KB
MD5: 36ec5b141c90b03bbe4e50d300ea50a4
SHA1: bc2124f43e12f99eedfb8a4032bdc753a1b1c7ed
SHA256: 765ee35de88e0d4cade0e985ff9c4bfca9ac7b78862e343a91d5ff133f8bc5e9
SHA512: 97e66114b433c5c1ac696758f5db637a0ed51353727d55931975856613aaba70bbf9fe7ba26100901becdc7a87815e702072c0ddd69b17d35fe3e8467e611708

Filesize: 479KB
MD5: 452d12c662da3e7e57e036b81f293298
SHA1: a6a3f98b16bea3afbb03b8643e9a9243f3b455db
SHA256: 215f8c75776c4afe07141d6fff392d10af1475b8ca5d5cfccc7ad07bf2710519
SHA512: 0174f90b9314e1547cb7a7bea57849f022d173fc6f63072ed3f38c5721af0c7156f88fd2ede9585a866d7ce7575845d1751920c3ba5f8a135244b5f91cd2481b