Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 15-09-2024 17:32

Static task: static1
Behavioral task: behavioral1
Sample: wpsupdate (2).msi
Resource: win7-20240903-en

General
Target: wpsupdate (2).msi
Size: 39.8MB
MD5: 86fda93a447565165b03697059473390
SHA1: cdf7f60ff16bb3f124130fb5f1c73e7c7016a0bb
SHA256: b8a83029d01c5c2c6c2efa7a0078d8ee3624febf0b16643e2745b69b338097ec
SHA512: 1b0cbc0a335f0328ac1fe6846f248a3bb9b62a2f4b478a7f2d08abf7903eda690a49b26c64cd63e19009d3674b9b0001ad3dfc97f8318825181e4c8002f22304
SSDEEP: 786432:dVaamaUAKTBoB8O8KiC1Wn3bc98sG3yq3ymxMwvCRW4FBkXi:v3UdBi3sSrGCq3ymxM4y2Xi

Malware Config

Signatures
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 wpsupdate.exe
Drops file in Program Files directory 11 IoCs
description ioc Process
File created C:\Program Files\ProvideRetailerMagnetic\wpsupdate.exe msiexec.exe
File opened for modification C:\Program Files\ProvideRetailerMagnetic\DbGhYWJuWruS.xml NEQGPbRTAWHt.exe
File opened for modification C:\Program Files\ProvideRetailerMagnetic\DbGhYWJuWruS.exe NEQGPbRTAWHt.exe
File created C:\Program Files\ProvideRetailerMagnetic\LMlDVFUEyr12.exe NEQGPbRTAWHt.exe
File opened for modification C:\Program Files\ProvideRetailerMagnetic\LMlDVFUEyr12.exe NEQGPbRTAWHt.exe
File opened for modification C:\Program Files\ProvideRetailerMagnetic LMlDVFUEyr12.exe
File created C:\Program Files\ProvideRetailerMagnetic\MOELauncherSetup_V0TKW.exe msiexec.exe
File created C:\Program Files\ProvideRetailerMagnetic\NEQGPbRTAWHt.exe msiexec.exe
File created C:\Program Files\ProvideRetailerMagnetic\rByypzZOvLCQebwfnFuc msiexec.exe
File created C:\Program Files\ProvideRetailerMagnetic\DbGhYWJuWruS.xml NEQGPbRTAWHt.exe
File created C:\Program Files\ProvideRetailerMagnetic\DbGhYWJuWruS.exe NEQGPbRTAWHt.exe
Drops file in Windows directory 10 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\f766ce7.ipi msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
File opened for modification C:\Windows\Installer\f766ce6.msi msiexec.exe
File created C:\Windows\Installer\f766ce7.ipi msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSI6DE0.tmp msiexec.exe
File created C:\Windows\Installer\f766ce9.msi msiexec.exe
File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
File created C:\Windows\Installer\f766ce6.msi msiexec.exe
Executes dropped EXE 3 IoCs
pid Process
2384 NEQGPbRTAWHt.exe
1684 LMlDVFUEyr12.exe
2288 wpsupdate.exe

Loads dropped DLL 7 IoCs
pid Process
2592 MsiExec.exe
2592 MsiExec.exe
2592 MsiExec.exe
2592 MsiExec.exe
2592 MsiExec.exe
1684 LMlDVFUEyr12.exe
1684 LMlDVFUEyr12.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NEQGPbRTAWHt.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LMlDVFUEyr12.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpsupdate.exe
Modifies data under HKEY_USERS 64 IoCs
description ioc Process
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00310035007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00460032002d00340035002d00430036002d00410043002d00340033002d00320046000000 wpsupdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHDt = "15" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections wpsupdate.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office wpsupdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3t = "15" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|b7c8e91c8cefa2bcb369bed4549aa3bf" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft wpsupdate.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0 wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3_C = "ee6800d31216ca426dd74ae52cf60c8f" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-9-15" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD = "ee6800d31216ca426dd74ae52cf60c8f" wpsupdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe
Modifies registry class 22 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\PackageCode = "99C52D52BBC3F7A4A84C56A6F8C2065D" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\Language = "1033" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\InstanceType = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\AuthorizedLUAApp = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B6820D0041B11694E901EB67B5755A00 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\Net msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\810A66CA06811EC4D91DEF17DDA0C7D7 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\ProductName = "ProvideRetailerMagnetic" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\Assignment = "1" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\AdvertiseFlags = "388" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\DeploymentFlags = "3" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B6820D0041B11694E901EB67B5755A00\810A66CA06811EC4D91DEF17DDA0C7D7 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\810A66CA06811EC4D91DEF17DDA0C7D7\ProductFeature msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\Version = "67698697" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\PackageName = "wpsupdate (2).msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\810A66CA06811EC4D91DEF17DDA0C7D7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
2740 msiexec.exe
2740 msiexec.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
1684 LMlDVFUEyr12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 2236 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2236 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeSecurityPrivilege 2740 msiexec.exe
Token: SeCreateTokenPrivilege 2236 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 2236 msiexec.exe
Token: SeLockMemoryPrivilege 2236 msiexec.exe
Token: SeIncreaseQuotaPrivilege 2236 msiexec.exe
Token: SeMachineAccountPrivilege 2236 msiexec.exe
Token: SeTcbPrivilege 2236 msiexec.exe
Token: SeSecurityPrivilege 2236 msiexec.exe
Token: SeTakeOwnershipPrivilege 2236 msiexec.exe
Token: SeLoadDriverPrivilege 2236 msiexec.exe
Token: SeSystemProfilePrivilege 2236 msiexec.exe
Token: SeSystemtimePrivilege 2236 msiexec.exe
Token: SeProfSingleProcessPrivilege 2236 msiexec.exe
Token: SeIncBasePriorityPrivilege 2236 msiexec.exe
Token: SeCreatePagefilePrivilege 2236 msiexec.exe
Token: SeCreatePermanentPrivilege 2236 msiexec.exe
Token: SeBackupPrivilege 2236 msiexec.exe
Token: SeRestorePrivilege 2236 msiexec.exe
Token: SeShutdownPrivilege 2236 msiexec.exe
Token: SeDebugPrivilege 2236 msiexec.exe
Token: SeAuditPrivilege 2236 msiexec.exe
Token: SeSystemEnvironmentPrivilege 2236 msiexec.exe
Token: SeChangeNotifyPrivilege 2236 msiexec.exe
Token: SeRemoteShutdownPrivilege 2236 msiexec.exe
Token: SeUndockPrivilege 2236 msiexec.exe
Token: SeSyncAgentPrivilege 2236 msiexec.exe
Token: SeEnableDelegationPrivilege 2236 msiexec.exe
Token: SeManageVolumePrivilege 2236 msiexec.exe
Token: SeImpersonatePrivilege 2236 msiexec.exe
Token: SeCreateGlobalPrivilege 2236 msiexec.exe
Token: SeBackupPrivilege 2648 vssvc.exe
Token: SeRestorePrivilege 2648 vssvc.exe
Token: SeAuditPrivilege 2648 vssvc.exe
Token: SeBackupPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2984 DrvInst.exe
Token: SeLoadDriverPrivilege 2984 DrvInst.exe
Token: SeLoadDriverPrivilege 2984 DrvInst.exe
Token: SeLoadDriverPrivilege 2984 DrvInst.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe
Token: SeTakeOwnershipPrivilege 2740 msiexec.exe
Token: SeRestorePrivilege 2740 msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs
pid Process
2236 msiexec.exe
2236 msiexec.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe

Suspicious use of SendNotifyMessage 5 IoCs
pid Process
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe
2288 wpsupdate.exe

Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2740 wrote to memory of 2592 2740 msiexec.exe 34
PID 2592 wrote to memory of 2384 2592 MsiExec.exe 35
PID 2592 wrote to memory of 2384 2592 MsiExec.exe 35
PID 2592 wrote to memory of 2384 2592 MsiExec.exe 35
PID 2592 wrote to memory of 2384 2592 MsiExec.exe 35
PID 2592 wrote to memory of 1684 2592 MsiExec.exe 37
PID 2592 wrote to memory of 1684 2592 MsiExec.exe 37
PID 2592 wrote to memory of 1684 2592 MsiExec.exe 37
PID 2592 wrote to memory of 1684 2592 MsiExec.exe 37
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38
PID 2592 wrote to memory of 2288 2592 MsiExec.exe 38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; each level of indentation is one level deeper in the tree)

C:\Windows\system32\msiexec.exe
  msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\wpsupdate (2).msi"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2236

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2740

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 858E8686BA990E6E855143D9C0A53C0F M Global\MSI0000
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2592

        C:\Program Files\ProvideRetailerMagnetic\NEQGPbRTAWHt.exe
          "C:\Program Files\ProvideRetailerMagnetic\NEQGPbRTAWHt.exe" x "C:\Program Files\ProvideRetailerMagnetic\rByypzZOvLCQebwfnFuc" -o"C:\Program Files\ProvideRetailerMagnetic\" -pdsUolIYrsagRANfTTkPD -y
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID:2384

        C:\Program Files\ProvideRetailerMagnetic\LMlDVFUEyr12.exe
          "C:\Program Files\ProvideRetailerMagnetic\LMlDVFUEyr12.exe" -number 235 -file file3 -mode mode3 -flag flag3
          - Drops file in Program Files directory
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID:1684

        C:\Program Files\ProvideRetailerMagnetic\wpsupdate.exe
          "C:\Program Files\ProvideRetailerMagnetic\wpsupdate.exe"
          - Writes to the Master Boot Record (MBR)
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          PID:2288

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "00000000000005D4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 309d025ceac3a2c45906203a3544609b
SHA1: 5169b25607b340f5bc700b09cfb1b25931190d58
SHA256: 935ca29046ffc6b91ac234938f8665786390f27b7739af9a7a3e277cb0c17b3d
SHA512: f78b91c3bd0f18a7e9c50453bc8dd7804c0e5dc3e1d2046c2c29e22cb3c07b37f583be2310b6a712398a4a2f6e2ede57d8327bc56f19b472434836d56367a0d0

Filesize: 2.8MB
MD5: 09d864bbc9e530c77b353a96a4ea431c
SHA1: 21e4c5a0a60b0ad453979b9177bf4ecef1b650ea
SHA256: 9f8fa7eb001ea30933f5db3baa20ad3905e69c882882410aedd898af6c47a5b3
SHA512: e7e0c098447f8f0294dee98fa0a810d528a3ebbf976b8dedb301b17e2321a400aa9fd7db36a895242730ee37742116e880f41fdbf7f781ab3154a7b60f4b29f5

Filesize: 574KB
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Filesize: 1.7MB
MD5: 3f218cf79b06ffdc7b009b5d33413d01
SHA1: db681a298422ca26a507f8ca6df631a4793d4f29
SHA256: 13e68712c98b65da0c568b54db9f40c8fbd34480fd19520c65859fa936547fcb
SHA512: 9e5567db4010d41a8cccc27d2fd21a81a85fe52c4b9d14149e1cb61c8482eb97b7ce8342748f3a30eeae311fef320b22d896640c0768163666e4ca7b1497dbcd

Filesize: 6.0MB
MD5: 57dadd6a929f64c2b1efe2d52c1c4985
SHA1: 962cb227f81f885f23826c3e040aa9dbc97659cf
SHA256: 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
SHA512: 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

Filesize: 2KB
MD5: 1126f7dd04c71276fabcecd7bc9ac1fb
SHA1: 63088d27a073aa21b190820524bef446c0c37198
SHA256: d6cf9bebe40019f77dacaba899aeed3a67ef53930b069fbbfaa096f41764c254
SHA512: 419cb4105a819dab6146724693aa4f07240f761c311988a15e2b626cc66049e11c8bef92d0e508d3f8f96c5e0374a982d462d9a481223d62081030bbcbcc461b

Filesize: 39.8MB
MD5: 86fda93a447565165b03697059473390
SHA1: cdf7f60ff16bb3f124130fb5f1c73e7c7016a0bb
SHA256: b8a83029d01c5c2c6c2efa7a0078d8ee3624febf0b16643e2745b69b338097ec
SHA512: 1b0cbc0a335f0328ac1fe6846f248a3bb9b62a2f4b478a7f2d08abf7903eda690a49b26c64cd63e19009d3674b9b0001ad3dfc97f8318825181e4c8002f22304

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796