57bf74232f2bb8240c9c407b9677961a81ab90d539dd330de4c5ca100e4f24c1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cchromessetup.msi
Size

20.4MB
MD5

fcaad59c22e7e848f387089fe25f0765
SHA1

21e188214f1ed9ded574b139c55b2b70c99f1d2e
SHA256

57bf74232f2bb8240c9c407b9677961a81ab90d539dd330de4c5ca100e4f24c1
SHA512

7af62c1e5dd1cd91d2327642e9f931bf46b9aa40cfcfce988dffcc323daf7ee04516c4c3a28b509907d62c7aa909dc056d1e788521ae9dfcc6c53d635e40d5d5
SSDEEP

393216:nQ0Frf5krXSujsF8dzTZJPGQUP995v4VXwalKOymRJgNN71TXibbeKNugW8XMgfx:nQ05JQsmF3hC6Xwal5pc7hMlbXM+L8aD

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\ImproveOrganizerMagnetic\DacdWcPDgGtK.exe	OtapxNTOYhmF.exe
File opened for modification	C:\Program Files\ImproveOrganizerMagnetic\oRqsGHUxNM16.exe	OtapxNTOYhmF.exe
File opened for modification	C:\Program Files\ImproveOrganizerMagnetic	oRqsGHUxNM16.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\OtapxNTOYhmF.exe	msiexec.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\XjPDFEditCore.dll	msiexec.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\DacdWcPDgGtK.xml	OtapxNTOYhmF.exe
File opened for modification	C:\Program Files\ImproveOrganizerMagnetic\DacdWcPDgGtK.xml	OtapxNTOYhmF.exe
File opened for modification	C:\Program Files\ImproveOrganizerMagnetic\DacdWcPDgGtK.exe	OtapxNTOYhmF.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\oRqsGHUxNM16.exe	OtapxNTOYhmF.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\ChromeSetup.exe	msiexec.exe
File created	C:\Program Files\ImproveOrganizerMagnetic\ICXslERhfXqJTZMhevsa	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770d9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770d99.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f770d99.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE62.tmp	msiexec.exe
File created	C:\Windows\Installer\f770d98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770d98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2332	OtapxNTOYhmF.exe
2508	oRqsGHUxNM16.exe
2952	ChromeSetup.exe

Loads dropped DLL 8 IoCs

pid	Process
2404	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2404	MsiExec.exe
2508	oRqsGHUxNM16.exe
2508	oRqsGHUxNM16.exe
2508	oRqsGHUxNM16.exe
2508	oRqsGHUxNM16.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2616	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OtapxNTOYhmF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oRqsGHUxNM16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	oRqsGHUxNM16.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\PackageCode = "9899D0B492A4E744B99D8D7CDC14244A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\PackageName = "cchromessetup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59F100CD6CA7A1E46A81BF3CFE01F19E\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\Version = "17039365"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EAF1A87F705B82340B055653A44DB134	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59F100CD6CA7A1E46A81BF3CFE01F19E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\ProductName = "ImproveOrganizerMagnetic"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EAF1A87F705B82340B055653A44DB134\59F100CD6CA7A1E46A81BF3CFE01F19E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59F100CD6CA7A1E46A81BF3CFE01F19E\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2672	msiexec.exe
2672	msiexec.exe
2508	oRqsGHUxNM16.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeSecurityPrivilege	2672	msiexec.exe
Token: SeCreateTokenPrivilege	2616	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2616	msiexec.exe
Token: SeLockMemoryPrivilege	2616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2616	msiexec.exe
Token: SeMachineAccountPrivilege	2616	msiexec.exe
Token: SeTcbPrivilege	2616	msiexec.exe
Token: SeSecurityPrivilege	2616	msiexec.exe
Token: SeTakeOwnershipPrivilege	2616	msiexec.exe
Token: SeLoadDriverPrivilege	2616	msiexec.exe
Token: SeSystemProfilePrivilege	2616	msiexec.exe
Token: SeSystemtimePrivilege	2616	msiexec.exe
Token: SeProfSingleProcessPrivilege	2616	msiexec.exe
Token: SeIncBasePriorityPrivilege	2616	msiexec.exe
Token: SeCreatePagefilePrivilege	2616	msiexec.exe
Token: SeCreatePermanentPrivilege	2616	msiexec.exe
Token: SeBackupPrivilege	2616	msiexec.exe
Token: SeRestorePrivilege	2616	msiexec.exe
Token: SeShutdownPrivilege	2616	msiexec.exe
Token: SeDebugPrivilege	2616	msiexec.exe
Token: SeAuditPrivilege	2616	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2616	msiexec.exe
Token: SeChangeNotifyPrivilege	2616	msiexec.exe
Token: SeRemoteShutdownPrivilege	2616	msiexec.exe
Token: SeUndockPrivilege	2616	msiexec.exe
Token: SeSyncAgentPrivilege	2616	msiexec.exe
Token: SeEnableDelegationPrivilege	2616	msiexec.exe
Token: SeManageVolumePrivilege	2616	msiexec.exe
Token: SeImpersonatePrivilege	2616	msiexec.exe
Token: SeCreateGlobalPrivilege	2616	msiexec.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeBackupPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2976	DrvInst.exe
Token: SeLoadDriverPrivilege	2976	DrvInst.exe
Token: SeLoadDriverPrivilege	2976	DrvInst.exe
Token: SeLoadDriverPrivilege	2976	DrvInst.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2616	msiexec.exe
2616	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2672 wrote to memory of 2404	2672	msiexec.exe	34
PID 2404 wrote to memory of 2332	2404	MsiExec.exe	35
PID 2404 wrote to memory of 2332	2404	MsiExec.exe	35
PID 2404 wrote to memory of 2332	2404	MsiExec.exe	35
PID 2404 wrote to memory of 2332	2404	MsiExec.exe	35
PID 2404 wrote to memory of 2508	2404	MsiExec.exe	37
PID 2404 wrote to memory of 2508	2404	MsiExec.exe	37
PID 2404 wrote to memory of 2508	2404	MsiExec.exe	37
PID 2404 wrote to memory of 2508	2404	MsiExec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cchromessetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2616

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0AD3817BAE9C285C1FCA4C1AD4291A7 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Program Files\ImproveOrganizerMagnetic\OtapxNTOYhmF.exe
    "C:\Program Files\ImproveOrganizerMagnetic\OtapxNTOYhmF.exe" x "C:\Program Files\ImproveOrganizerMagnetic\ICXslERhfXqJTZMhevsa" -o"C:\Program Files\ImproveOrganizerMagnetic\" -pfEsefKyAWjCaZCRKYPPi -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Program Files\ImproveOrganizerMagnetic\oRqsGHUxNM16.exe
    "C:\Program Files\ImproveOrganizerMagnetic\oRqsGHUxNM16.exe" -number 281 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:2508
- - C:\Program Files\ImproveOrganizerMagnetic\ChromeSetup.exe
    "C:\Program Files\ImproveOrganizerMagnetic\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    PID:2952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000031C" "0000000000000564"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770d9a.rbs

Filesize
7KB

MD5
154f34378643cea42467182de166b867

SHA1
4afbf27ae0d37f969dc01dadd5dc341a129ab3e7

SHA256
8577adf362cc9f9234a292952bb3eb42caa84bc5259e9059ce28b9904bfd2b11

SHA512
e64623255bb0a7e9680521a02227996cf2697a25641f5d5ca4128052748b2c72efa3dd3cff7902b3454c954ddc50227601605db5869397995fe47de3e8a5ddf1

Download Submit
C:\Program Files\ImproveOrganizerMagnetic\ChromeSetup.exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\ImproveOrganizerMagnetic\DacdWcPDgGtK.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\ImproveOrganizerMagnetic\ICXslERhfXqJTZMhevsa

Filesize
1.7MB

MD5
3e8e70417e8f5df6a3e1235506c12655

SHA1
482b4d16fa7f8d25d482ced7ea3a1652a3f5915f

SHA256
feec00f05e0ad1ce966a03b67d17114ef0c2d4880b25d62c295df267dd48d3a7

SHA512
f78c352c681fd07e80f62eb017fca9188e88f9a6781e395bfe411d923c91148e87d65e40f598917c2bb6eb7e1a48de56abc4c4d59a23a29f17565b652d6523b3

Download Submit
C:\Program Files\ImproveOrganizerMagnetic\OtapxNTOYhmF.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Program Files\ImproveOrganizerMagnetic\oRqsGHUxNM16.exe

Filesize
2.9MB

MD5
019fd1a681f7d86fe351082f021f1e17

SHA1
ddacb8842f1c52ed9b71507ea59fd8a324e6a2bc

SHA256
30299b86f1a081ec5ea7c0d3c84d3286ecf6a743923c8f0d935943dd6c1c0df2

SHA512
e8b99c2a3805f68b473f35604999d8ed36423bae4bcc808cedf26a4e4f8c48606022dd2cc98d4f7ff1be9855cde63f6f6ad3634d24e6eccdb40e68b3b2c7f2fa

Download Submit
C:\Windows\Installer\f770d98.msi

Filesize
20.4MB

MD5
fcaad59c22e7e848f387089fe25f0765

SHA1
21e188214f1ed9ded574b139c55b2b70c99f1d2e

SHA256
57bf74232f2bb8240c9c407b9677961a81ab90d539dd330de4c5ca100e4f24c1

SHA512
7af62c1e5dd1cd91d2327642e9f931bf46b9aa40cfcfce988dffcc323daf7ee04516c4c3a28b509907d62c7aa909dc056d1e788521ae9dfcc6c53d635e40d5d5

Download Submit
memory/2404-12-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2508-32-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download