Analysis
- max time kernel: 144s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 20/09/2024, 04:28
- Static task: static1
- Behavioral task: behavioral1
  - Sample: WPS Office_104693057_401535.msi
  - Resource: win7-20240708-en

General
- Target: WPS Office_104693057_401535.msi
- Size: 15.4MB
- MD5: ca9086b9f4e1cbfae86204a0e2cbea07
- SHA1: 4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15
- SHA256: 21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2
- SHA512: b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984
- SSDEEP: 393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (11 IoCs)
description | ioc | process
File created | C:\Program Files\ImproveScoutGenerous\node.dll | msiexec.exe
File created | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml | hdeQkiPuSHUY.exe
File created | C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe | hdeQkiPuSHUY.exe
File created | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe | hdeQkiPuSHUY.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous | bDOnhmOcYL12.exe
File created | C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH | msiexec.exe
File created | C:\Program Files\ImproveScoutGenerous\xlsx.xlsx | msiexec.exe
File opened for modification | C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe | hdeQkiPuSHUY.exe
File created | C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe | msiexec.exe
Drops file in Windows directory (10 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Installer\f771dfc.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f771dfc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1E98.tmp | msiexec.exe
File created | C:\Windows\Installer\f771dff.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f771dfd.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f771dfd.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Executes dropped EXE (2 IoCs)
pid | process
556 | hdeQkiPuSHUY.exe
2812 | bDOnhmOcYL12.exe
Loads dropped DLL (8 IoCs)
pid | process
1476 | MsiExec.exe
1476 | MsiExec.exe
1476 | MsiExec.exe
1476 | MsiExec.exe
2812 | bDOnhmOcYL12.exe
2812 | bDOnhmOcYL12.exe
2812 | bDOnhmOcYL12.exe
2812 | bDOnhmOcYL12.exe
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hdeQkiPuSHUY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bDOnhmOcYL12.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (22 IoCs)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | process
2960 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | process
1044 | msiexec.exe
1044 | msiexec.exe
2812 | bDOnhmOcYL12.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | process
2084 | msiexec.exe
2084 | msiexec.exe

Suspicious use of SetWindowsHookEx (7 IoCs)
pid | process
2960 | EXCEL.EXE
2960 | EXCEL.EXE
2960 | EXCEL.EXE
2960 | EXCEL.EXE
2960 | EXCEL.EXE
2960 | EXCEL.EXE
2960 | EXCEL.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth in the process tree)

[1] C:\Windows\system32\msiexec.exe (PID 2084)
    Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401535.msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe (PID 1044)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe (PID 1476)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A5850FAD15B224595719F4638E5E176D M Global\MSI0000
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe (PID 556)
            Command line: "C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe" x "C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH" -o"C:\Program Files\ImproveScoutGenerous\" -pNOcFSwDtYEhVUsSNDuRc -y
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery

        [3] C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe (PID 2812)
            Command line: "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 237 -file file3 -mode mode3 -flag flag3
            - Drops file in Program Files directory
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID 2960)
            Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
            - System Location Discovery: System Language Discovery
            - Enumerates system info in registry
            - Modifies data under HKEY_USERS
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\vssvc.exe (PID 2704)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\DrvInst.exe (PID 2612)
    Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000568"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Downloads