21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS Office_104693057_401535.msi
Size

15.4MB
MD5

ca9086b9f4e1cbfae86204a0e2cbea07
SHA1

4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15
SHA256

21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2
SHA512

b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984
SSDEEP

393216:WAxJ3qt2MkEOEsQ+D8PjbtTBQqc4dq47aJ7IKw9M38hoTjZ5Uu0H:WU3o2NNjgrpFQq3dd7aJkvFhoTrV0H

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\ImproveScoutGenerous\node.dll	msiexec.exe
File created	C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml	hdeQkiPuSHUY.exe
File opened for modification	C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.xml	hdeQkiPuSHUY.exe
File created	C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe	hdeQkiPuSHUY.exe
File opened for modification	C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe	hdeQkiPuSHUY.exe
File created	C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe	hdeQkiPuSHUY.exe
File opened for modification	C:\Program Files\ImproveScoutGenerous	bDOnhmOcYL12.exe
File created	C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH	msiexec.exe
File created	C:\Program Files\ImproveScoutGenerous\xlsx.xlsx	msiexec.exe
File opened for modification	C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe	hdeQkiPuSHUY.exe
File created	C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f771dfc.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f771dfc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E98.tmp	msiexec.exe
File created	C:\Windows\Installer\f771dff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771dfd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f771dfd.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
556	hdeQkiPuSHUY.exe
2812	bDOnhmOcYL12.exe

Loads dropped DLL 8 IoCs

pid	Process
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
1476	MsiExec.exe
2812	bDOnhmOcYL12.exe
2812	bDOnhmOcYL12.exe
2812	bDOnhmOcYL12.exe
2812	bDOnhmOcYL12.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdeQkiPuSHUY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bDOnhmOcYL12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Courier 6cpi = "Roman 6cpi"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\Engines\Jet\Threads = "3"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\yahoo.fr = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\YAHOOF~1.XML"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Phone Call\AutoJournaled = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00 = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\mapi\UserChoice\Progid = "Outlook.Shell"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\application/pot = "C:\\PROGRA~2\\MICROS~1\\Office14\\POWERPNT.EXE"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Meeting Cancellation	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Meeting Request\Small Icon = "[3]"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Remote Session	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\dotm = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE ^.dotm"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Suffixes\application/rtf = "RTF"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions\{339361CD-6723-455D-A40B-C95F1F91FF8A}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\linedraw = "Courier New,437"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\UID	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Suffixes\application/msexcel = "XLS"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\CommandLineSafe = "0"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#time	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Roman 6cpi = "Courier 6cpi"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\Engines\Jet	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\Engines	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Excel\Security\Trusted Locations\Location2	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\yahoo.ie = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\YAHOOI~1.XML"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions\{06F9A697-9708-422D-A5AF-C559391A850A}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Century Gothic = "AvantGarde"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\London = "Old English Text MT"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Zapf Dingbats = "Monotype Sorts"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Chicago = "Arial"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\mdb = "C:\\PROGRA~2\\MICROS~1\\Office14\\MSACCESS.EXE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\Xlstart = "XLSTART"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Conversation\Small Icon = "[1]"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Task Response\JournalByContact = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\ZapfDingbats = "Zapf Dingbats"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Courier New = "Courier"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#time\OMain = "2"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Letter\JournalByContact = "0"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Outlook_Core\Count = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Letter Gothic = "Courier New"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\E-mail Message\Small Icon = "[2]"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\dot = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE ^.dot"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Excel\Security\Trusted Locations\Location0\Path = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\XLSTART\\"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MSDAIPP\Providers\{9FECD570-B9D4-11D1-9C78-0000F875AC61}\Priority = "142606336"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\Icon = "C:\\PROGRA~2\\MICROS~1\\Office14\\MSN.ICO"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\talk21.com = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\TALK21~1.XML"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\nvbell.net = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\NVBELL~1.XML"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\TYPE8 = "application/pps"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Actions\{06F9A697-9708-422D-A5AF-C559391A850A}\Internet Explorer_Server = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\mda = "C:\\PROGRA~2\\MICROS~1\\Office14\\MSACCESS.EXE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\FriendlyName = "Microsoft SharePoint Server Colleague Import Add-in"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\RecentFiles = "Recent"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Note	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\FbPutDataUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll?prd=office&pver=\|0&ar=freebusy&subar=put"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel\Small Icon = "[14]"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Access\Security\Trusted Locations	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Excel\Security\Trusted Locations\Location2\Path = "%APPDATA%\\Microsoft\\Templates"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ShortcutUrl = "http://www.msnusers.com"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ASF Stream Descriptor File\Settings\Don't Show Boot Dialog = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Kafisma = "Arial,866"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Microsoft PowerPoint\AutoJournaled = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\MyPictures = "My Pictures"	EXCEL.EXE

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E7615B4D95282EC48955FCE0617C370B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E7615B4D95282EC48955FCE0617C370B\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6AC22BE4B23DFEC45BB98FF5AC3DB9CF\E7615B4D95282EC48955FCE0617C370B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\PackageName = "WPS Office_104693057_401535.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\ProductName = "ImproveScoutGenerous"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6AC22BE4B23DFEC45BB98FF5AC3DB9CF	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\PackageCode = "AF348A689A608BD48AB3AAADE413931C"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\Version = "50593801"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E7615B4D95282EC48955FCE0617C370B\AdvertiseFlags = "388"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2960	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1044	msiexec.exe
1044	msiexec.exe
2812	bDOnhmOcYL12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeSecurityPrivilege	1044	msiexec.exe
Token: SeCreateTokenPrivilege	2084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2084	msiexec.exe
Token: SeLockMemoryPrivilege	2084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2084	msiexec.exe
Token: SeMachineAccountPrivilege	2084	msiexec.exe
Token: SeTcbPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeLoadDriverPrivilege	2084	msiexec.exe
Token: SeSystemProfilePrivilege	2084	msiexec.exe
Token: SeSystemtimePrivilege	2084	msiexec.exe
Token: SeProfSingleProcessPrivilege	2084	msiexec.exe
Token: SeIncBasePriorityPrivilege	2084	msiexec.exe
Token: SeCreatePagefilePrivilege	2084	msiexec.exe
Token: SeCreatePermanentPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeShutdownPrivilege	2084	msiexec.exe
Token: SeDebugPrivilege	2084	msiexec.exe
Token: SeAuditPrivilege	2084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2084	msiexec.exe
Token: SeChangeNotifyPrivilege	2084	msiexec.exe
Token: SeRemoteShutdownPrivilege	2084	msiexec.exe
Token: SeUndockPrivilege	2084	msiexec.exe
Token: SeSyncAgentPrivilege	2084	msiexec.exe
Token: SeEnableDelegationPrivilege	2084	msiexec.exe
Token: SeManageVolumePrivilege	2084	msiexec.exe
Token: SeImpersonatePrivilege	2084	msiexec.exe
Token: SeCreateGlobalPrivilege	2084	msiexec.exe
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe
Token: SeBackupPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	2612	DrvInst.exe
Token: SeLoadDriverPrivilege	2612	DrvInst.exe
Token: SeLoadDriverPrivilege	2612	DrvInst.exe
Token: SeLoadDriverPrivilege	2612	DrvInst.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe
Token: SeTakeOwnershipPrivilege	1044	msiexec.exe
Token: SeRestorePrivilege	1044	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2084	msiexec.exe
2084	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2960	EXCEL.EXE
2960	EXCEL.EXE
2960	EXCEL.EXE
2960	EXCEL.EXE
2960	EXCEL.EXE
2960	EXCEL.EXE
2960	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1044 wrote to memory of 1476	1044	msiexec.exe	34
PID 1476 wrote to memory of 556	1476	MsiExec.exe	35
PID 1476 wrote to memory of 556	1476	MsiExec.exe	35
PID 1476 wrote to memory of 556	1476	MsiExec.exe	35
PID 1476 wrote to memory of 556	1476	MsiExec.exe	35
PID 1476 wrote to memory of 2812	1476	MsiExec.exe	37
PID 1476 wrote to memory of 2812	1476	MsiExec.exe	37
PID 1476 wrote to memory of 2812	1476	MsiExec.exe	37
PID 1476 wrote to memory of 2812	1476	MsiExec.exe	37
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38
PID 1476 wrote to memory of 2960	1476	MsiExec.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401535.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5850FAD15B224595719F4638E5E176D M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe
    "C:\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe" x "C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH" -o"C:\Program Files\ImproveScoutGenerous\" -pNOcFSwDtYEhVUsSNDuRc -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:556
- - C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe
    "C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe" -number 237 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2812
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "0000000000000568"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771dfe.rbs

Filesize
7KB

MD5
384832ab818d9c474eab79afaa4353e0

SHA1
00258b431aaf7e6cca3b4a4c7ddc3482811abf68

SHA256
963a6cf59b3d8d3db09c73dd4ed181cb8f24dc9bfc6374f8235861b0d69013a6

SHA512
d2427316ef54a2e6102397c2bea7cf91760fbf52f3f05255eef95784904e5ae524edc275f32666885e2d89e3a11a05ecfb163c8b21f09da106e89a0fc13b5b12

Download Submit
C:\Program Files\ImproveScoutGenerous\CLAnZJhYUhSfSJqyvyQH

Filesize
1.7MB

MD5
b52875621f2ed8ba730e1baa322994ac

SHA1
2ddb59cc65ee3297eb0a959f868633c36d8bdab6

SHA256
ae9b0f8b4d037535b0682905c7082607b9bd730d2ac549c1f86f36ad459e06f8

SHA512
2958f18969b1ce08adce13d6b0b249eacb627099387a9fe60472f8a4ef78ee37f4c17c77a2fea62f2b59a80724cd46dd6a74fd1c994eabd8a8f6f36f873c524d

Download Submit
C:\Program Files\ImproveScoutGenerous\HMeBxhzrchEW.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\ImproveScoutGenerous\bDOnhmOcYL12.exe

Filesize
2.8MB

MD5
8e355304eb0c0a6c787c158c6097d35d

SHA1
4978f2462040aee13f3d79e1f1dab5b4d4e8feb3

SHA256
ecf62496c9c74d3fddbd737964629a8cad0f42968c6f6c88652ca9f9b9bc9d3f

SHA512
9b3ab911e2e5002bea4877628dc4dd14e99ab8a5ece51fd76d5a65f0f39fbd7812390ebc328b857422d0bcde571385c9e6ab85d1a9214d7124e4f3d100490542

Download Submit
C:\Windows\Installer\f771dfc.msi

Filesize
15.4MB

MD5
ca9086b9f4e1cbfae86204a0e2cbea07

SHA1
4fb147699ab8b80fc6b89d9d1473bfb60dbd2a15

SHA256
21a2e0d27dfe4f70d74e0be94a1700cbc0e58c87553f1140253109ab0d9701b2

SHA512
b1f89f9342df8de10eaa1134eb9982942cee26abebf280b80a79b37f26e1f2b55de999d36249a731385c5a72bb2c3dd8b9b14f578263d3037799a1617279e984

Download Submit
\Program Files\ImproveScoutGenerous\hdeQkiPuSHUY.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
memory/1476-12-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2812-29-0x0000000000790000-0x00000000007BA000-memory.dmp

Filesize
168KB

Download
memory/2960-28-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download