Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
20-09-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
wpsupdate .msi
Resource
win7-20240903-en
General
-
Target
wpsupdate .msi
-
Size
18.0MB
-
MD5
a73709d320e1160a965987bd3298b0bc
-
SHA1
2b1942cad548a048f62eb643573baf671696c5ea
-
SHA256
d5d245b5e9d6b56778fcad5bd8154779074e891df0455ae8cc77e14595f0df8c
-
SHA512
78844102b9d83f5f8f3dc3c1b83217bb0a6a69579168dca0e4740afd1f9f4e8864b9203570b031e9ce47a8f9a2a6db98b558634708fd828727365f0271a5f686
-
SSDEEP
393216:0vd1NDtHWaIhF5AfrpW4+SRxqwIxgFU1elj6iY9Q4mG3WX0X9Jnbx:0fWaIFaFWdqjle1xB99kC/nbx
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | wpsupdate.exe
-
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe | YElwbdcCOAiT.exe
File created | C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe | msiexec.exe
File created | C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe | msiexec.exe
File opened for modification | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.xml | YElwbdcCOAiT.exe
File created | C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe | YElwbdcCOAiT.exe
File opened for modification | C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe | YElwbdcCOAiT.exe
File created | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe | YElwbdcCOAiT.exe
File created | C:\Program Files\OrganizeSupporterNimble\node.dll | msiexec.exe
File created | C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR | msiexec.exe
File created | C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.xml | YElwbdcCOAiT.exe
File opened for modification | C:\Program Files\OrganizeSupporterNimble | TpuaDVwAtO28.exe
-
Drops file in Windows directory 10 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f772a1f.msi | msiexec.exe
File created | C:\Windows\Installer\f772a1d.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2B06.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f772a1d.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f772a1c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f772a1c.msi | msiexec.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1476 | YElwbdcCOAiT.exe
2368 | TpuaDVwAtO28.exe
1964 | wpsupdate.exe
-
Loads dropped DLL 11 IoCs
pid | Process
1688 | MsiExec.exe
1688 | MsiExec.exe
1688 | MsiExec.exe
1688 | MsiExec.exe
1688 | MsiExec.exe
2368 | TpuaDVwAtO28.exe
2368 | TpuaDVwAtO28.exe
2368 | TpuaDVwAtO28.exe
2368 | TpuaDVwAtO28.exe
2368 | TpuaDVwAtO28.exe
2368 | TpuaDVwAtO28.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YElwbdcCOAiT.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TpuaDVwAtO28.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpsupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3_C = "af627f08f5619f1da46525d769aa4316" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3t = "20" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | TpuaDVwAtO28.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-9-20" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | TpuaDVwAtO28.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d0039002d00320030007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00450036002d00390039002d00460037002d00390033002d00300032002d00340046000000 | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | TpuaDVwAtO28.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0 | wpsupdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|ecc1f339b231b4b29b3f3df3d9c8fde5" | wpsupdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD = "af627f08f5619f1da46525d769aa4316" | wpsupdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo | wpsupdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHDt = "20" | wpsupdate.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" | TpuaDVwAtO28.exe
-
Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\PackageCode = "CEA73F1C5C6787349AB3A11C771E1A2B" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\PackageName = "wpsupdate .msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F4A29A934CBA7A74E9F746BCFCAF81BB\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\ProductName = "OrganizeSupporterNimble" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Version = "17039361" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\91E4850C13A5A9040811EA7CEA18D148 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\91E4850C13A5A9040811EA7CEA18D148\F4A29A934CBA7A74E9F746BCFCAF81BB | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F4A29A934CBA7A74E9F746BCFCAF81BB\Clients = 3a0000000000 | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2188 | msiexec.exe
2188 | msiexec.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
2368 | TpuaDVwAtO28.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2216 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2216 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeSecurityPrivilege | 2188 | msiexec.exe
Token: SeCreateTokenPrivilege | 2216 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2216 | msiexec.exe
Token: SeLockMemoryPrivilege | 2216 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2216 | msiexec.exe
Token: SeMachineAccountPrivilege | 2216 | msiexec.exe
Token: SeTcbPrivilege | 2216 | msiexec.exe
Token: SeSecurityPrivilege | 2216 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2216 | msiexec.exe
Token: SeLoadDriverPrivilege | 2216 | msiexec.exe
Token: SeSystemProfilePrivilege | 2216 | msiexec.exe
Token: SeSystemtimePrivilege | 2216 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2216 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2216 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2216 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2216 | msiexec.exe
Token: SeBackupPrivilege | 2216 | msiexec.exe
Token: SeRestorePrivilege | 2216 | msiexec.exe
Token: SeShutdownPrivilege | 2216 | msiexec.exe
Token: SeDebugPrivilege | 2216 | msiexec.exe
Token: SeAuditPrivilege | 2216 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2216 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2216 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2216 | msiexec.exe
Token: SeUndockPrivilege | 2216 | msiexec.exe
Token: SeSyncAgentPrivilege | 2216 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2216 | msiexec.exe
Token: SeManageVolumePrivilege | 2216 | msiexec.exe
Token: SeImpersonatePrivilege | 2216 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2216 | msiexec.exe
Token: SeBackupPrivilege | 2764 | vssvc.exe
Token: SeRestorePrivilege | 2764 | vssvc.exe
Token: SeAuditPrivilege | 2764 | vssvc.exe
Token: SeBackupPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2484 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2484 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2484 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2484 | DrvInst.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2188 | msiexec.exe
Token: SeRestorePrivilege | 2188 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
2216 | msiexec.exe
2216 | msiexec.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
1964 | wpsupdate.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
1964 | wpsupdate.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 2188 wrote to memory of 1688 | 2188 | msiexec.exe | 34
PID 1688 wrote to memory of 1476 | 1688 | MsiExec.exe | 35
PID 1688 wrote to memory of 1476 | 1688 | MsiExec.exe | 35
PID 1688 wrote to memory of 1476 | 1688 | MsiExec.exe | 35
PID 1688 wrote to memory of 1476 | 1688 | MsiExec.exe | 35
PID 1688 wrote to memory of 2368 | 1688 | MsiExec.exe | 37
PID 1688 wrote to memory of 2368 | 1688 | MsiExec.exe | 37
PID 1688 wrote to memory of 2368 | 1688 | MsiExec.exe | 37
PID 1688 wrote to memory of 2368 | 1688 | MsiExec.exe | 37
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
PID 1688 wrote to memory of 1964 | 1688 | MsiExec.exe | 38
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Image: C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\wpsupdate .msi"
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2216
-
Image: C:\Windows\system32\msiexec.exe (tree depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188 -
Image: C:\Windows\syswow64\MsiExec.exe (tree depth 2)
Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 57B68653D996033381F4ADCF20B1C085 M Global\MSI0000
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
Image: C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe (tree depth 3)
Command line: "C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe" x "C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR" -o"C:\Program Files\OrganizeSupporterNimble\" -ptLyXGitilIeFgXMurmJK -y
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476
-
-
Image: C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe (tree depth 3)
Command line: "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 143 -file file3 -mode mode3 -flag flag3
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2368
-
-
Image: C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe (tree depth 3)
Command line: "C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe"
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1964
-
-
-
Image: C:\Windows\system32\vssvc.exe (tree depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
Image: C:\Windows\system32\DrvInst.exe (tree depth 1)
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000005E0"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2484
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5 6faa64f4d614314f37cad83f3013b9d2
SHA1 da3d71b978f35572cdedd917b56ebd2297e865ad
SHA256 085544cc953a1e1e34b4e547d47f20a58aea438cd46dabcfd38488b5b249f01c
SHA512 98712cbeea69afb510ae4a19d9b3d5c443b772ccf78af59ea5174f657eeff4ce51f81aad5360945b3425ac95d1e18084ee43dec81e54c78aa24da959d6ef1202
-
Filesize
3.1MB
MD5 cab83f4897ba305ccf1b3811d0d46b46
SHA1 f9b0a859ccfd545ca4794d2e37f0fe92e7469c88
SHA256 45265ec03d03272fbda8eca896bdc2f72f8ac0ab862d41f7a97cd823525c0a9c
SHA512 e018957a52075c203d48a59b2e049ed0d6980fefe467bd1b49bdd2a9b7aa5efb2d0d84a2b9e24f9b3ce680d424da137a2a7c3bc14f060960fba4cfbd900431ac
-
Filesize
574KB
MD5 42badc1d2f03a8b1e4875740d3d49336
SHA1 cee178da1fb05f99af7a3547093122893bd1eb46
SHA256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize
832KB
MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
-
Filesize
1.9MB
MD5 b40f2629f6045761ca8acf21ec4341e7
SHA1 082326d152d2d13a5981ad9f4c3cf7906ec842bc
SHA256 2699edad6ae5d99914c94f54075ff20ffce1a6f13e83d4f2e807f614466fd28f
SHA512 d70d54d21bd4eb69a9748ca48f246dac236d06996da792818d188ae3a55a2f060a6fbb4421e27fdcf8aa7fd37f60951ef073d79fee1be6bac90d7e4d89dcdacc
-
Filesize
6.0MB
MD5 57dadd6a929f64c2b1efe2d52c1c4985
SHA1 962cb227f81f885f23826c3e040aa9dbc97659cf
SHA256 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
SHA512 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf
-
Filesize
2KB
MD5 4245feed7fa1a84835e753ef50217894
SHA1 492463d88b28c955768a3c96d53a465be139c4c5
SHA256 aa07b37c11e761586f3c6ef08ab643c58071b849b69ae419ee7f21a092c3e2e1
SHA512 9955da0a17452589b3aa0eca0c4d20d4b922c5820eb747a633d405637dc3cf9f1ab96d586ec6e1bfd45fe1ecc354d7ca85a82b6a337466edfe5657d95d4e9e6d
-
Filesize
18.0MB
MD5 a73709d320e1160a965987bd3298b0bc
SHA1 2b1942cad548a048f62eb643573baf671696c5ea
SHA256 d5d245b5e9d6b56778fcad5bd8154779074e891df0455ae8cc77e14595f0df8c
SHA512 78844102b9d83f5f8f3dc3c1b83217bb0a6a69579168dca0e4740afd1f9f4e8864b9203570b031e9ce47a8f9a2a6db98b558634708fd828727365f0271a5f686