Analysis

max time kernel: 117s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-09-2024 09:41
Static task: static1
Behavioral task: behavioral1
Sample: ChromeSetup.msi
Resource: win7-20240903-en
General

Target: ChromeSetup.msi
Size: 17.2MB
MD5: 90e7d3e1ecaee3ac54dbb8ed66b07a18
SHA1: ac5e851894550338e80c5ba046c141273af476de
SHA256: 1cde78045d2d3ab8d1d2ad5bfd97f6805b806026e60a36a5c7849458406f3927
SHA512: 5df073ab043468739c3c244329e3c2114c160208237b9d583870f6bcd20feae7411dc9be390d617338c42d3db373bfcd4e39806b93afb3118c6946954d0e5cd9
SSDEEP: 393216:7JC9ulDuFcnsXWOcCmo72eL9pOQFYNM9wzNujzUAx8:7Xsmomo7FLejNCxx8
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (11 IoCs)

description | ioc | Process
File created | C:\Program Files\PromoteMonitorBenevolent\mwKLWIWGgxnxgSuiLbNU | msiexec.exe
File opened for modification | C:\Program Files\PromoteMonitorBenevolent\GigWEwXASNhD.xml | AuOSovrPCaNd.exe
File created | C:\Program Files\PromoteMonitorBenevolent\GigWEwXASNhD.exe | AuOSovrPCaNd.exe
File opened for modification | C:\Program Files\PromoteMonitorBenevolent\GigWEwXASNhD.exe | AuOSovrPCaNd.exe
File created | C:\Program Files\PromoteMonitorBenevolent\igsBsAaTNp29.exe | AuOSovrPCaNd.exe
File opened for modification | C:\Program Files\PromoteMonitorBenevolent\igsBsAaTNp29.exe | AuOSovrPCaNd.exe
File created | C:\Program Files\PromoteMonitorBenevolent\AuOSovrPCaNd.exe | msiexec.exe
File created | C:\Program Files\PromoteMonitorBenevolent\ChromeSetup.exe | msiexec.exe
File created | C:\Program Files\PromoteMonitorBenevolent\opencv_world452.dll | msiexec.exe
File created | C:\Program Files\PromoteMonitorBenevolent\GigWEwXASNhD.xml | AuOSovrPCaNd.exe
File opened for modification | C:\Program Files\PromoteMonitorBenevolent | igsBsAaTNp29.exe
Drops file in Windows directory (10 IoCs)

description | ioc | Process
File created | C:\Windows\Installer\f76ea9d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76ea9d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIEB58.tmp | msiexec.exe
File created | C:\Windows\Installer\f76eaa0.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76ea9e.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\f76ea9e.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
Executes dropped EXE (3 IoCs)

pid | Process
2952 | AuOSovrPCaNd.exe
2784 | igsBsAaTNp29.exe
2960 | ChromeSetup.exe
Loads dropped DLL (10 IoCs)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)

pid | Process
2500 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igsBsAaTNp29.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AuOSovrPCaNd.exe
Modifies data under HKEY_USERS (50 IoCs)
Modifies registry class (22 IoCs)
Suspicious behavior: EnumeratesProcesses (3 IoCs)

pid | Process
2664 | msiexec.exe
2664 | msiexec.exe
2784 | igsBsAaTNp29.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)

pid | Process
2500 | msiexec.exe
2500 | msiexec.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (PID 2500)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetup.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 2664)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Windows\syswow64\MsiExec.exe (PID 2324)
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F329422712D74ED40E0E5EDC56DBE12B M Global\MSI0000
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Program Files\PromoteMonitorBenevolent\AuOSovrPCaNd.exe (PID 2952)
    Command line: "C:\Program Files\PromoteMonitorBenevolent\AuOSovrPCaNd.exe" x "C:\Program Files\PromoteMonitorBenevolent\mwKLWIWGgxnxgSuiLbNU" -o"C:\Program Files\PromoteMonitorBenevolent\" -pBnWSXXmUXNseShAWdqlU -y
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

    C:\Program Files\PromoteMonitorBenevolent\igsBsAaTNp29.exe (PID 2784)
    Command line: "C:\Program Files\PromoteMonitorBenevolent\igsBsAaTNp29.exe" -number 235 -file file3 -mode mode3 -flag flag3
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\PromoteMonitorBenevolent\ChromeSetup.exe (PID 2960)
    Command line: "C:\Program Files\PromoteMonitorBenevolent\ChromeSetup.exe"
    - Executes dropped EXE

C:\Windows\system32\vssvc.exe (PID 2344)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe (PID 2744)
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005D0" "00000000000002F8"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads