9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

Resubmissions

21/09/2024, 02:03

240921-cgz6dszfpl 8

21/09/2024, 01:42

21/09/2024, 01:37

21/09/2024, 01:13

21/09/2024, 01:00

21/09/2024, 00:55

Analysis

max time kernel
1563s
max time network
1567s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EZFNLauncher.msi
Size

8.8MB
MD5

c094ae439f4a97409d752fa64f6eab86
SHA1

e607d4616a2262bb245c43269d7c3f769269e5d0
SHA256

9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26
SHA512

df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e
SSDEEP

196608:hwrQNEqoCdzOx618QNSi2lfVc6VpvPH62RM7tBIbK1/JuhC:hgcOxvQgllfjXtr8/kh

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1332	powershell.exe
1332	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files\EZFN Launcher\_up_\public\vercel.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\next.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\Inter-VariableFont_slnt,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\BricolageGrotesque-VariableFont_opsz,wdth,wght.ttf	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f78cca2.msi	msiexec.exe
File created	C:\Windows\Installer\f78cca3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD9C.tmp	msiexec.exe
File created	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\f78cca5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f78cca3.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f78cca2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
2012	MsiExec.exe
1532	msiexec.exe
1532	msiexec.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1916	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductName = "EZFN Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\ShortcutsFeature = "MainProgram"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\PackageCode = "902E236029C1087479870FBC7034677D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Version = "16908292"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\PackageName = "EZFNLauncher.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\Environment = "MainProgram"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\External	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\MainProgram	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductIcon = "C:\\Windows\\Installer\\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\\ProductIcon"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1532	msiexec.exe
1532	msiexec.exe
1332	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1916	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	1532	msiexec.exe
Token: SeTakeOwnershipPrivilege	1532	msiexec.exe
Token: SeSecurityPrivilege	1532	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1916	msiexec.exe
Token: SeLockMemoryPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeMachineAccountPrivilege	1916	msiexec.exe
Token: SeTcbPrivilege	1916	msiexec.exe
Token: SeSecurityPrivilege	1916	msiexec.exe
Token: SeTakeOwnershipPrivilege	1916	msiexec.exe
Token: SeLoadDriverPrivilege	1916	msiexec.exe
Token: SeSystemProfilePrivilege	1916	msiexec.exe
Token: SeSystemtimePrivilege	1916	msiexec.exe
Token: SeProfSingleProcessPrivilege	1916	msiexec.exe
Token: SeIncBasePriorityPrivilege	1916	msiexec.exe
Token: SeCreatePagefilePrivilege	1916	msiexec.exe
Token: SeCreatePermanentPrivilege	1916	msiexec.exe
Token: SeBackupPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	1916	msiexec.exe
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeDebugPrivilege	1916	msiexec.exe
Token: SeAuditPrivilege	1916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1916	msiexec.exe
Token: SeChangeNotifyPrivilege	1916	msiexec.exe
Token: SeRemoteShutdownPrivilege	1916	msiexec.exe
Token: SeUndockPrivilege	1916	msiexec.exe
Token: SeSyncAgentPrivilege	1916	msiexec.exe
Token: SeEnableDelegationPrivilege	1916	msiexec.exe
Token: SeManageVolumePrivilege	1916	msiexec.exe
Token: SeImpersonatePrivilege	1916	msiexec.exe
Token: SeCreateGlobalPrivilege	1916	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1916	msiexec.exe
Token: SeLockMemoryPrivilege	1916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1916	msiexec.exe
Token: SeMachineAccountPrivilege	1916	msiexec.exe
Token: SeTcbPrivilege	1916	msiexec.exe
Token: SeSecurityPrivilege	1916	msiexec.exe
Token: SeTakeOwnershipPrivilege	1916	msiexec.exe
Token: SeLoadDriverPrivilege	1916	msiexec.exe
Token: SeSystemProfilePrivilege	1916	msiexec.exe
Token: SeSystemtimePrivilege	1916	msiexec.exe
Token: SeProfSingleProcessPrivilege	1916	msiexec.exe
Token: SeIncBasePriorityPrivilege	1916	msiexec.exe
Token: SeCreatePagefilePrivilege	1916	msiexec.exe
Token: SeCreatePermanentPrivilege	1916	msiexec.exe
Token: SeBackupPrivilege	1916	msiexec.exe
Token: SeRestorePrivilege	1916	msiexec.exe
Token: SeShutdownPrivilege	1916	msiexec.exe
Token: SeDebugPrivilege	1916	msiexec.exe
Token: SeAuditPrivilege	1916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1916	msiexec.exe
Token: SeChangeNotifyPrivilege	1916	msiexec.exe
Token: SeRemoteShutdownPrivilege	1916	msiexec.exe
Token: SeUndockPrivilege	1916	msiexec.exe
Token: SeSyncAgentPrivilege	1916	msiexec.exe
Token: SeEnableDelegationPrivilege	1916	msiexec.exe
Token: SeManageVolumePrivilege	1916	msiexec.exe
Token: SeImpersonatePrivilege	1916	msiexec.exe
Token: SeCreateGlobalPrivilege	1916	msiexec.exe
Token: SeCreateTokenPrivilege	1916	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1916	msiexec.exe
1916	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 2012	1532	msiexec.exe	33
PID 1532 wrote to memory of 1332	1532	msiexec.exe	37
PID 1532 wrote to memory of 1332	1532	msiexec.exe	37
PID 1532 wrote to memory of 1332	1532	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\EZFNLauncher.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7DFB2DBD01886DBD975815720530E12 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2440

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C0" "00000000000003E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk

Filesize
2KB

MD5
86a926fdbcf94901224e3c3a353e39c0

SHA1
4ab66187df90905b438986187b7339c448764854

SHA256
cfb9f5a862573e532182b5abd26d5a09ad55472ef2ec4d0f716c243511db4738

SHA512
bf391452efa80baf34ad59fed2fb44283f4bea11ee3381f3239f9ee1de269a41f014e9015f9f231065884ae12333cfe4fa34a16d389790145ac246d2de0cae44

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA64D.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Windows\Installer\f78cca2.msi

Filesize
8.8MB

MD5
c094ae439f4a97409d752fa64f6eab86

SHA1
e607d4616a2262bb245c43269d7c3f769269e5d0

SHA256
9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

SHA512
df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e

Download Submit
\Program Files\EZFN Launcher\EZFN Launcher.exe

Filesize
9.4MB

MD5
4f33ce3ea36ef1f99b6825a86b2470ff

SHA1
baca999aadc039799d779088276704b14b5c665b

SHA256
5f05babffaded0eae013bcea5de6821cb51c82acbb6889c4b01ebde41b3dafa8

SHA512
a96e86906b195d035a824f48f89db9455208dda2ca7ad1d7dc88881cbf6b0649bafea39fa384254aebc23f6a903cd18cf7dda375194390119c0111d901fbc0b6

Download Submit
memory/1332-63-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1332-64-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download