50682bb6ccf5da1ed1d20db6fe254f78f2f5d20985637fa4b5764956b00d4a8a

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VLC2.7.msi
Size

14.0MB
MD5

a1c5d32005ee62baa30dc993394aa17c
SHA1

360dd1889252cc5c06386706f5d9f8f326f218db
SHA256

49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188
SHA512

3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124
SSDEEP

393216:sGS3skS0F5Ky7pfJY/+LXwwhCtZRZ5bz/ueWBem1f4V:sG8S0F5N7pfJu2XwwhYZRDbz/uFdp4V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\UpgradeWholesalerAgile\opencv_world452.dll	msiexec.exe
File created	C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe	UdgXmVwhvaeF.exe
File opened for modification	C:\Program Files\UpgradeWholesalerAgile	nSBnCTQPhM12.exe
File created	C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.xml	UdgXmVwhvaeF.exe
File opened for modification	C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.xml	UdgXmVwhvaeF.exe
File opened for modification	C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe	UdgXmVwhvaeF.exe
File created	C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe	UdgXmVwhvaeF.exe
File opened for modification	C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe	UdgXmVwhvaeF.exe
File created	C:\Program Files\UpgradeWholesalerAgile\svml_dispmd2.dll	msiexec.exe
File created	C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe	msiexec.exe
File created	C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76d1df.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d1df.msi	msiexec.exe
File created	C:\Windows\Installer\f76d1e0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSID2BA.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d1e2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d1e0.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
768	UdgXmVwhvaeF.exe
2672	nSBnCTQPhM12.exe

Loads dropped DLL 6 IoCs

pid	Process
2772	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
2672	nSBnCTQPhM12.exe
2672	nSBnCTQPhM12.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1244	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UdgXmVwhvaeF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nSBnCTQPhM12.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\PackageName = "VLC\uefb2\uefa5\uefb7\uefc5\uefc6\ueff72.7.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\04EB18D82073ABF42842CCA56ECD0909\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\PackageCode = "D2FD7181211B77A4B97E1C454892B469"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1F1EA91E6509F3D4CB169EA220D06350	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\ProductName = "UpgradeWholesalerAgile"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1F1EA91E6509F3D4CB169EA220D06350\04EB18D82073ABF42842CCA56ECD0909	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\04EB18D82073ABF42842CCA56ECD0909	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\Version = "118030336"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\04EB18D82073ABF42842CCA56ECD0909\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1448	msiexec.exe
1448	msiexec.exe
2672	nSBnCTQPhM12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1244	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeSecurityPrivilege	1448	msiexec.exe
Token: SeCreateTokenPrivilege	1244	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1244	msiexec.exe
Token: SeLockMemoryPrivilege	1244	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1244	msiexec.exe
Token: SeMachineAccountPrivilege	1244	msiexec.exe
Token: SeTcbPrivilege	1244	msiexec.exe
Token: SeSecurityPrivilege	1244	msiexec.exe
Token: SeTakeOwnershipPrivilege	1244	msiexec.exe
Token: SeLoadDriverPrivilege	1244	msiexec.exe
Token: SeSystemProfilePrivilege	1244	msiexec.exe
Token: SeSystemtimePrivilege	1244	msiexec.exe
Token: SeProfSingleProcessPrivilege	1244	msiexec.exe
Token: SeIncBasePriorityPrivilege	1244	msiexec.exe
Token: SeCreatePagefilePrivilege	1244	msiexec.exe
Token: SeCreatePermanentPrivilege	1244	msiexec.exe
Token: SeBackupPrivilege	1244	msiexec.exe
Token: SeRestorePrivilege	1244	msiexec.exe
Token: SeShutdownPrivilege	1244	msiexec.exe
Token: SeDebugPrivilege	1244	msiexec.exe
Token: SeAuditPrivilege	1244	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1244	msiexec.exe
Token: SeChangeNotifyPrivilege	1244	msiexec.exe
Token: SeRemoteShutdownPrivilege	1244	msiexec.exe
Token: SeUndockPrivilege	1244	msiexec.exe
Token: SeSyncAgentPrivilege	1244	msiexec.exe
Token: SeEnableDelegationPrivilege	1244	msiexec.exe
Token: SeManageVolumePrivilege	1244	msiexec.exe
Token: SeImpersonatePrivilege	1244	msiexec.exe
Token: SeCreateGlobalPrivilege	1244	msiexec.exe
Token: SeBackupPrivilege	1444	vssvc.exe
Token: SeRestorePrivilege	1444	vssvc.exe
Token: SeAuditPrivilege	1444	vssvc.exe
Token: SeBackupPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	2732	DrvInst.exe
Token: SeLoadDriverPrivilege	2732	DrvInst.exe
Token: SeLoadDriverPrivilege	2732	DrvInst.exe
Token: SeLoadDriverPrivilege	2732	DrvInst.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	msiexec.exe
1244	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 1448 wrote to memory of 2772	1448	msiexec.exe	35
PID 2772 wrote to memory of 768	2772	MsiExec.exe	36
PID 2772 wrote to memory of 768	2772	MsiExec.exe	36
PID 2772 wrote to memory of 768	2772	MsiExec.exe	36
PID 2772 wrote to memory of 768	2772	MsiExec.exe	36
PID 2772 wrote to memory of 2672	2772	MsiExec.exe	38
PID 2772 wrote to memory of 2672	2772	MsiExec.exe	38
PID 2772 wrote to memory of 2672	2772	MsiExec.exe	38
PID 2772 wrote to memory of 2672	2772	MsiExec.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\VLC2.7.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1244

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EFC3C0EB22946C20F8E42DBAD0E4785 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe
    "C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe" x "C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA" -o"C:\Program Files\UpgradeWholesalerAgile\" -pDUaIQBEnpsKpUhGkYwoZ -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:768
- - C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe
    "C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe" -number 218 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C4" "00000000000003B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d1e1.rbs

Filesize
7KB

MD5
2cec0aa4f92ca55572dd126f8bdf26b5

SHA1
25ff2269ea9e2189f4d3e855f79ce3fe0b84e9d8

SHA256
d9cdbd4748dbc699a62b75efa6feb03c78819c164cefb5431b3b6fac153fac5a

SHA512
3a4ece240a10b54db3e80b26c8b9176a4b2e153cf5d7555495dfc08701ecd3c39ee91f28bdcce6b53551c67a9495a5da499b509fdfe82fb651bd07b2eb4bb79c

Download Submit
C:\Program Files\UpgradeWholesalerAgile\QCIFTyMgyyFp.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\UpgradeWholesalerAgile\UdgXmVwhvaeF.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Program Files\UpgradeWholesalerAgile\nSBnCTQPhM12.exe

Filesize
2.9MB

MD5
a39b845fda1e4459eed816fd8f300935

SHA1
6eb0bb58fabdf307f4fda5a2eb408226cdb2ac35

SHA256
7beb9eb8189d6f97bc9def1190b4e00d3a8bca6af9378a383683baa002cda3f9

SHA512
d1f0fdea0738a658c5d7977be76a96ff09d922f0c2ca884ca39e50618de42e9acee0d944e97fcd306fb8d5eda17b05dec286a2c2306f4782541f90c16931ab71

Download Submit
C:\Program Files\UpgradeWholesalerAgile\zJVekxzWHGhLKpsaTVoA

Filesize
1.7MB

MD5
9c911a773c1629487f12783080c37b0c

SHA1
d0c3db8b3c354f96bd0cff829dbd561b81676f19

SHA256
6a6a941a94077fc7d43076e4d231341b6641a455681f80d65efd480de4733b3c

SHA512
51c669086de0492442ae030315fd9adeee1208c79b605b34d46d20758aeeac569f8d5d16b110a7164490ff9a255bb1af207c931ed45be2409aaee6a29e04a421

Download Submit
C:\Windows\Installer\f76d1df.msi

Filesize
14.0MB

MD5
a1c5d32005ee62baa30dc993394aa17c

SHA1
360dd1889252cc5c06386706f5d9f8f326f218db

SHA256
49d8edfd8a93ede3e3087771d69b7e6be33f53dfb92ee1da9d82c09f2e0d3188

SHA512
3ae8fcf6120e9c2a518b109c64996cea7d5b8f28df1e00c6e18a74b199d4f80d44e2c647fddb22b6b5ab3e24a495366be21d1a140521c00db35dd9e3480c4124

Download Submit
memory/2772-11-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download