593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WPS-Office_10469357_401533.msi
Size

41.1MB
MD5

27ba48360e40e33e30f22f9258ca8aec
SHA1

f86f07a4fde054f77591c7c42a751f4fa566cdd5
SHA256

593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60
SHA512

0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497
SSDEEP

786432:bz9YO2wwhIk3QM8g4fzggu4Pm7WJn8tKFodQrzRIwio026V:Fa3Qg4fzgh4fn8tKFeQr9tiod6V

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr	msiexec.exe
File created	C:\Program Files\SecureSponsorGenerous\UE4PrereqSetup_x64.exe	msiexec.exe
File created	C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe	hqUsxQVokjCH.exe
File opened for modification	C:\Program Files\SecureSponsorGenerous	EiAuPIYhFE4.exe
File opened for modification	C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe	hqUsxQVokjCH.exe
File created	C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe	msiexec.exe
File created	C:\Program Files\SecureSponsorGenerous\xlsx.xlsx	msiexec.exe
File created	C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml	hqUsxQVokjCH.exe
File opened for modification	C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml	hqUsxQVokjCH.exe
File opened for modification	C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe	hqUsxQVokjCH.exe
File created	C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe	hqUsxQVokjCH.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76dd46.ipi	msiexec.exe
File created	C:\Windows\Installer\f76dd48.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76dd46.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76dd45.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76dd45.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE2F.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2940	hqUsxQVokjCH.exe
1996	EiAuPIYhFE4.exe

Loads dropped DLL 6 IoCs

pid	Process
2476	MsiExec.exe
2476	MsiExec.exe
2476	MsiExec.exe
2476	MsiExec.exe
1996	EiAuPIYhFE4.exe
1996	EiAuPIYhFE4.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2196	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hqUsxQVokjCH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EiAuPIYhFE4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\OneNoteToIEAddin	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\PowerPoint	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\PSD = "Roman PX"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\application/ppt = "C:\\PROGRA~2\\MICROS~1\\Office14\\POWERPNT.EXE"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Zapf Chancery = "Monotype Corsiva"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\TYPE5 = "application/rtf"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\Engines\Jet\ImplicitCommitSync	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\Engines	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Task Request	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\UID	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Viewers\application/msexcel = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\Migration\Excel	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MSDAIPP\Providers\{9FECD570-B9D4-11D1-9C78-0000F875AC61}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\Actors = "Actors"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\London = "Old English Text MT"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\dot = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE ^.dot"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Remote Session\Large Icon = "[21]"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Task Response\JournalByContact = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\Common\Smart Tag\Recognizers\{64AB6C69-B40E-40AF-9B7F-F5687B48E2B6}\urn:schemas-microsoft-com:office:smarttags#time	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\ShortcutUrl = "http://www.msnusers.com"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Outlook\AutoDiscover\yahoo.com.tw = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOO~1\\YAB0F6~1.XML"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Remote Session\AutoJournaled = "0"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Locations\Location0\Path = "%APPDATA%\\Microsoft\\Templates"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\OneNoteToWordAddin	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Fax\Large Icon = "[9]"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\NLQDblHigh = "NLQII 10cpi"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Netscape\Netscape Navigator\Suffixes\application/rtf = "RTF"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Arial = "Helvetica"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Outlook_Intl\Count = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Courier PS = "Roman PS"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Conversation	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Courier 5cpi = "Roman 5cpi"	EXCEL.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\Excel Files\Engines\Jet\FirstRowHasNames = 01	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\DriverId = "25"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Word_Intl	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI\MS Access Database\Engines\Jet\UserCommitSync = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\WebDrive\www.msnusers.com\WizardName = "New Web Site on MSN"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\OneNoteToPPTAddin\Count = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Multimedia\msacm.imaadpcm	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Monotype Corsiva = "ZapfChancery"	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Word\Security\Trusted Locations	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\ODBC\ODBC.INI	EXCEL.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Mso_Intl	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Fax\DescriptionID = "28"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Meeting Response\DescriptionID = "33"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\User Settings\Outlook_SocialConnector\Count = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\PowerPoint\Security\Trusted Locations\Location0\Description = "8"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Font Mapping\Letter Gothic = "Courier New"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Extensions\docm = "C:\\PROGRA~2\\MICROS~1\\Office14\\WINWORD.EXE ^.docm"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Microsoft Access\AutoJournaled = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\General\MyDocuments = "My Documents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared Tools\Outlook\Journaling\Conversation\Large Icon = "[1]"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Web Service Providers\FreeBusy\office.microsoft.com\InfoUrl = "http://freebusy.office.microsoft.com/freebusy/freebusy.dll"	EXCEL.EXE

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\587C2C6BD312F174B88A161D7D7958A7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\74F584E381D0AFF4DBFE10B32E52A17F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\587C2C6BD312F174B88A161D7D7958A7\74F584E381D0AFF4DBFE10B32E52A17F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\PackageName = "WPS-Office_10469357_401533.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\PackageCode = "F55B3AEC34BB71F4F9AA425C412D3435"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Version = "134414336"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\74F584E381D0AFF4DBFE10B32E52A17F\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\ProductName = "SecureSponsorGenerous"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\InstanceType = "0"	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1124	msiexec.exe
1124	msiexec.exe
1996	EiAuPIYhFE4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeCreateTokenPrivilege	2196	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2196	msiexec.exe
Token: SeLockMemoryPrivilege	2196	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2196	msiexec.exe
Token: SeMachineAccountPrivilege	2196	msiexec.exe
Token: SeTcbPrivilege	2196	msiexec.exe
Token: SeSecurityPrivilege	2196	msiexec.exe
Token: SeTakeOwnershipPrivilege	2196	msiexec.exe
Token: SeLoadDriverPrivilege	2196	msiexec.exe
Token: SeSystemProfilePrivilege	2196	msiexec.exe
Token: SeSystemtimePrivilege	2196	msiexec.exe
Token: SeProfSingleProcessPrivilege	2196	msiexec.exe
Token: SeIncBasePriorityPrivilege	2196	msiexec.exe
Token: SeCreatePagefilePrivilege	2196	msiexec.exe
Token: SeCreatePermanentPrivilege	2196	msiexec.exe
Token: SeBackupPrivilege	2196	msiexec.exe
Token: SeRestorePrivilege	2196	msiexec.exe
Token: SeShutdownPrivilege	2196	msiexec.exe
Token: SeDebugPrivilege	2196	msiexec.exe
Token: SeAuditPrivilege	2196	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2196	msiexec.exe
Token: SeChangeNotifyPrivilege	2196	msiexec.exe
Token: SeRemoteShutdownPrivilege	2196	msiexec.exe
Token: SeUndockPrivilege	2196	msiexec.exe
Token: SeSyncAgentPrivilege	2196	msiexec.exe
Token: SeEnableDelegationPrivilege	2196	msiexec.exe
Token: SeManageVolumePrivilege	2196	msiexec.exe
Token: SeImpersonatePrivilege	2196	msiexec.exe
Token: SeCreateGlobalPrivilege	2196	msiexec.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2196	msiexec.exe
2196	msiexec.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 1124 wrote to memory of 2476	1124	msiexec.exe	35
PID 2476 wrote to memory of 2940	2476	MsiExec.exe	36
PID 2476 wrote to memory of 2940	2476	MsiExec.exe	36
PID 2476 wrote to memory of 2940	2476	MsiExec.exe	36
PID 2476 wrote to memory of 2940	2476	MsiExec.exe	36
PID 2476 wrote to memory of 1996	2476	MsiExec.exe	38
PID 2476 wrote to memory of 1996	2476	MsiExec.exe	38
PID 2476 wrote to memory of 1996	2476	MsiExec.exe	38
PID 2476 wrote to memory of 1996	2476	MsiExec.exe	38
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39
PID 2476 wrote to memory of 2824	2476	MsiExec.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS-Office_10469357_401533.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56B259B671511B545E7DF852C1C04820 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe
    "C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe" x "C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr" -o"C:\Program Files\SecureSponsorGenerous\" -pBtrCoSaelPTuXoCAcEwA -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
    "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 242 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1996
- - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
    3⤵
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:2824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000330" "000000000000032C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76dd47.rbs

Filesize
7KB

MD5
1b401bbd819f6730c5bfd2bae5dc3a18

SHA1
e4d753ebab8e180820243c384d93fe312c9256ae

SHA256
de4b08a0498b0f1491562d56833e0a1424c79cbdd4a3e51559b35f6dd88180a2

SHA512
132abbe7a41217cd5c75eee8f542e54cf9c2c1f5de25a66b0b83212f78f731f86a6adbfa921ed806f604a0f5bcd72be5bd90155bf797d1fd305b6991d67e0f97

Download Submit
C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe

Filesize
3.2MB

MD5
1c3d835b334c146196997f99df3c6f8e

SHA1
0027a83539881abaf1f5cb3a2cc0cd6ba528d000

SHA256
dcd7d379effc6f28e3fc43bdeebc3c39c933a93b09d9dc6691fb64392c432b3f

SHA512
f4da23997640cad08e9c3cc605472bb3b112e01406cc18789bd78d1f735790029cede3cd784d5d66882d571d6d515666a2017463ab5be454df50ddc4498d6042

Download Submit
C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr

Filesize
2.0MB

MD5
d076e5e2afedcdbd328b5a3f0222b408

SHA1
8d8407cf4006934271fbd1f0c251fb5e91786997

SHA256
7a275f7f2ccf99a65eb4bd5f8cbd944041473b6c804487daf03b720700b760ea

SHA512
1f58ffe864710bc35f790510284b39337e8caaf0cf434517afcf0e894dd99c737aba22da27ddd6ee93ce7791407c7338ad2433b4310815f3f644fc72a212b2d9

Download Submit
C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Windows\Installer\f76dd45.msi

Filesize
41.1MB

MD5
27ba48360e40e33e30f22f9258ca8aec

SHA1
f86f07a4fde054f77591c7c42a751f4fa566cdd5

SHA256
593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

SHA512
0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497

Download Submit
memory/2476-12-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2824-31-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download