Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-09-2024 11:28
Static task: static1
Behavioral task: behavioral1
  Sample: kuilian89.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: kuilian89.msi
  Resource: win10v2004-20240910-en
General
Target: kuilian89.msi
Size: 35.9MB
MD5: 6bd8fab2fd596986f7f55c0993ae1981
SHA1: ab2963c0959aaa08ce98ae3e7990ecb5b4cbf313
SHA256: 59d6dc380808c3e46f3ec1d7b2aeae25a542e0082d0ff6efff12a6abd379b6c1
SHA512: 4fade01d209ffa312f55477eeaeaf0600b9fe43a3cf8af92fdfb0f3eedb2c7facfaf1e803c73b32c2f4346beb010124515388af4d08e7520495ff0d54a316685
SSDEEP: 786432:+0SBQMqgaahHtS6fKR0h5w1NMICKjpYpMUDRDbNm5IZYax4TzFVwEG7aPuDu9d:TSB/qgvg6CR04NMIC4ZUFDbNm5zjTJVD
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe | LaMhTUfHIdyc.exe
File opened for modification | C:\Program Files\SolveDefenderSerene | ZNIpMGgmtO28.exe
File created | C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe | msiexec.exe
File created | C:\Program Files\SolveDefenderSerene\letsvpn.exe | msiexec.exe
File created | C:\Program Files\SolveDefenderSerene\QnnRXazkZQiQCErBAOww | msiexec.exe
File created | C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe | LaMhTUfHIdyc.exe
File opened for modification | C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe | LaMhTUfHIdyc.exe
File opened for modification | C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe | LaMhTUfHIdyc.exe
File created | C:\Program Files\SolveDefenderSerene\UnityPlayer.dll | msiexec.exe
File created | C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.xml | LaMhTUfHIdyc.exe
File opened for modification | C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.xml | LaMhTUfHIdyc.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f775503.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f775503.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI563B.tmp | msiexec.exe
File created | C:\Windows\Installer\f775506.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f775504.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\f775504.ipi | msiexec.exe
Executes dropped EXE (3 IoCs)
pid | Process
696 | LaMhTUfHIdyc.exe
264 | ZNIpMGgmtO28.exe
1132 | letsvpn.exe
Loads dropped DLL (11 IoCs)
pid | Process
2436 | MsiExec.exe
2436 | MsiExec.exe
2436 | MsiExec.exe
2436 | MsiExec.exe
2436 | MsiExec.exe
264 | ZNIpMGgmtO28.exe
264 | ZNIpMGgmtO28.exe
264 | ZNIpMGgmtO28.exe
1132 | letsvpn.exe
1132 | letsvpn.exe
1132 | letsvpn.exe
Command and Scripting Interpreter: PowerShell (1 IoCs)
pid | Process
1912 | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2156 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | letsvpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LaMhTUfHIdyc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZNIpMGgmtO28.exe
Modifies data under HKEY_USERS (52 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | ZNIpMGgmtO28.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6090b7d1e20cdb01 | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | ZNIpMGgmtO28.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | ZNIpMGgmtO28.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" | ZNIpMGgmtO28.exe
Modifies registry class (22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\PackageName = "kuilian89.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\756291624123FA74696285E148233E10 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\PackageCode = "37ACAB37803DF1D46A97C65260D6EFAA" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\217C81EF23351BD4E8C3D4637A5C33A1 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\756291624123FA74696285E148233E10\ProductFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\217C81EF23351BD4E8C3D4637A5C33A1\756291624123FA74696285E148233E10 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\ProductName = "SolveDefenderSerene" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\Version = "83951616" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\SourceList | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\756291624123FA74696285E148233E10\Clients = 3a0000000000 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2788 | msiexec.exe
2788 | msiexec.exe
264 | ZNIpMGgmtO28.exe
1912 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1132 | letsvpn.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2156 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2156 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeSecurityPrivilege | 2788 | msiexec.exe
Token: SeCreateTokenPrivilege | 2156 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2156 | msiexec.exe
Token: SeLockMemoryPrivilege | 2156 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2156 | msiexec.exe
Token: SeMachineAccountPrivilege | 2156 | msiexec.exe
Token: SeTcbPrivilege | 2156 | msiexec.exe
Token: SeSecurityPrivilege | 2156 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2156 | msiexec.exe
Token: SeLoadDriverPrivilege | 2156 | msiexec.exe
Token: SeSystemProfilePrivilege | 2156 | msiexec.exe
Token: SeSystemtimePrivilege | 2156 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2156 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2156 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2156 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2156 | msiexec.exe
Token: SeBackupPrivilege | 2156 | msiexec.exe
Token: SeRestorePrivilege | 2156 | msiexec.exe
Token: SeShutdownPrivilege | 2156 | msiexec.exe
Token: SeDebugPrivilege | 2156 | msiexec.exe
Token: SeAuditPrivilege | 2156 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2156 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2156 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2156 | msiexec.exe
Token: SeUndockPrivilege | 2156 | msiexec.exe
Token: SeSyncAgentPrivilege | 2156 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2156 | msiexec.exe
Token: SeManageVolumePrivilege | 2156 | msiexec.exe
Token: SeImpersonatePrivilege | 2156 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2156 | msiexec.exe
Token: SeBackupPrivilege | 2672 | vssvc.exe
Token: SeRestorePrivilege | 2672 | vssvc.exe
Token: SeAuditPrivilege | 2672 | vssvc.exe
Token: SeBackupPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2604 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2604 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2604 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2604 | DrvInst.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2788 | msiexec.exe
Token: SeRestorePrivilege | 2788 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2156 | msiexec.exe
2156 | msiexec.exe
Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | Process | procid_target
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2788 wrote to memory of 2436 | 2788 | msiexec.exe | 34
PID 2436 wrote to memory of 696 | 2436 | MsiExec.exe | 35
PID 2436 wrote to memory of 696 | 2436 | MsiExec.exe | 35
PID 2436 wrote to memory of 696 | 2436 | MsiExec.exe | 35
PID 2436 wrote to memory of 696 | 2436 | MsiExec.exe | 35
PID 2436 wrote to memory of 264 | 2436 | MsiExec.exe | 37
PID 2436 wrote to memory of 264 | 2436 | MsiExec.exe | 37
PID 2436 wrote to memory of 264 | 2436 | MsiExec.exe | 37
PID 2436 wrote to memory of 264 | 2436 | MsiExec.exe | 37
PID 2436 wrote to memory of 1132 | 2436 | MsiExec.exe | 38
PID 2436 wrote to memory of 1132 | 2436 | MsiExec.exe | 38
PID 2436 wrote to memory of 1132 | 2436 | MsiExec.exe | 38
PID 2436 wrote to memory of 1132 | 2436 | MsiExec.exe | 38
PID 1132 wrote to memory of 1912 | 1132 | letsvpn.exe | 39
PID 1132 wrote to memory of 1912 | 1132 | letsvpn.exe | 39
PID 1132 wrote to memory of 1912 | 1132 | letsvpn.exe | 39
PID 1132 wrote to memory of 1912 | 1132 | letsvpn.exe | 39
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (depth 1)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kuilian89.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2156

C:\Windows\system32\msiexec.exe (depth 1)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2788

  C:\Windows\syswow64\MsiExec.exe (depth 2)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 315E22711BDCD917DD24A38CAAA8F332 M Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2436

    C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe (depth 3)
      command line: "C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe" x "C:\Program Files\SolveDefenderSerene\QnnRXazkZQiQCErBAOww" -o"C:\Program Files\SolveDefenderSerene\" -pPakXGajjGRCPvwIYdoub -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 696

    C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe (depth 3)
      command line: "C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe" -number 145 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 264

    C:\Program Files\SolveDefenderSerene\letsvpn.exe (depth 3)
      command line: "C:\Program Files\SolveDefenderSerene\letsvpn.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
      PID: 1132

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        command line: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        PID: 1912

C:\Windows\system32\vssvc.exe (depth 1)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2672

C:\Windows\system32\DrvInst.exe (depth 1)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D0" "00000000000003E0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads