Analysis
max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-09-2024 11:37
Static task: static1
Behavioral task: behavioral1
Sample: googlups.msi
Resource: win7-20240903-en

General
Target: googlups.msi
Size: 27.6MB
MD5: 1360b4beaf800c3ca4be311301cb2cb7
SHA1: f4d0724cf3df9d78779a5002c0414b1fcd76cbf8
SHA256: 60ccad58b390a02fdf64477e6cbfd545c43788c7abaeb1fbe4d26099e178fe4a
SHA512: 7e66cae3bbc27d7e55871e7ed06ded74b5aa222d4e21a0ed37b55b0c00fdcbd3817abc5ad303bc561ac54bb0bfa2a0cfe441226638f364ea7163977856046ab7
SSDEEP: 786432:wURQ1YYLOtsId3pQof4c0RtYhGYrCw45almp:w2U9XeI8bwala
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe

Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\SecureRetailerTrusty\IVgmTTGSKQEu.xml | ivfFOaaBljLY.exe
File created | C:\Program Files\SecureRetailerTrusty\EDWJLBYgUE16.exe | ivfFOaaBljLY.exe
File opened for modification | C:\Program Files\SecureRetailerTrusty\IVgmTTGSKQEu.exe | ivfFOaaBljLY.exe
File created | C:\Program Files\SecureRetailerTrusty\Aspose.Pdf.dll | msiexec.exe
File created | C:\Program Files\SecureRetailerTrusty\ChromeSetup.exe | msiexec.exe
File created | C:\Program Files\SecureRetailerTrusty\EvUYYnXAbyuPvELXKSQP | msiexec.exe
File created | C:\Program Files\SecureRetailerTrusty\ivfFOaaBljLY.exe | msiexec.exe
File created | C:\Program Files\SecureRetailerTrusty\IVgmTTGSKQEu.xml | ivfFOaaBljLY.exe
File opened for modification | C:\Program Files\SecureRetailerTrusty\EDWJLBYgUE16.exe | ivfFOaaBljLY.exe
File created | C:\Program Files\SecureRetailerTrusty\IVgmTTGSKQEu.exe | ivfFOaaBljLY.exe
File opened for modification | C:\Program Files\SecureRetailerTrusty | EDWJLBYgUE16.exe

Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76bece.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBF88.tmp | msiexec.exe
File created | C:\Windows\Installer\f76bed0.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f76becd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76becd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76bece.ipi | msiexec.exe

Executes dropped EXE (3 IoCs)
pid | Process
2544 | ivfFOaaBljLY.exe
2168 | EDWJLBYgUE16.exe
584 | ChromeSetup.exe

Loads dropped DLL (10 IoCs)
pid | Process
2792 | MsiExec.exe
2792 | MsiExec.exe
2792 | MsiExec.exe
2792 | MsiExec.exe
2168 | EDWJLBYgUE16.exe
2168 | EDWJLBYgUE16.exe
2168 | EDWJLBYgUE16.exe
2168 | EDWJLBYgUE16.exe
2168 | EDWJLBYgUE16.exe
2168 | EDWJLBYgUE16.exe

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2400 | msiexec.exe

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ivfFOaaBljLY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDWJLBYgUE16.exe

Modifies data under HKEY_USERS (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe

Modifies registry class (22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8898F902281C1494FBF264B882CD5E63 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\PackageName = "googlups.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\72C09383E414F154AB45B1F83E731FE6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\PackageCode = "CCB08B62D8D3D0F4495CB22D00B18B18" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\72C09383E414F154AB45B1F83E731FE6\ProductFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\Version = "151191560" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8898F902281C1494FBF264B882CD5E63\72C09383E414F154AB45B1F83E731FE6 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\ProductName = "SecureRetailerTrusty" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\72C09383E414F154AB45B1F83E731FE6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
1732 | msiexec.exe
1732 | msiexec.exe
2168 | EDWJLBYgUE16.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2400 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2400 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeSecurityPrivilege | 1732 | msiexec.exe
Token: SeCreateTokenPrivilege | 2400 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2400 | msiexec.exe
Token: SeLockMemoryPrivilege | 2400 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2400 | msiexec.exe
Token: SeMachineAccountPrivilege | 2400 | msiexec.exe
Token: SeTcbPrivilege | 2400 | msiexec.exe
Token: SeSecurityPrivilege | 2400 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2400 | msiexec.exe
Token: SeLoadDriverPrivilege | 2400 | msiexec.exe
Token: SeSystemProfilePrivilege | 2400 | msiexec.exe
Token: SeSystemtimePrivilege | 2400 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2400 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2400 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2400 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2400 | msiexec.exe
Token: SeBackupPrivilege | 2400 | msiexec.exe
Token: SeRestorePrivilege | 2400 | msiexec.exe
Token: SeShutdownPrivilege | 2400 | msiexec.exe
Token: SeDebugPrivilege | 2400 | msiexec.exe
Token: SeAuditPrivilege | 2400 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2400 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2400 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2400 | msiexec.exe
Token: SeUndockPrivilege | 2400 | msiexec.exe
Token: SeSyncAgentPrivilege | 2400 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2400 | msiexec.exe
Token: SeManageVolumePrivilege | 2400 | msiexec.exe
Token: SeImpersonatePrivilege | 2400 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2400 | msiexec.exe
Token: SeBackupPrivilege | 2304 | vssvc.exe
Token: SeRestorePrivilege | 2304 | vssvc.exe
Token: SeAuditPrivilege | 2304 | vssvc.exe
Token: SeBackupPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 2192 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2192 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2192 | DrvInst.exe
Token: SeLoadDriverPrivilege | 2192 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1732 | msiexec.exe
Token: SeRestorePrivilege | 1732 | msiexec.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2400 | msiexec.exe
2400 | msiexec.exe

Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 1732 wrote to memory of 2792 | 1732 | msiexec.exe | 32
PID 2792 wrote to memory of 2544 | 2792 | MsiExec.exe | 33
PID 2792 wrote to memory of 2544 | 2792 | MsiExec.exe | 33
PID 2792 wrote to memory of 2544 | 2792 | MsiExec.exe | 33
PID 2792 wrote to memory of 2544 | 2792 | MsiExec.exe | 33
PID 2792 wrote to memory of 2168 | 2792 | MsiExec.exe | 35
PID 2792 wrote to memory of 2168 | 2792 | MsiExec.exe | 35
PID 2792 wrote to memory of 2168 | 2792 | MsiExec.exe | 35
PID 2792 wrote to memory of 2168 | 2792 | MsiExec.exe | 35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Indentation shows the parent/child depth of the process tree.)

msiexec.exe (PID 2400)
  Image: C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\googlups.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

msiexec.exe (PID 1732)
  Image: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    MsiExec.exe (PID 2792)
      Image: C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5CD746C0D0DFA42E538C51B7DCFA178E M Global\MSI0000
      Signatures:
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        ivfFOaaBljLY.exe (PID 2544)
          Image: C:\Program Files\SecureRetailerTrusty\ivfFOaaBljLY.exe
          Command line: "C:\Program Files\SecureRetailerTrusty\ivfFOaaBljLY.exe" x "C:\Program Files\SecureRetailerTrusty\EvUYYnXAbyuPvELXKSQP" -o"C:\Program Files\SecureRetailerTrusty\" -pFpTMTtJmTTolePKAwdwa -y
          Signatures:
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        EDWJLBYgUE16.exe (PID 2168)
          Image: C:\Program Files\SecureRetailerTrusty\EDWJLBYgUE16.exe
          Command line: "C:\Program Files\SecureRetailerTrusty\EDWJLBYgUE16.exe" -number 123 -file file3 -mode mode3 -flag flag3
          Signatures:
          - Drops file in Program Files directory
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        ChromeSetup.exe (PID 584)
          Image: C:\Program Files\SecureRetailerTrusty\ChromeSetup.exe
          Command line: "C:\Program Files\SecureRetailerTrusty\ChromeSetup.exe"
          Signatures:
          - Executes dropped EXE

vssvc.exe (PID 2304)
  Image: C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken

DrvInst.exe (PID 2192)
  Image: C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004E0" "0000000000000594"
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads