Analysis
- max time kernel: 149s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22-09-2024 13:55
Static task: static1
Behavioral task: behavioral1
- Sample: WPSOffice10469357401533.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: WPSOffice10469357401533.msi
- Resource: win10v2004-20240802-en
General
- Target: WPSOffice10469357401533.msi
- Size: 41.1MB
- MD5: 27ba48360e40e33e30f22f9258ca8aec
- SHA1: f86f07a4fde054f77591c7c42a751f4fa566cdd5
- SHA256: 593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60
- SHA512: 0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497
- SSDEEP: 786432:bz9YO2wwhIk3QM8g4fzggu4Pm7WJn8tKFodQrzRIwio026V:Fa3Qg4fzgh4fn8tKFeQr9tiod6V
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe | hqUsxQVokjCH.exe
File opened for modification | C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe | hqUsxQVokjCH.exe
File opened for modification | C:\Program Files\SecureSponsorGenerous | EiAuPIYhFE4.exe
File created | C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr | msiexec.exe
File created | C:\Program Files\SecureSponsorGenerous\xlsx.xlsx | msiexec.exe
File created | C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml | hqUsxQVokjCH.exe
File opened for modification | C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml | hqUsxQVokjCH.exe
File opened for modification | C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe | hqUsxQVokjCH.exe
File created | C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe | hqUsxQVokjCH.exe
File created | C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe | msiexec.exe
File created | C:\Program Files\SecureSponsorGenerous\UE4PrereqSetup_x64.exe | msiexec.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\f77b4fd.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\f77b4fe.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f77b4fd.msi | msiexec.exe
File created | C:\Windows\Installer\f77b4fe.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB75D.tmp | msiexec.exe
File created | C:\Windows\Installer\f77b500.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
Executes dropped EXE (2 IoCs)
pid | Process
1624 | hqUsxQVokjCH.exe
1420 | EiAuPIYhFE4.exe
Loads dropped DLL (6 IoCs)
pid | Process
1032 | MsiExec.exe
1032 | MsiExec.exe
1032 | MsiExec.exe
1032 | MsiExec.exe
1420 | EiAuPIYhFE4.exe
1420 | EiAuPIYhFE4.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
3028 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hqUsxQVokjCH.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EiAuPIYhFE4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EXCEL.EXE
Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (22 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\587C2C6BD312F174B88A161D7D7958A7 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\587C2C6BD312F174B88A161D7D7958A7\74F584E381D0AFF4DBFE10B32E52A17F | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\74F584E381D0AFF4DBFE10B32E52A17F | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Version = "134414336" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\ProductName = "SecureSponsorGenerous" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\PackageCode = "F55B3AEC34BB71F4F9AA425C412D3435" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\PackageName = "WPSOffice10469357401533.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\74F584E381D0AFF4DBFE10B32E52A17F\ProductFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\InstanceType = "0" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\74F584E381D0AFF4DBFE10B32E52A17F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
776 | EXCEL.EXE
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2736 | msiexec.exe
2736 | msiexec.exe
1420 | EiAuPIYhFE4.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3028 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3028 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeSecurityPrivilege | 2736 | msiexec.exe
Token: SeCreateTokenPrivilege | 3028 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3028 | msiexec.exe
Token: SeLockMemoryPrivilege | 3028 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3028 | msiexec.exe
Token: SeMachineAccountPrivilege | 3028 | msiexec.exe
Token: SeTcbPrivilege | 3028 | msiexec.exe
Token: SeSecurityPrivilege | 3028 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3028 | msiexec.exe
Token: SeLoadDriverPrivilege | 3028 | msiexec.exe
Token: SeSystemProfilePrivilege | 3028 | msiexec.exe
Token: SeSystemtimePrivilege | 3028 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3028 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3028 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3028 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3028 | msiexec.exe
Token: SeBackupPrivilege | 3028 | msiexec.exe
Token: SeRestorePrivilege | 3028 | msiexec.exe
Token: SeShutdownPrivilege | 3028 | msiexec.exe
Token: SeDebugPrivilege | 3028 | msiexec.exe
Token: SeAuditPrivilege | 3028 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3028 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3028 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3028 | msiexec.exe
Token: SeUndockPrivilege | 3028 | msiexec.exe
Token: SeSyncAgentPrivilege | 3028 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3028 | msiexec.exe
Token: SeManageVolumePrivilege | 3028 | msiexec.exe
Token: SeImpersonatePrivilege | 3028 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3028 | msiexec.exe
Token: SeBackupPrivilege | 2636 | vssvc.exe
Token: SeRestorePrivilege | 2636 | vssvc.exe
Token: SeAuditPrivilege | 2636 | vssvc.exe
Token: SeBackupPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 912 | DrvInst.exe
Token: SeLoadDriverPrivilege | 912 | DrvInst.exe
Token: SeLoadDriverPrivilege | 912 | DrvInst.exe
Token: SeLoadDriverPrivilege | 912 | DrvInst.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2736 | msiexec.exe
Token: SeRestorePrivilege | 2736 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3028 | msiexec.exe
3028 | msiexec.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
776 | EXCEL.EXE
776 | EXCEL.EXE
776 | EXCEL.EXE
776 | EXCEL.EXE
776 | EXCEL.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 2736 wrote to memory of 1032 | 2736 | msiexec.exe | 34
PID 1032 wrote to memory of 1624 | 1032 | MsiExec.exe | 35
PID 1032 wrote to memory of 1624 | 1032 | MsiExec.exe | 35
PID 1032 wrote to memory of 1624 | 1032 | MsiExec.exe | 35
PID 1032 wrote to memory of 1624 | 1032 | MsiExec.exe | 35
PID 1032 wrote to memory of 1420 | 1032 | MsiExec.exe | 37
PID 1032 wrote to memory of 1420 | 1032 | MsiExec.exe | 37
PID 1032 wrote to memory of 1420 | 1032 | MsiExec.exe | 37
PID 1032 wrote to memory of 1420 | 1032 | MsiExec.exe | 37
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
PID 1032 wrote to memory of 776 | 1032 | MsiExec.exe | 38
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID: 3028)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPSOffice10469357401533.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID: 2736)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID: 1032)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8927A8332E8C27DF8654CFC4FCADD9F3 M Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe (PID: 1624)
      Command line: "C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe" x "C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr" -o"C:\Program Files\SecureSponsorGenerous\" -pBtrCoSaelPTuXoCAcEwA -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
    - C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe (PID: 1420)
      Command line: "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 242 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (PID: 776)
      Command line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe (PID: 2636)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID: 912)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "0000000000000598"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads