df41ebd057040524d137711938752fef32872f8a3ed2f4ee10e6b7c05d7f4410

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrrmesetup.msi
Size

27.8MB
MD5

60b6321a22e3cfcecc3c1c68295cc868
SHA1

808a316ee3b0f4fc7bce63358ff4f744e628465b
SHA256

df41ebd057040524d137711938752fef32872f8a3ed2f4ee10e6b7c05d7f4410
SHA512

b4047e9ef64bf63933143d289ce88b11107d552d37ef2905c3139e414bc8a61f86f49b548ee2e8978d0d02f5acfdc407640def7d05a9bcaffacfcebd5d872b91
SSDEEP

786432:NURQ1YYLOtsId3pQof4c0RtYhGYrCw45alNJFOF:N2U9XeI8bwal8

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\DeployEngineerCalm\ChromeSetup.exe	msiexec.exe
File created	C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe	msiexec.exe
File created	C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe	RVMrLdYYerZH.exe
File opened for modification	C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe	RVMrLdYYerZH.exe
File created	C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.exe	RVMrLdYYerZH.exe
File created	C:\Program Files\DeployEngineerCalm\Aspose.Pdf.dll	msiexec.exe
File created	C:\Program Files\DeployEngineerCalm\MSjpGFGbYdhVKRljAaZT	msiexec.exe
File created	C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.xml	RVMrLdYYerZH.exe
File opened for modification	C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.xml	RVMrLdYYerZH.exe
File opened for modification	C:\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.exe	RVMrLdYYerZH.exe
File opened for modification	C:\Program Files\DeployEngineerCalm	gafcETxyYz4.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f773ee4.msi	msiexec.exe
File created	C:\Windows\Installer\f773ee7.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f773ee4.msi	msiexec.exe
File created	C:\Windows\Installer\f773ee5.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3FBE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f773ee5.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
2616	RVMrLdYYerZH.exe
1784	gafcETxyYz4.exe
2924	ChromeSetup.exe

Loads dropped DLL 10 IoCs

pid	Process
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
2196	MsiExec.exe
1784	gafcETxyYz4.exe
1784	gafcETxyYz4.exe
1784	gafcETxyYz4.exe
1784	gafcETxyYz4.exe
1784	gafcETxyYz4.exe
1784	gafcETxyYz4.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1620	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVMrLdYYerZH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gafcETxyYz4.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\54C49777214F77A419A86C2403F1E555\AFC7F96DBCD857B428991B4339BD9527	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AFC7F96DBCD857B428991B4339BD9527	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\ProductName = "DeployEngineerCalm"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AFC7F96DBCD857B428991B4339BD9527\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\54C49777214F77A419A86C2403F1E555	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\PackageName = "chrrmesetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Version = "151388168"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\PackageCode = "79FDD66EA25769F40B8EC75BE5FFDB45"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AFC7F96DBCD857B428991B4339BD9527\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2840	msiexec.exe
2840	msiexec.exe
1784	gafcETxyYz4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeSecurityPrivilege	2840	msiexec.exe
Token: SeCreateTokenPrivilege	1620	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1620	msiexec.exe
Token: SeLockMemoryPrivilege	1620	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1620	msiexec.exe
Token: SeMachineAccountPrivilege	1620	msiexec.exe
Token: SeTcbPrivilege	1620	msiexec.exe
Token: SeSecurityPrivilege	1620	msiexec.exe
Token: SeTakeOwnershipPrivilege	1620	msiexec.exe
Token: SeLoadDriverPrivilege	1620	msiexec.exe
Token: SeSystemProfilePrivilege	1620	msiexec.exe
Token: SeSystemtimePrivilege	1620	msiexec.exe
Token: SeProfSingleProcessPrivilege	1620	msiexec.exe
Token: SeIncBasePriorityPrivilege	1620	msiexec.exe
Token: SeCreatePagefilePrivilege	1620	msiexec.exe
Token: SeCreatePermanentPrivilege	1620	msiexec.exe
Token: SeBackupPrivilege	1620	msiexec.exe
Token: SeRestorePrivilege	1620	msiexec.exe
Token: SeShutdownPrivilege	1620	msiexec.exe
Token: SeDebugPrivilege	1620	msiexec.exe
Token: SeAuditPrivilege	1620	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1620	msiexec.exe
Token: SeChangeNotifyPrivilege	1620	msiexec.exe
Token: SeRemoteShutdownPrivilege	1620	msiexec.exe
Token: SeUndockPrivilege	1620	msiexec.exe
Token: SeSyncAgentPrivilege	1620	msiexec.exe
Token: SeEnableDelegationPrivilege	1620	msiexec.exe
Token: SeManageVolumePrivilege	1620	msiexec.exe
Token: SeImpersonatePrivilege	1620	msiexec.exe
Token: SeCreateGlobalPrivilege	1620	msiexec.exe
Token: SeBackupPrivilege	2704	vssvc.exe
Token: SeRestorePrivilege	2704	vssvc.exe
Token: SeAuditPrivilege	2704	vssvc.exe
Token: SeBackupPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2076	DrvInst.exe
Token: SeLoadDriverPrivilege	2076	DrvInst.exe
Token: SeLoadDriverPrivilege	2076	DrvInst.exe
Token: SeLoadDriverPrivilege	2076	DrvInst.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe
Token: SeTakeOwnershipPrivilege	2840	msiexec.exe
Token: SeRestorePrivilege	2840	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	msiexec.exe
1620	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2840 wrote to memory of 2196	2840	msiexec.exe	34
PID 2196 wrote to memory of 2616	2196	MsiExec.exe	35
PID 2196 wrote to memory of 2616	2196	MsiExec.exe	35
PID 2196 wrote to memory of 2616	2196	MsiExec.exe	35
PID 2196 wrote to memory of 2616	2196	MsiExec.exe	35
PID 2196 wrote to memory of 1784	2196	MsiExec.exe	37
PID 2196 wrote to memory of 1784	2196	MsiExec.exe	37
PID 2196 wrote to memory of 1784	2196	MsiExec.exe	37
PID 2196 wrote to memory of 1784	2196	MsiExec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\chrrmesetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1620

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B1D0C1A46CF5D986241218BA52AAADD7 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe
    "C:\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe" x "C:\Program Files\DeployEngineerCalm\MSjpGFGbYdhVKRljAaZT" -o"C:\Program Files\DeployEngineerCalm\" -pCVtfwrfwUvBoTLjcdFbD -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe
    "C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe" -number 250 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1784
- - C:\Program Files\DeployEngineerCalm\ChromeSetup.exe
    "C:\Program Files\DeployEngineerCalm\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    PID:2924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000330" "00000000000004D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f773ee6.rbs

Filesize
7KB

MD5
02d71430364448b399e35623e5e34a3d

SHA1
c54573ed114946157f5a4413ef8ddfc27b9b5f7a

SHA256
211439023c2c7c1a6d6ef9c37faa225bb8672945150fdb6b12ce9aecdbd00fb2

SHA512
5d36df8cf9580c1795aab6bda6447730d1411b938a40a757e3b7a5e774fefad69cc2117be6b0d812b78e328a11d365fc3726a349de7aa9100ee503cbd78ca80f

Download Submit
C:\Program Files\DeployEngineerCalm\ChromeSetup.exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\DeployEngineerCalm\MSjpGFGbYdhVKRljAaZT

Filesize
1.9MB

MD5
af02d33c55b6178318bf59b6f26b3b5d

SHA1
80d56ade2e9f52347d5aa7be46bcf970a93cd689

SHA256
c135cb4f3c7b7f480499187109dde41281a1e8f29259fae95893ee53d744f1da

SHA512
8d86f7de37c3e22dd5223cf3bd6140f58ff57019ad1560c43ffaff17a83ee181b64fbe210b77ed6548e0125c412bb2a9912f5aa04344e01d53454fd5bfcd6d6a

Download Submit
C:\Program Files\DeployEngineerCalm\gafcETxyYz4.exe

Filesize
3.2MB

MD5
61c267c568496d0621a0107c0fecb047

SHA1
d1d02d62bfcb4ea245fd54eb1507150d2d344284

SHA256
f7db71cf62374b28b0b635a1fbedb5524d84773ff14ea9a579f0d45ca945a059

SHA512
5e6cd5c304c5e7effd58c4eb08a4b71236d0697b6cf6e4b82c5ab980daeb3b9e7691915d7b086dd4f9dbefe49a45c3036a9f91f520be516e4872d4bd8cfe3983

Download Submit
C:\Windows\Installer\f773ee4.msi

Filesize
27.8MB

MD5
60b6321a22e3cfcecc3c1c68295cc868

SHA1
808a316ee3b0f4fc7bce63358ff4f744e628465b

SHA256
df41ebd057040524d137711938752fef32872f8a3ed2f4ee10e6b7c05d7f4410

SHA512
b4047e9ef64bf63933143d289ce88b11107d552d37ef2905c3139e414bc8a61f86f49b548ee2e8978d0d02f5acfdc407640def7d05a9bcaffacfcebd5d872b91

Download Submit
\Program Files\DeployEngineerCalm\RVMrLdYYerZH.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Program Files\DeployEngineerCalm\xFVbVZKWVCwS.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
memory/1784-32-0x0000000002060000-0x000000000208A000-memory.dmp

Filesize
168KB

Download
memory/2196-12-0x00000000002A0000-0x00000000002A2000-memory.dmp

Filesize
8KB

Download