Analysis

max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-09-2024 14:20

Static task: static1
Behavioral task: behavioral1
  Sample: klianghaxx.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: klianghaxx.msi
  Resource: win10v2004-20240802-en
General

Target: klianghaxx.msi
Size: 35.7MB
MD5: b50224d2998918a46f53631e95d0c82a
SHA1: b87a7ac613227efff93e5ee806587bdff1407561
SHA256: 4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb
SHA512: 35ace3df1e35e5b633184d78df5c8aa56f180ff55cc3d90304fdb720d9908325af36fb82151b5a7bbf175d2afbb140a13e5c4f9fea46e12a5719c5a8e8fcf1c8
SSDEEP: 786432:qkhIiFQmQPoasemFaut9MNGXQAXPrWDP7THYKuPQplTiE7Fym:b0m8oasgutuN9AXPrWDPvHduGTifm
Malware Config
Signatures
-
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (11 IoCs)
description | ioc | Process
File created | C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe | RprxlqTjDBnm.exe
File opened for modification | C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe | RprxlqTjDBnm.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe | msiexec.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe | msiexec.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\UnityPlayer.dll | msiexec.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf | msiexec.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml | RprxlqTjDBnm.exe
File opened for modification | C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml | RprxlqTjDBnm.exe
File opened for modification | C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe | RprxlqTjDBnm.exe
File created | C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe | RprxlqTjDBnm.exe
File opened for modification | C:\Program Files\UpgradeAdvisorSteadfast | eCIiCJQGvW16.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76a90b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76a90b.msi | msiexec.exe
File created | C:\Windows\Installer\f76a90c.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAA05.tmp | msiexec.exe
File created | C:\Windows\Installer\f76a90e.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\Installer\f76a90c.ipi | msiexec.exe
Executes dropped EXE (3 IoCs)
pid | Process
1948 | RprxlqTjDBnm.exe
2416 | eCIiCJQGvW16.exe
1560 | letsvpn.exe
Loads dropped DLL (10 IoCs)
pid | Process
2208 | MsiExec.exe
2208 | MsiExec.exe
2208 | MsiExec.exe
2208 | MsiExec.exe
2208 | MsiExec.exe
1560 | letsvpn.exe
1560 | letsvpn.exe
2416 | eCIiCJQGvW16.exe
2416 | eCIiCJQGvW16.exe
1560 | letsvpn.exe
Command and Scripting Interpreter: PowerShell
pid | Process
2876 | powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
2496 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RprxlqTjDBnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | eCIiCJQGvW16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | letsvpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Modifies data under HKEY_USERS (48 IoCs)
Modifies registry class (22 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\ProductName = "UpgradeAdvisorSteadfast" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Version = "67108870" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\PackageName = "klianghaxx.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\PackageCode = "9F3668E6BA3100E4789F21AFF2E8BF85" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B\0122D42CC5553E14B8A2D8928378198D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Net | msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
2944 | msiexec.exe
2944 | msiexec.exe
2416 | eCIiCJQGvW16.exe
2876 | powershell.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1560 | letsvpn.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2496 | msiexec.exe
2496 | msiexec.exe
Suspicious use of WriteProcessMemory (23 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\klianghaxx.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 2496

[depth 1] C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2944

  [depth 2] C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 56B2C2DEC1BB2EC0D9272134A1996ED0 M Global\MSI0000
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2208

    [depth 3] C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe
    Command line: "C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe" x "C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf" -o"C:\Program Files\UpgradeAdvisorSteadfast\" -pUdhsuLYAGzPmDseEvpqp -y
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1948

    [depth 3] C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
    Command line: "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 175 -file file3 -mode mode3 -flag flag3
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 2416

    [depth 3] C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe
    Command line: "C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID: 1560

      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      - Drops file in System32 directory
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      PID: 2876

[depth 1] C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2884

[depth 1] C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000055C" "00000000000003D8"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads