8ed36de47fb703e516f63d7db1708dbfac0bc3619024d7769796d7ebeddb3603

Analysis

max time kernel
91s
max time network
104s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i4Tools_ns9.9.8.6.msi
Size

232.3MB
MD5

5cc9c7280b6ac33963bc8160d934541e
SHA1

9f33f68852f3fc3e4028de14e54babe1860e9d9b
SHA256

8ed36de47fb703e516f63d7db1708dbfac0bc3619024d7769796d7ebeddb3603
SHA512

1548167410270a2a25bc75d2d3b2b1c9a3a8b18b56fe545614617c7290d5981d824b913e017a7d31f5ea5948af3a153238b55450b1c0132fb51a6cc491cd8160
SSDEEP

6291456:5ME4FlRDcoxNkXSm6CxxRPo8BMvm1LpkABIU:5cFlRDRE/7Pf1Bl

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\GuideDirectorMajestic\common_clang32.dll	msiexec.exe
File created	C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe	msiexec.exe
File created	C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs	msiexec.exe
File created	C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe	PRsFNBCyinrq.exe
File opened for modification	C:\Program Files\GuideDirectorMajestic	LyHdRfaUXB12.exe
File created	C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe	msiexec.exe
File created	C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.xml	PRsFNBCyinrq.exe
File opened for modification	C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.xml	PRsFNBCyinrq.exe
File created	C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe	PRsFNBCyinrq.exe
File opened for modification	C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe	PRsFNBCyinrq.exe
File opened for modification	C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe	PRsFNBCyinrq.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f785feb.msi	msiexec.exe
File created	C:\Windows\Installer\f785fec.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6799.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f785feb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f785fee.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f785fec.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 3 IoCs

pid	Process
3040	PRsFNBCyinrq.exe
1084	LyHdRfaUXB12.exe
568	i4Tools8Setupx64.exe

Loads dropped DLL 3 IoCs

pid	Process
1084	LyHdRfaUXB12.exe
1084	LyHdRfaUXB12.exe
1084	LyHdRfaUXB12.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2292	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PRsFNBCyinrq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LyHdRfaUXB12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i4Tools8Setupx64.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e09be5869f13db01	i4Tools8Setupx64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	i4Tools8Setupx64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000c082f1869f13db01	i4Tools8Setupx64.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000e09be5869f13db01	i4Tools8Setupx64.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000000c0ec869f13db01	i4Tools8Setupx64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000000c0ec869f13db01	i4Tools8Setupx64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000000c0ec869f13db01	i4Tools8Setupx64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000000c0ec869f13db01	i4Tools8Setupx64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F4821BE2FE83B641AFEE52ADCBD05FA\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\ProductName = "GuideDirectorMajestic"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\PackageName = "i4Tools_ns9.9.8.6.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F4821BE2FE83B641AFEE52ADCBD05FA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\PackageCode = "959E13194283C7442AFCC13DFA454E3F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96406823274B666478EB968B7D40B776	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Version = "50397187"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96406823274B666478EB968B7D40B776\2F4821BE2FE83B641AFEE52ADCBD05FA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2760	msiexec.exe
2760	msiexec.exe
1084	LyHdRfaUXB12.exe
568	i4Tools8Setupx64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeMachineAccountPrivilege	2292	msiexec.exe
Token: SeTcbPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeLoadDriverPrivilege	2292	msiexec.exe
Token: SeSystemProfilePrivilege	2292	msiexec.exe
Token: SeSystemtimePrivilege	2292	msiexec.exe
Token: SeProfSingleProcessPrivilege	2292	msiexec.exe
Token: SeIncBasePriorityPrivilege	2292	msiexec.exe
Token: SeCreatePagefilePrivilege	2292	msiexec.exe
Token: SeCreatePermanentPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeDebugPrivilege	2292	msiexec.exe
Token: SeAuditPrivilege	2292	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2292	msiexec.exe
Token: SeChangeNotifyPrivilege	2292	msiexec.exe
Token: SeRemoteShutdownPrivilege	2292	msiexec.exe
Token: SeUndockPrivilege	2292	msiexec.exe
Token: SeSyncAgentPrivilege	2292	msiexec.exe
Token: SeEnableDelegationPrivilege	2292	msiexec.exe
Token: SeManageVolumePrivilege	2292	msiexec.exe
Token: SeImpersonatePrivilege	2292	msiexec.exe
Token: SeCreateGlobalPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2900	vssvc.exe
Token: SeRestorePrivilege	2900	vssvc.exe
Token: SeAuditPrivilege	2900	vssvc.exe
Token: SeBackupPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2792	DrvInst.exe
Token: SeLoadDriverPrivilege	2792	DrvInst.exe
Token: SeLoadDriverPrivilege	2792	DrvInst.exe
Token: SeLoadDriverPrivilege	2792	DrvInst.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeDebugPrivilege	568	i4Tools8Setupx64.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	msiexec.exe
2292	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2936	2760	msiexec.exe	33
PID 2760 wrote to memory of 2936	2760	msiexec.exe	33
PID 2760 wrote to memory of 2936	2760	msiexec.exe	33
PID 2760 wrote to memory of 2936	2760	msiexec.exe	33
PID 2760 wrote to memory of 2936	2760	msiexec.exe	33
PID 2936 wrote to memory of 3040	2936	MsiExec.exe	34
PID 2936 wrote to memory of 3040	2936	MsiExec.exe	34
PID 2936 wrote to memory of 3040	2936	MsiExec.exe	34
PID 2936 wrote to memory of 3040	2936	MsiExec.exe	34
PID 2936 wrote to memory of 1084	2936	MsiExec.exe	36
PID 2936 wrote to memory of 1084	2936	MsiExec.exe	36
PID 2936 wrote to memory of 1084	2936	MsiExec.exe	36
PID 2936 wrote to memory of 1084	2936	MsiExec.exe	36
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37
PID 2936 wrote to memory of 568	2936	MsiExec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4Tools_ns9.9.8.6.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 33A3C0C4C9F8DE2774F1A46324AD910F M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe
    "C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe" x "C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs" -o"C:\Program Files\GuideDirectorMajestic\" -pUaLIpHJjhMODAzOiylZA -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe
    "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 101 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1084
- - C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe
    "C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E8" "00000000000003F0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f785fed.rbs

Filesize
7KB

MD5
2d5c88ea06414539228aaac8d7f62f71

SHA1
16040cc0be1b66ad70c8b4077bbecbd4e3d70a92

SHA256
017718dcfa75a42698ecd65278b58ea872d7517e184c8514b8c4c30226e818dc

SHA512
8d7409256bdec945c28a2e8972ca9383df15185a235f578294cedc042e3e741d26b06b4c2f2b0040e4d0b1159ff2dfe6dcdd0087658c13408c64e6b2141a6661

Download Submit
C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe

Filesize
2.8MB

MD5
e274e2b9cafc75fc874aa56a40f2f20b

SHA1
be492f85fa47422e0dea88ef38e87670ca698fa4

SHA256
d464844275663ca56a44d42a9401af0193f94fc82b559e71d8333926fa304424

SHA512
11c482e066678791ba98a8ce1e016aab8ab6a15864d63137f439a445721e3a802095b42e0069677ee7b6892423a3f0bbbfe934ff177866924646053cd799463b

Download Submit
C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs

Filesize
1.6MB

MD5
c2cafebae1a025baabc17b4eeca638f6

SHA1
1fc8638271ea468e2b2fbe4f5a3502da1fe54207

SHA256
5a791f23acbb035e1d05a484eb9bd6d805a3f56464901595193f4f68e1173e47

SHA512
659834c96b72d76b4aa7d42463b56db7c9dde4e7c91fd5252f410b3ae01edd6479a6b9a606203f341f5a9acaefd73b65c34ab25c836bbec8dc8b8cb0b8156426

Download Submit
C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
memory/1084-25-0x0000000000390000-0x00000000003B7000-memory.dmp

Filesize
156KB

Download
memory/2936-12-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download