Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2024 06:06
Static task: static1
Behavioral task: behavioral1
Sample: ChromeSetup.msi
Resource: win7-20240903-en
General
Target: ChromeSetup.msi
Size: 29.3MB
MD5: 751eb88d77d640cc9b497aafb5679821
SHA1: 2dc4ee60244acd2e135e7f9493bc047da5291cbd
SHA256: a7a6306644c25e96d94c470f5dd1b1666df2b89f83693c5f40a9beb302e5c447
SHA512: 75898716b8e5642e20f44c843d0c4e2c3d7ff3f45096fb88ec988caa99f00a949c42bd82a783966acee031f7c150d3bf77f9ae2908236f68c846bd9279ca8d39
SSDEEP: 786432:kQ05JQsO+H3nM6mU0/nKginprtaTFVn1AESToSDNGpiKv2+iW:V0TZOUSPin617SBJGpiKv2DW
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (11 IoCs)
Drops file in Windows directory (10 IoCs)
Executes dropped EXE (3 IoCs)
PID 592   kfQsuzzYiimC.exe
PID 2728  rOzLXIpgkU16.exe
PID 2892  ChromeSetup.exe
Loads dropped DLL (8 IoCs)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
PID 2196  msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  kfQsuzzYiimC.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rOzLXIpgkU16.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (22 IoCs)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
PID 2672  msiexec.exe
PID 2672  msiexec.exe
PID 2728  rOzLXIpgkU16.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 2196  msiexec.exe
PID 2196  msiexec.exe
Suspicious use of WriteProcessMemory (15 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetup.msi
PID: 2196
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 2672
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6D976A15EDF2724C2F49FA5D7C4AA22 M Global\MSI0000
    PID: 1100
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        C:\Program Files\FacilitateEngineerVigorous\kfQsuzzYiimC.exe
        Command line: "C:\Program Files\FacilitateEngineerVigorous\kfQsuzzYiimC.exe" x "C:\Program Files\FacilitateEngineerVigorous\qcxmbULseosLkruVhPHs" -o"C:\Program Files\FacilitateEngineerVigorous\" -pmnvoloPBJgRXdEHqjKyr -y
        PID: 592
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

        C:\Program Files\FacilitateEngineerVigorous\rOzLXIpgkU16.exe
        Command line: "C:\Program Files\FacilitateEngineerVigorous\rOzLXIpgkU16.exe" -number 218 -file file3 -mode mode3 -flag flag3
        PID: 2728
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\FacilitateEngineerVigorous\ChromeSetup.exe
        Command line: "C:\Program Files\FacilitateEngineerVigorous\ChromeSetup.exe"
        PID: 2892
        - Executes dropped EXE

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2964
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "000000000000005C"
PID: 2592
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads