94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

Resubmissions

29-10-2024 18:03

241029-wnd2aaxgmq 10

06-10-2024 12:18

241006-pgxrgstckn 10

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-10-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
Size

28.7MB
MD5

bffddb889b7089cc6af3b9d9efb3c89d
SHA1

977fc679569271849068e704a53c57b09009f414
SHA256

94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43
SHA512

0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93
SSDEEP

786432:tQ05JQsMXv0z+OEoBvTT1A7IXA5hPP4WhYw70FDDV:e0Tif06OXrT1AGw70FD5

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 11 IoCs

Processes:

msiexec.exeOoRjJglzLJCL.exeojZEoSUznz17.exe

description	ioc	Process
File created	C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc	msiexec.exe
File created	C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.xml	OoRjJglzLJCL.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.xml	OoRjJglzLJCL.exe
File created	C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe	OoRjJglzLJCL.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe	OoRjJglzLJCL.exe
File created	C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe	OoRjJglzLJCL.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe	OoRjJglzLJCL.exe
File created	C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe	msiexec.exe
File created	C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe	msiexec.exe
File created	C:\Program Files\ImproveDefenderResilient\uninst.exe	msiexec.exe
File opened for modification	C:\Program Files\ImproveDefenderResilient	ojZEoSUznz17.exe

Drops file in Windows directory 10 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76d8f2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d8f1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76d8f4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d8f2.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76d8f1.msi	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

OoRjJglzLJCL.exeojZEoSUznz17.exeChromeSetup(1).exe

pid	Process
1200	OoRjJglzLJCL.exe
2352	ojZEoSUznz17.exe
2688	ChromeSetup(1).exe

Loads dropped DLL 4 IoCs

Processes:

ojZEoSUznz17.exe

pid	Process
2352	ojZEoSUznz17.exe
2352	ojZEoSUznz17.exe
2352	ojZEoSUznz17.exe
2352	ojZEoSUznz17.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
2292	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

OoRjJglzLJCL.exeojZEoSUznz17.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OoRjJglzLJCL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojZEoSUznz17.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BB9212D88005874597EB8E356E6B59D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BB9212D88005874597EB8E356E6B59D\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\PackageCode = "B40D585BA97F40444B199AB85196619E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\Version = "50659333"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0DD9AE90BF0CD54C863668A4519833D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\ProductName = "ImproveDefenderResilient"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0DD9AE90BF0CD54C863668A4519833D\0BB9212D88005874597EB8E356E6B59D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BB9212D88005874597EB8E356E6B59D\SourceList\PackageName = "94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exeojZEoSUznz17.exe

pid	Process
2316	msiexec.exe
2316	msiexec.exe
2352	ojZEoSUznz17.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exeOoRjJglzLJCL.exe

description	pid	Process
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeSecurityPrivilege	2316	msiexec.exe
Token: SeCreateTokenPrivilege	2292	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2292	msiexec.exe
Token: SeLockMemoryPrivilege	2292	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2292	msiexec.exe
Token: SeMachineAccountPrivilege	2292	msiexec.exe
Token: SeTcbPrivilege	2292	msiexec.exe
Token: SeSecurityPrivilege	2292	msiexec.exe
Token: SeTakeOwnershipPrivilege	2292	msiexec.exe
Token: SeLoadDriverPrivilege	2292	msiexec.exe
Token: SeSystemProfilePrivilege	2292	msiexec.exe
Token: SeSystemtimePrivilege	2292	msiexec.exe
Token: SeProfSingleProcessPrivilege	2292	msiexec.exe
Token: SeIncBasePriorityPrivilege	2292	msiexec.exe
Token: SeCreatePagefilePrivilege	2292	msiexec.exe
Token: SeCreatePermanentPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2292	msiexec.exe
Token: SeRestorePrivilege	2292	msiexec.exe
Token: SeShutdownPrivilege	2292	msiexec.exe
Token: SeDebugPrivilege	2292	msiexec.exe
Token: SeAuditPrivilege	2292	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2292	msiexec.exe
Token: SeChangeNotifyPrivilege	2292	msiexec.exe
Token: SeRemoteShutdownPrivilege	2292	msiexec.exe
Token: SeUndockPrivilege	2292	msiexec.exe
Token: SeSyncAgentPrivilege	2292	msiexec.exe
Token: SeEnableDelegationPrivilege	2292	msiexec.exe
Token: SeManageVolumePrivilege	2292	msiexec.exe
Token: SeImpersonatePrivilege	2292	msiexec.exe
Token: SeCreateGlobalPrivilege	2292	msiexec.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe
Token: SeBackupPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeLoadDriverPrivilege	2736	DrvInst.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	1200	OoRjJglzLJCL.exe
Token: 35	1200	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	1200	OoRjJglzLJCL.exe
Token: SeSecurityPrivilege	1200	OoRjJglzLJCL.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe
Token: SeTakeOwnershipPrivilege	2316	msiexec.exe
Token: SeRestorePrivilege	2316	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2292	msiexec.exe
2292	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	Process	procid_target
PID 2316 wrote to memory of 2476	2316	msiexec.exe	35
PID 2316 wrote to memory of 2476	2316	msiexec.exe	35
PID 2316 wrote to memory of 2476	2316	msiexec.exe	35
PID 2316 wrote to memory of 2476	2316	msiexec.exe	35
PID 2316 wrote to memory of 2476	2316	msiexec.exe	35
PID 2476 wrote to memory of 1200	2476	MsiExec.exe	36
PID 2476 wrote to memory of 1200	2476	MsiExec.exe	36
PID 2476 wrote to memory of 1200	2476	MsiExec.exe	36
PID 2476 wrote to memory of 1200	2476	MsiExec.exe	36
PID 2476 wrote to memory of 2352	2476	MsiExec.exe	38
PID 2476 wrote to memory of 2352	2476	MsiExec.exe	38
PID 2476 wrote to memory of 2352	2476	MsiExec.exe	38
PID 2476 wrote to memory of 2352	2476	MsiExec.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2292

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 86FCAAB220DB81B154A3382EC933F542 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe
    "C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe" x "C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc" -o"C:\Program Files\ImproveDefenderResilient\" -pBWkOspNCEXRAXyVSBPgs -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe
    "C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe" -number 264 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2352
- - C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe
    "C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe"
    3⤵
    - Executes dropped EXE
    PID:2688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C8" "00000000000003D4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d8f3.rbs

Filesize
7KB

MD5
6e5768d8dbbef00f08b9689d72ef9996

SHA1
7144cb8aaaa4b313536c82592acd47771840a81a

SHA256
082be9027b949d819c92b707bcf1718c828287eeba6275e606964d39efe29ad6

SHA512
292f15efebed6d5cd08c39a1fc553f3486833c5bc45bebeb8478485428bad578e6ad783895ca688f17211a713783f4a5f9b5bf36e53bae81b3073dcc0724f312

Download Submit
C:\Program Files\ImproveDefenderResilient\ChromeSetup(1).exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\ImproveDefenderResilient\OoRjJglzLJCL.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\ImproveDefenderResilient\jXdmemDIXVZlyRJvLnMc

Filesize
1.1MB

MD5
04b529a6aef5e7c2a1f79a04b81be20f

SHA1
ee6a4c1f35ae62a42c0a4378362878769cd3aec1

SHA256
c7101b019dc7625c4036420b8c9f90ad4c6e7e57d847b1c60c6270cc67cf8aca

SHA512
328ed4939b78630cec8aa7ff3fc0af48ae4b1592241265d8f3d60d2945772686b1a1eb40b1ace635dad911482a12a985432793cf48ca9d637558982c53a11f81

Download Submit
C:\Program Files\ImproveDefenderResilient\lTRNmTKwQzfm.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\ImproveDefenderResilient\ojZEoSUznz17.exe

Filesize
2.4MB

MD5
f85f44f7f01ac7dfe2d379dad4386920

SHA1
2d1fefb3ac611e97845659085aaccf10b74815a1

SHA256
e2dde008486ee007b634bb8012ae1fc11f79ee4a2ce6e4d5337074cfb2582e73

SHA512
56d060093e92a6663b4c17a39c209009439d09b119856890ed9200cac51a3d2c7f726b681964cce83e0daf77a177db62fa5cf5ddb639fbe25c4be5c6fa5cc7a1

Download Submit
C:\Windows\Installer\f76d8f1.msi

Filesize
28.7MB

MD5
bffddb889b7089cc6af3b9d9efb3c89d

SHA1
977fc679569271849068e704a53c57b09009f414

SHA256
94200b3b4792c019ebe7bcfd16573fdedf385369e41309d82958568078e90c43

SHA512
0c3d0db3b8d0c5a071cc3a140695d8ea1b1600c36add6a4c36e24effd9d4dc579ce6953386cc624406c8fb9d6ba436b7082a5e675799d3f860fd0df6a5946e93

Download Submit
memory/2476-12-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download