Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22-10-2024 07:27
Static task: static1
Behavioral task: behavioral1
Sample: Chrmroe-intraller.msi
Resource: win7-20240903-en
General
Target: Chrmroe-intraller.msi
Size: 43.5MB
MD5: 113a2eab7ccf51501146194bbaadb175
SHA1: de00c7a8ff5b49adec8bc44eba7f6332446f0e8f
SHA256: 4cab134dbaf1059613f44da615292af5713a0aa3a0185abda0cf1ebf8a7dc9a4
SHA512: ce681034d9c3cad7367fa2a541401036651ce79385524b10f8ea0287c6c6e1bd307c82d339056d6f2e2fd48cbdd05e80650c1b5acb62b55772b4157d3ef9c13e
SSDEEP: 786432:KPmAYqjq7J2mESTU1A2SBaUCAkEPstiz7Ngv9iJ67P3+OBrIU7:d4m5U1A2SMUxstiz7NGYJ673z9
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoCs)
Processes:
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Drops file in Program Files directory (15 IoCs)
Processes:
- File created: C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq (JkRyrlfVyEOH.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe (JkRyrlfVyEOH.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe (JkRyrlfVyEOH.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe (JkRyrlfVyEOH.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.exe (JkRyrlfVyEOH.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker (qMdeNKsXYpNq.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe (msiexec.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF (msiexec.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.xml (JkRyrlfVyEOH.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\svml_dispmd2.dll (msiexec.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\UE4PrereqSetup_x64.exe (msiexec.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq (JkRyrlfVyEOH.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker\vKtMPwVbdMUU.xml (JkRyrlfVyEOH.exe)
- File created: C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe (JkRyrlfVyEOH.exe)
- File opened for modification: C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe (JkRyrlfVyEOH.exe)
Drops file in Windows directory (10 IoCs)
Processes:
- File opened for modification: C:\Windows\Installer\f77034b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f77034c.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created: C:\Windows\Installer\f77034c.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI483.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f77034e.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File created: C:\Windows\Installer\f77034b.msi (msiexec.exe)
Executes dropped EXE (3 IoCs)
Processes:
- PID 548 JkRyrlfVyEOH.exe
- PID 2844 qMdeNKsXYpNq.exe
- PID 2784 ChromeSetup.exe
Loads dropped DLL (8 IoCs)
Processes:
- PID 2844 qMdeNKsXYpNq.exe (all 8 entries are DLL loads by this one process)
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JkRyrlfVyEOH.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qMdeNKsXYpNq.exe)
Modifies data under HKEY_USERS (48 IoCs)
Modifies registry class (22 IoCs)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- PID 2960 msiexec.exe (2 entries)
- PID 1952 powershell.exe
- PID 2844 qMdeNKsXYpNq.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 2380 msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
- PID 2960 wrote to memory of 2600 (msiexec.exe, procid_target 35): 5 entries
- PID 2600 wrote to memory of 1952 (MsiExec.exe, procid_target 37): 3 entries
- PID 2600 wrote to memory of 548 (MsiExec.exe, procid_target 39): 4 entries
- PID 2600 wrote to memory of 2844 (MsiExec.exe, procid_target 41): 4 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 2380)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chrmroe-intraller.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 2960)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\MsiExec.exe (PID 2600)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 33DB7DE124F3D4DC27A157C75271B729 M Global\MSI0000
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1952)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UtilizeDynamicWorker'
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe (PID 548)
      Command line: "C:\Program Files\UtilizeDynamicWorker\JkRyrlfVyEOH.exe" x "C:\Program Files\UtilizeDynamicWorker\ZcOUMgAKFaEfsJXTUJeF" -o"C:\Program Files\UtilizeDynamicWorker\" -psiCMjwFfLqezcQPgBfEe -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe (PID 2844)
      Command line: "C:\Program Files\UtilizeDynamicWorker\qMdeNKsXYpNq.exe" -number 276 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe (PID 2784)
      Command line: "C:\Program Files\UtilizeDynamicWorker\ChromeSetup.exe"
      - Executes dropped EXE
C:\Windows\system32\vssvc.exe (PID 2524)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DrvInst.exe (PID 2872)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000038C" "00000000000003B8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads