2bd63252d1eeec4888e0674d52d5dfa80bd69d8accd64f7fb1ea6bdcbe9d4a61

Analysis

max time kernel
139s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yuanchangkuirr-intrallar.msi
Size

72.3MB
MD5

31e8ef3c0591e3ce82cb1c43fb6459c2
SHA1

2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9
SHA256

9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8
SHA512

c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994
SSDEEP

1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7

Score

8^/10

discovery execution persistence privilege_escalation upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
628	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-49-0x000000013F220000-0x0000000140220000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\common_clang32.dll	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer	fUsKbQztGnwa.exe
File created	C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76ce09.msi	msiexec.exe
File created	C:\Windows\Installer\f76ce0a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76ce0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ce0a.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76ce09.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICED3.tmp	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
296	KXwXckjFEiVp.exe
1840	fUsKbQztGnwa.exe
1740	SunloginClient15544x64.exe
304	SunloginClient15544x64.exe

Loads dropped DLL 3 IoCs

pid	Process
1568	MsiExec.exe
1840	fUsKbQztGnwa.exe
1840	fUsKbQztGnwa.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1968	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXwXckjFEiVp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	SunloginClient15544x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\System	SunloginClient15544x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties	SunloginClient15544x64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = e0053d4ee490ef118001444553540000	SunloginClient15544x64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0b8730af124db01	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Version = "67567622"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductName = "AnalyzeGentleExplorer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\PackageCode = "16365A16AE1FE094B86DB5BC2E221855"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\PackageName = "yuanchangkuirr-intrallar.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1600	msiexec.exe
1600	msiexec.exe
628	powershell.exe
1840	fUsKbQztGnwa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1968	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeSecurityPrivilege	1600	msiexec.exe
Token: SeCreateTokenPrivilege	1968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1968	msiexec.exe
Token: SeLockMemoryPrivilege	1968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1968	msiexec.exe
Token: SeMachineAccountPrivilege	1968	msiexec.exe
Token: SeTcbPrivilege	1968	msiexec.exe
Token: SeSecurityPrivilege	1968	msiexec.exe
Token: SeTakeOwnershipPrivilege	1968	msiexec.exe
Token: SeLoadDriverPrivilege	1968	msiexec.exe
Token: SeSystemProfilePrivilege	1968	msiexec.exe
Token: SeSystemtimePrivilege	1968	msiexec.exe
Token: SeProfSingleProcessPrivilege	1968	msiexec.exe
Token: SeIncBasePriorityPrivilege	1968	msiexec.exe
Token: SeCreatePagefilePrivilege	1968	msiexec.exe
Token: SeCreatePermanentPrivilege	1968	msiexec.exe
Token: SeBackupPrivilege	1968	msiexec.exe
Token: SeRestorePrivilege	1968	msiexec.exe
Token: SeShutdownPrivilege	1968	msiexec.exe
Token: SeDebugPrivilege	1968	msiexec.exe
Token: SeAuditPrivilege	1968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1968	msiexec.exe
Token: SeChangeNotifyPrivilege	1968	msiexec.exe
Token: SeRemoteShutdownPrivilege	1968	msiexec.exe
Token: SeUndockPrivilege	1968	msiexec.exe
Token: SeSyncAgentPrivilege	1968	msiexec.exe
Token: SeEnableDelegationPrivilege	1968	msiexec.exe
Token: SeManageVolumePrivilege	1968	msiexec.exe
Token: SeImpersonatePrivilege	1968	msiexec.exe
Token: SeCreateGlobalPrivilege	1968	msiexec.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeLoadDriverPrivilege	2852	DrvInst.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeRestorePrivilege	296	KXwXckjFEiVp.exe
Token: 35	296	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	296	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	296	KXwXckjFEiVp.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1968	msiexec.exe
1968	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
304	SunloginClient15544x64.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1568	1600	msiexec.exe	35
PID 1600 wrote to memory of 1568	1600	msiexec.exe	35
PID 1600 wrote to memory of 1568	1600	msiexec.exe	35
PID 1600 wrote to memory of 1568	1600	msiexec.exe	35
PID 1600 wrote to memory of 1568	1600	msiexec.exe	35
PID 1568 wrote to memory of 628	1568	MsiExec.exe	37
PID 1568 wrote to memory of 628	1568	MsiExec.exe	37
PID 1568 wrote to memory of 628	1568	MsiExec.exe	37
PID 1568 wrote to memory of 296	1568	MsiExec.exe	39
PID 1568 wrote to memory of 296	1568	MsiExec.exe	39
PID 1568 wrote to memory of 296	1568	MsiExec.exe	39
PID 1568 wrote to memory of 296	1568	MsiExec.exe	39
PID 1568 wrote to memory of 1840	1568	MsiExec.exe	41
PID 1568 wrote to memory of 1840	1568	MsiExec.exe	41
PID 1568 wrote to memory of 1840	1568	MsiExec.exe	41
PID 1568 wrote to memory of 1840	1568	MsiExec.exe	41
PID 1568 wrote to memory of 1740	1568	MsiExec.exe	42
PID 1568 wrote to memory of 1740	1568	MsiExec.exe	42
PID 1568 wrote to memory of 1740	1568	MsiExec.exe	42
PID 1740 wrote to memory of 304	1740	SunloginClient15544x64.exe	43
PID 1740 wrote to memory of 304	1740	SunloginClient15544x64.exe	43
PID 1740 wrote to memory of 304	1740	SunloginClient15544x64.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding C129DDDC29174EC2DBA0C75F15D4FCA8 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe
    "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1840
- - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
    "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
      "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000004A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ce0b.rbs

Filesize
7KB

MD5
bca3c7985d839da0101c3fc358f73a18

SHA1
214fbc2501dd7737f21505ab812600691bd9c249

SHA256
3484573c02b0c9449b6bbecc64ad5ed33c8bc83c0f16eeddca94a778dd0a7442

SHA512
2ae65710b9afbfdce07f3fdd0cea49fd5381e26a8ab19eab2069c733906b034694eedd38c7e58d20ac3522d4172778c3a6566f3408c15603e21685cd9f1943c1

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe

Filesize
2.9MB

MD5
a2e29c5a531ca5fdf5d4c7e75ba2748c

SHA1
1709ea8be99923c6ee4eb369e3971e3522d67f36

SHA256
ef86954f2831682faf3655901cf82afe0d7d6fc62e8335a2f508af5d03f03d5c

SHA512
e4fee7e410f8f199aa79f014290c0312d720fdb92a6efc48db5badea4fa4610bf344f23d3b7516b2a0e181aa8b27b00e446665a83de4b2d0acfa2e664df64434

Download Submit
C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO

Filesize
2.1MB

MD5
5aba1a676ca0de4994c623060e05f946

SHA1
e792c676bdbecd6baf1516fd3adbba06764aec98

SHA256
0a9d3dee1cf01c5f909c19e2821975397106b70581bc32c845ae9ef584bd1c32

SHA512
55bc57941e1f76844881eecd56f65b35c2f7eff614a02a47a0f6b5ab41d2a4512b9b970fd658652b8fc56a07a78b46ce2c246798d82f5d256a80f5025ac5d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
310B

MD5
c256dc950a96c711ae515ce274a3c38a

SHA1
e2a639888d3faf686be8ac6f811f76e6915228eb

SHA256
930ed7283301dcbaac640c35c47f6febea808e64b6e5bd2f51863551aed2011f

SHA512
24d8f26d83c410182fd6787806d01bcf0742748d00b793d27c55e5795a50d862275e9fa3dd8004935bc7427f1d0946949194c9ee2d8cd8e04e041a4db2051a67

Download Submit
memory/628-17-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/628-18-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1568-12-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1740-49-0x000000013F220000-0x0000000140220000-memory.dmp

Filesize
16.0MB

Download
memory/1840-50-0x00000000009C0000-0x00000000009EC000-memory.dmp

Filesize
176KB

Download