Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 03:15
Static task: static1
Behavioral task: behavioral1
Sample: chrome win10-11_130.0.6723.59_17292.msi
Resource: win7-20241010-en

General
Target: chrome win10-11_130.0.6723.59_17292.msi
Size: 7.1MB
MD5: 20715b6531d214951d6f69d1af3f1bb7
SHA1: 74bf2f89b4c2d3e04b4b0bd670e4dc5f3d469797
SHA256: 42d7eb85643aa96fa9e3ef0754a5efa02a85b9bbd001fb35c1628b8b1e5bf68f
SHA512: 214842d61c6a987af9ae080d226c518b3ce25fd6c74e24506a64e109d74faf78e81bed33f1ba6ad4cfbffa5fc9dceaec9555b261b3399adaa28285bb3d4892dd
SSDEEP: 196608:Dgtlisd20g9l31nJaTmbcRk2HAgXXe6Vt7alk:Dg6r7lnMTmb7gXeSt7l
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoCs)
Processes: powershell.exe
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (13 IoCs)
Processes: msiexec.exe, gkuiNiWmSboS.exe, CAzqDxoFMxlZ.exe
description | ioc | Process
File created | C:\Program Files\TrainCourageousExaminer\ChromeSetup2.exe | msiexec.exe
File created | C:\Program Files\TrainCourageousExaminer\common_clang32.dll | msiexec.exe
File created | C:\Program Files\TrainCourageousExaminer\gkuiNiWmSboS.exe | msiexec.exe
File created | C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ | gkuiNiWmSboS.exe
File created | C:\Program Files\TrainCourageousExaminer\ktVKycpUOhHa.xml | gkuiNiWmSboS.exe
File opened for modification | C:\Program Files\TrainCourageousExaminer\ktVKycpUOhHa.xml | gkuiNiWmSboS.exe
File created | C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ.exe | gkuiNiWmSboS.exe
File opened for modification | C:\Program Files\TrainCourageousExaminer\ktVKycpUOhHa.exe | gkuiNiWmSboS.exe
File opened for modification | C:\Program Files\TrainCourageousExaminer | CAzqDxoFMxlZ.exe
File created | C:\Program Files\TrainCourageousExaminer\EUHjpVDwBQiotUCpbKOm | msiexec.exe
File opened for modification | C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ | gkuiNiWmSboS.exe
File opened for modification | C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ.exe | gkuiNiWmSboS.exe
File created | C:\Program Files\TrainCourageousExaminer\ktVKycpUOhHa.exe | gkuiNiWmSboS.exe
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe, DrvInst.exe
description | ioc | Process
File created | C:\Windows\Installer\f76d875.ipi | msiexec.exe
File created | C:\Windows\Installer\f76d877.msi | msiexec.exe
File created | C:\Windows\Installer\f76d874.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFDC0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\f76d875.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76d874.msi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
Executes dropped EXE (3 IoCs)
Processes: gkuiNiWmSboS.exe, CAzqDxoFMxlZ.exe, ChromeSetup2.exe
pid | Process
2500 | gkuiNiWmSboS.exe
2348 | CAzqDxoFMxlZ.exe
1732 | ChromeSetup2.exe
Loads dropped DLL (6 IoCs)
Processes: CAzqDxoFMxlZ.exe
pid | Process
2348 | CAzqDxoFMxlZ.exe
2348 | CAzqDxoFMxlZ.exe
2348 | CAzqDxoFMxlZ.exe
2348 | CAzqDxoFMxlZ.exe
2348 | CAzqDxoFMxlZ.exe
2348 | CAzqDxoFMxlZ.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: gkuiNiWmSboS.exe, CAzqDxoFMxlZ.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gkuiNiWmSboS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CAzqDxoFMxlZ.exe
Modifies data under HKEY_USERS (48 IoCs)
Modifies registry class (22 IoCs)
Processes: msiexec.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\ProductName = "TrainCourageousExaminer" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\Assignment = "1" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1BC1121C585B3B4E821D2C30C562C2D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F1BC1121C585B3B4E821D2C30C562C2D\ProductFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\Version = "117571590" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\PackageName = "chrome win10-11_130.0.6723.59_17292.msi" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3D898BC2FD40DF046A06A7B4B207895D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3D898BC2FD40DF046A06A7B4B207895D\F1BC1121C585B3B4E821D2C30C562C2D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\PackageCode = "2657B07BBB60099449AFBFDF9689A7AA" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F1BC1121C585B3B4E821D2C30C562C2D\AdvertiseFlags = "388" | msiexec.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: msiexec.exe, powershell.exe, CAzqDxoFMxlZ.exe
pid | Process
2300 | msiexec.exe
2300 | msiexec.exe
1492 | powershell.exe
2348 | CAzqDxoFMxlZ.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe
pid | Process
2316 | msiexec.exe
2316 | msiexec.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: vssvc.exe, msiexec.exe, MsiExec.exe
description | pid | Process | procid_target
PID 2064 wrote to memory of 2140 | 2064 | vssvc.exe | 34
PID 2064 wrote to memory of 2140 | 2064 | vssvc.exe | 34
PID 2064 wrote to memory of 2140 | 2064 | vssvc.exe | 34
PID 2300 wrote to memory of 1724 | 2300 | msiexec.exe | 37
PID 2300 wrote to memory of 1724 | 2300 | msiexec.exe | 37
PID 2300 wrote to memory of 1724 | 2300 | msiexec.exe | 37
PID 2300 wrote to memory of 1724 | 2300 | msiexec.exe | 37
PID 2300 wrote to memory of 1724 | 2300 | msiexec.exe | 37
PID 1724 wrote to memory of 1492 | 1724 | MsiExec.exe | 39
PID 1724 wrote to memory of 1492 | 1724 | MsiExec.exe | 39
PID 1724 wrote to memory of 1492 | 1724 | MsiExec.exe | 39
PID 1724 wrote to memory of 2500 | 1724 | MsiExec.exe | 41
PID 1724 wrote to memory of 2500 | 1724 | MsiExec.exe | 41
PID 1724 wrote to memory of 2500 | 1724 | MsiExec.exe | 41
PID 1724 wrote to memory of 2500 | 1724 | MsiExec.exe | 41
PID 1724 wrote to memory of 2348 | 1724 | MsiExec.exe | 43
PID 1724 wrote to memory of 2348 | 1724 | MsiExec.exe | 43
PID 1724 wrote to memory of 2348 | 1724 | MsiExec.exe | 43
PID 1724 wrote to memory of 2348 | 1724 | MsiExec.exe | 43
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indentation shows parent/child depth in the process tree)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\chrome win10-11_130.0.6723.59_17292.msi"
  PID: 2316
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2300
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe
      Command line: C:\Windows\system32\MsiExec.exe -Embedding E9D053DBA4715149188CC0F391C17649 M Global\MSI0000
      PID: 1724
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TrainCourageousExaminer'
          PID: 1492
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\TrainCourageousExaminer\gkuiNiWmSboS.exe
          Command line: "C:\Program Files\TrainCourageousExaminer\gkuiNiWmSboS.exe" x "C:\Program Files\TrainCourageousExaminer\EUHjpVDwBQiotUCpbKOm" -o"C:\Program Files\TrainCourageousExaminer\" -pqGpRXWYVOMAlOvsWPWqo -y
          PID: 2500
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ.exe
          Command line: "C:\Program Files\TrainCourageousExaminer\CAzqDxoFMxlZ.exe" -number 228 -file file3 -mode mode3 -flag flag3
          PID: 2348
          - Drops file in Program Files directory
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\TrainCourageousExaminer\ChromeSetup2.exe
          Command line: "C:\Program Files\TrainCourageousExaminer\ChromeSetup2.exe"
          PID: 1732
          - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2064
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2064 -s 552
      PID: 2140

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2980
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000005B4"
  PID: 2312
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Downloads