Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 28-10-2024 08:45

Static task: static1

Behavioral task: behavioral1
- Sample: Chromestup翻译插件.msi
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: Chromestup翻译插件.msi
- Resource: win10v2004-20241007-en
General
- Target: Chromestup翻译插件.msi
- Size: 2.6MB
- MD5: 75a1688aca4c2641659f060d86f6b612
- SHA1: a1740d536b654d4a381c9089ce51dd2026efa819
- SHA256: e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9
- SHA512: ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c
- SSDEEP: 49152:0FvHELEfBtQTIoWd4rUXs6kA+h5N3IaaLoWNAxOiZowguCIFVx0K5xU:0FveQQE5SBGkpIaavAQag67x0K5xU
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1532 | powershell.exe
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Drops file in Program Files directory (13 IoCs)
  description | ioc | Process
  File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ | MvUlJzZBELPG.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe | MvUlJzZBELPG.exe
  File opened for modification | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe | MvUlJzZBELPG.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD | msiexec.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\igc964.dll | msiexec.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe | msiexec.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\valibclang2d.dll | msiexec.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml | MvUlJzZBELPG.exe
  File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml | MvUlJzZBELPG.exe
  File opened for modification | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ | MvUlJzZBELPG.exe
  File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe | MvUlJzZBELPG.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe | MvUlJzZBELPG.exe
  File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs | qDrRguPncUTJ.exe
- Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\Installer\MSIB1A3.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\f76b02e.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
  File created | C:\Windows\Installer\f76b02d.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f76b02d.msi | msiexec.exe
  File created | C:\Windows\Installer\f76b02e.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\f76b030.msi | msiexec.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1952 | MvUlJzZBELPG.exe
  2244 | qDrRguPncUTJ.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid | Process
  2892 | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MvUlJzZBELPG.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qDrRguPncUTJ.exe
- Modifies data under HKEY_USERS (52 IoCs)
- Modifies registry class (22 IoCs)
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  pid | Process
  1952 | MvUlJzZBELPG.exe
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid | Process
  2728 | msiexec.exe
  1532 | powershell.exe
  2244 | qDrRguPncUTJ.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid Process | Token
  2892 msiexec.exe | SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2728 msiexec.exe | SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege
  2808 vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2312 DrvInst.exe | SeRestorePrivilege, SeLoadDriverPrivilege
  1532 powershell.exe | SeDebugPrivilege
  1952 MvUlJzZBELPG.exe | SeRestorePrivilege, 35, SeSecurityPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  2892 | msiexec.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2728 wrote to memory of 332 | 2728 | msiexec.exe | 34
  PID 332 wrote to memory of 1532 | 332 | MsiExec.exe | 36
  PID 332 wrote to memory of 2400 | 332 | MsiExec.exe | 38
  PID 2400 wrote to memory of 1952 | 2400 | cmd.exe | 40
  PID 332 wrote to memory of 2244 | 332 | MsiExec.exe | 43
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
  PID: 2892
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2728
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 15D7BBA405154D89B793C242F8DCAD18 M Global\MSI0000
    PID: 332
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SupportInspiringAnalyzer'
      PID: 1532
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
      PID: 2400
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe
        Command line: "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
        PID: 1952
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe
      Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 148 -file file3 -mode mode3 -flag flag3
      PID: 2244
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2808
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003CC" "00000000000003C4"
  PID: 2312
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads