Analysis

  • max time kernel
    144s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-11-2024 05:55

General

  • Target

    0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi

  • Size

    44.6MB

  • MD5

    a4d9f86c09bef236ea991b8801af8ebf

  • SHA1

    dd7f0c051958471cd01005544f43a61323e7f108

  • SHA256

    0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5

  • SHA512

    75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56

  • SSDEEP

    786432:ozXyL7usprI6tyioiFbiOHwWNHwKlyU0yBtmFFfNGdzRAK1uJMXGkd9hCvytof/H:Ki2sUUWOHwWnv0yTmFdNG4KxxCKWX33

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 7 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2124
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding A73CE193CF33C9120F535CD0860ED9B6 M Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1028
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:680
        • C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
          "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:776
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2804
        • C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
          "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2016
      • C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
        "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2444
      • C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
        "C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp" /SL5="$C01AE,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
          4⤵
          • Drops file in System32 directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:408
          • C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
            "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
            5⤵
            • Drops file in System32 directory
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:2216
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2396
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000005E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:3056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f76c209.rbs

    Filesize

    7KB


  • C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe

    Filesize

    2.1MB


  • C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ

    Filesize

    1.5MB


  • C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe

    Filesize

    577KB


  • C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci

    Filesize

    1.5MB


  • C:\Program Files\UpgradeValiantSupervisor\tsetup.exe

    Filesize

    43.1MB


  • C:\Users\Admin\AppData\Local\Temp\Cab365E.tmp

    Filesize

    29KB


  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Telegram Desktop\Telegram.lnk

    Filesize

    1KB


  • C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

    Filesize

    4.7MB


  • C:\Windows\Installer\f76c207.msi

    Filesize

    44.6MB


  • C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini

    Filesize

    282B


  • \Users\Admin\AppData\Local\Temp\is-19OF9.tmp\tsetup.tmp

    Filesize

    3.0MB


  • memory/408-126-0x0000000000400000-0x0000000000710000-memory.dmp (Filesize 3.1MB)
  • memory/408-68-0x0000000000400000-0x0000000000710000-memory.dmp (Filesize 3.1MB)
  • memory/1028-18-0x0000000001D70000-0x0000000001D78000-memory.dmp (Filesize 32KB)
  • memory/1028-17-0x000000001B6B0000-0x000000001B992000-memory.dmp (Filesize 2.9MB)
  • memory/2216-144-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-197-0x0000000000130000-0x000000000013A000-memory.dmp (Filesize 40KB)
  • memory/2216-120-0x0000000000130000-0x000000000013A000-memory.dmp (Filesize 40KB)
  • memory/2216-119-0x0000000000130000-0x000000000013A000-memory.dmp (Filesize 40KB)
  • memory/2216-210-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-206-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-139-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-138-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-207-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-143-0x00000000024B0000-0x00000000024BA000-memory.dmp (Filesize 40KB)
  • memory/2216-198-0x0000000000130000-0x000000000013A000-memory.dmp (Filesize 40KB)
  • memory/2300-127-0x0000000000400000-0x00000000004D4000-memory.dmp (Filesize 848KB)
  • memory/2300-44-0x0000000000400000-0x00000000004D4000-memory.dmp (Filesize 848KB)
  • memory/2300-67-0x0000000000400000-0x00000000004D4000-memory.dmp (Filesize 848KB)
  • memory/2340-12-0x0000000000200000-0x0000000000210000-memory.dmp (Filesize 64KB)
  • memory/2444-63-0x000000000A7C0000-0x000000000A7EF000-memory.dmp (Filesize 188KB)