Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-11-2024 05:55
Static task: static1

Behavioral task: behavioral1
- Sample: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
- Resource: win10v2004-20241007-en
General

- Target: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
- Size: 44.6MB
- MD5: a4d9f86c09bef236ea991b8801af8ebf
- SHA1: dd7f0c051958471cd01005544f43a61323e7f108
- SHA256: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
- SHA512: 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56
- SSDEEP: 786432:ozXyL7usprI6tyioiFbiOHwWNHwKlyU0yBtmFFfNGdzRAK1uJMXGkd9hCvytof/H:Ki2sUUWOHwWnv0yTmFdNG4KxxCKWX33
Malware Config

Signatures

  resource | yara_rule
  behavioral2/memory/1728-112-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1728-114-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1728-115-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1728-116-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1728-236-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1728-238-0x000000002BD40000-0x000000002BEFC000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (6 IoCs)
  resource | yara_rule
  behavioral2/memory/1728-112-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat
  behavioral2/memory/1728-114-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat
  behavioral2/memory/1728-115-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat
  behavioral2/memory/1728-116-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat
  behavioral2/memory/1728-236-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat
  behavioral2/memory/1728-238-0x000000002BD40000-0x000000002BEFC000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  1812 | powershell.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A:, \??\P:, \??\L:, \??\M:, \??\R:, \??\V:, \??\T:, \??\U:, \??\S:, \??\Z:, \??\M:, \??\P:, \??\Q:, \??\E:, \??\G:, \??\K:, \??\O:, \??\J:, \??\N:, \??\W:, \??\I:, \??\B:, \??\X:, \??\W:, \??\G:, \??\L:, \??\B:, \??\Q:, \??\A:, \??\H:, \??\Y:, \??\O:, \??\R:, \??\Y:, \??\N:, \??\T:, \??\U:, \??\K:, \??\X:, \??\J:, \??\E:, \??\S:, \??\Z:, \??\H: (44 entries, in report order) | msiexec.exe
  File opened (read-only) | \??\Q:, \??\S:, \??\V:, \??\T:, \??\K:, \??\M:, \??\P:, \??\J:, \??\U:, \??\L:, \??\I:, \??\O:, \??\X:, \??\W:, \??\G:, \??\N:, \??\E:, \??\B:, \??\R:, \??\Y: (20 entries, in report order) | ZhObbZwOavDN.exe
Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log | QtrVrzdIjlZB.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Saved Games | tsetup.tmp
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | Telegram.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Telegram.exe
Drops file in Program Files directory (21 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | ZhObbZwOavDN.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor | ZhObbZwOavDN.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ | msiexec.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | MsiExec.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll | msiexec.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | MsiExec.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\tsetup.exe | msiexec.exe
  File created | C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe | msiexec.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
Drops file in Windows directory (8 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSIA519.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57a3a4.msi | msiexec.exe
  File created | C:\Windows\Installer\e57a3a2.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57a3a2.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{9EACC170-77C4-49C0-82B8-0229967CDE70} | msiexec.exe
Executes dropped EXE (11 IoCs)
  pid | Process
  3412 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  3128 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  3348 | ZhObbZwOavDN.exe
  2296 | tsetup.exe
  3516 | QtrVrzdIjlZB.exe
  4580 | tsetup.tmp
  3468 | QtrVrzdIjlZB.exe
  3700 | QtrVrzdIjlZB.exe
  556 | ZhObbZwOavDN.exe
  1728 | ZhObbZwOavDN.exe
  1560 | Telegram.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  1560 | Telegram.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid | Process
  2276 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsetup.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsetup.tmp
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1980 | cmd.exe
  2240 | PING.EXE
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ZhObbZwOavDN.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ZhObbZwOavDN.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Telegram.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Telegram.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Telegram.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | Telegram.exe
Modifies data under HKEY_USERS (64 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager | tsetup.tmp
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\ = "URL:Telegram Link" | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | Telegram.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\EstimatedSize = "163980" | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\URL Protocol | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | Telegram.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Telegram.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tg\shell\open | Telegram.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\shell | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities\ApplicationDescription = "Telegram Desktop" | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\RegisteredApplications\Telegram Desktop = "SOFTWARE\\TelegramDesktop\\Capabilities" | Telegram.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" | tsetup.tmp
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = a80e2ef987a029d792bf182414d851905c3dcd5707d47dbe0e20a639e16318ae | tsetup.tmp
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\DisplayIcon = "C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe" | tsetup.tmp
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\MinorVersion = "2" | tsetup.tmp
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMinor = "2" | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\tdesktop.tg\DefaultIcon | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop\Capabilities | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\NoRepair = "1" | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: User = "SYSTEM" | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\TelegramDesktop | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | Telegram.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\VersionMajor = "5" | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall\{53F49750-6209-4FBF-9CA8-7A333C87D1ED}_is1\Inno Setup: Deselected Tasks | tsetup.tmp
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | Telegram.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | WScript.exe
Modifies registry class (22 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AC14C41ED6CF2947B4F7ADE34E99984\071CCAE94C770C94288B209269C7ED07 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\ProductName = "UpgradeValiantSupervisor" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\PackageCode = "B2FCB3C3AE4D29B4F88C48506EB40769" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\InstanceType = "0" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Clients = 3a0000000000 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\DeploymentFlags = "3" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media\1 = ";" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\PackageName = "0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Net | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\Media | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\071CCAE94C770C94288B209269C7ED07\ProductFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\Version = "34078724" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\071CCAE94C770C94288B209269C7ED07\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  2240 | PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  1560 | Telegram.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | entries
  1492 | msiexec.exe | 2
  1812 | powershell.exe | 3
  3348 | ZhObbZwOavDN.exe | 59
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 2276 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2276 | msiexec.exe
  Token: SeSecurityPrivilege | 1492 | msiexec.exe
  Token: SeCreateTokenPrivilege | 2276 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 2276 | msiexec.exe
  Token: SeLockMemoryPrivilege | 2276 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 2276 | msiexec.exe
  Token: SeMachineAccountPrivilege | 2276 | msiexec.exe
  Token: SeTcbPrivilege | 2276 | msiexec.exe
  Token: SeSecurityPrivilege | 2276 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 2276 | msiexec.exe
  Token: SeLoadDriverPrivilege | 2276 | msiexec.exe
  Token: SeSystemProfilePrivilege | 2276 | msiexec.exe
  Token: SeSystemtimePrivilege | 2276 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 2276 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 2276 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 2276 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 2276 | msiexec.exe
  Token: SeBackupPrivilege | 2276 | msiexec.exe
  Token: SeRestorePrivilege | 2276 | msiexec.exe
  Token: SeShutdownPrivilege | 2276 | msiexec.exe
  Token: SeDebugPrivilege | 2276 | msiexec.exe
  Token: SeAuditPrivilege | 2276 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 2276 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 2276 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 2276 | msiexec.exe
  Token: SeUndockPrivilege | 2276 | msiexec.exe
  Token: SeSyncAgentPrivilege | 2276 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 2276 | msiexec.exe
  Token: SeManageVolumePrivilege | 2276 | msiexec.exe
  Token: SeImpersonatePrivilege | 2276 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 2276 | msiexec.exe
  Token: SeBackupPrivilege | 4564 | vssvc.exe
  Token: SeRestorePrivilege | 4564 | vssvc.exe
  Token: SeAuditPrivilege | 4564 | vssvc.exe
  Token: SeBackupPrivilege | 1492 | msiexec.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1492 | msiexec.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1492 | msiexec.exe
  Token: SeBackupPrivilege | 1808 | srtasks.exe
  Token: SeRestorePrivilege | 1808 | srtasks.exe
  Token: SeSecurityPrivilege | 1808 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 1808 | srtasks.exe
  Token: SeDebugPrivilege | 1812 | powershell.exe
  Token: SeBackupPrivilege | 1808 | srtasks.exe
  Token: SeRestorePrivilege | 1808 | srtasks.exe
  Token: SeSecurityPrivilege | 1808 | srtasks.exe
  Token: SeTakeOwnershipPrivilege | 1808 | srtasks.exe
  Token: SeRestorePrivilege | 3412 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: 35 | 3412 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeSecurityPrivilege | 3412 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeSecurityPrivilege | 3412 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeRestorePrivilege | 3128 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: 35 | 3128 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeSecurityPrivilege | 3128 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeSecurityPrivilege | 3128 | YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1492 | msiexec.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1492 | msiexec.exe
  Token: SeRestorePrivilege | 1492 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1492 | msiexec.exe
Suspicious use of FindShellTrayWindow (7 IoCs)
  pid | Process
  2276 | msiexec.exe
  2276 | msiexec.exe
  4580 | tsetup.tmp
  1560 | Telegram.exe
  1560 | Telegram.exe
  1560 | Telegram.exe
  1560 | Telegram.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  pid | Process
  1560 | Telegram.exe
  1560 | Telegram.exe
  1560 | Telegram.exe
  1560 | Telegram.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1560 | Telegram.exe
  1560 | Telegram.exe
Suspicious use of WriteProcessMemory (33 IoCs)
  description | pid | Process | procid_target
  PID 1492 wrote to memory of 1808 | 1492 | msiexec.exe | 98
  PID 1492 wrote to memory of 1808 | 1492 | msiexec.exe | 98
  PID 1492 wrote to memory of 4664 | 1492 | msiexec.exe | 100
  PID 1492 wrote to memory of 4664 | 1492 | msiexec.exe | 100
  PID 4664 wrote to memory of 1812 | 4664 | MsiExec.exe | 101
  PID 4664 wrote to memory of 1812 | 4664 | MsiExec.exe | 101
  PID 4664 wrote to memory of 1980 | 4664 | MsiExec.exe | 103
  PID 4664 wrote to memory of 1980 | 4664 | MsiExec.exe | 103
  PID 1980 wrote to memory of 3412 | 1980 | cmd.exe | 105
  PID 1980 wrote to memory of 3412 | 1980 | cmd.exe | 105
  PID 1980 wrote to memory of 3412 | 1980 | cmd.exe | 105
  PID 1980 wrote to memory of 2240 | 1980 | cmd.exe | 106
  PID 1980 wrote to memory of 2240 | 1980 | cmd.exe | 106
  PID 1980 wrote to memory of 3128 | 1980 | cmd.exe | 108
  PID 1980 wrote to memory of 3128 | 1980 | cmd.exe | 108
  PID 1980 wrote to memory of 3128 | 1980 | cmd.exe | 108
  PID 4664 wrote to memory of 3348 | 4664 | MsiExec.exe | 110
  PID 4664 wrote to memory of 3348 | 4664 | MsiExec.exe | 110
  PID 4664 wrote to memory of 3348 | 4664 | MsiExec.exe | 110
  PID 4664 wrote to memory of 2296 | 4664 | MsiExec.exe | 112
  PID 4664 wrote to memory of 2296 | 4664 | MsiExec.exe | 112
  PID 4664 wrote to memory of 2296 | 4664 | MsiExec.exe | 112
  PID 2296 wrote to memory of 4580 | 2296 | tsetup.exe | 116
  PID 2296 wrote to memory of 4580 | 2296 | tsetup.exe | 116
  PID 2296 wrote to memory of 4580 | 2296 | tsetup.exe | 116
  PID 3700 wrote to memory of 556 | 3700 | QtrVrzdIjlZB.exe | 120
  PID 3700 wrote to memory of 556 | 3700 | QtrVrzdIjlZB.exe | 120
  PID 3700 wrote to memory of 556 | 3700 | QtrVrzdIjlZB.exe | 120
  PID 556 wrote to memory of 1728 | 556 | ZhObbZwOavDN.exe | 122
  PID 556 wrote to memory of 1728 | 556 | ZhObbZwOavDN.exe | 122
  PID 556 wrote to memory of 1728 | 556 | ZhObbZwOavDN.exe | 122
  PID 4580 wrote to memory of 1560 | 4580 | tsetup.tmp | 128
  PID 4580 wrote to memory of 1560 | 4580 | tsetup.tmp | 128
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 2276
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1492
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 1808
  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 9004D59FE2A96EDDF284D602CCDAAA5A E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 4664
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1812
    - C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1980
      - C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
        Command line: "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\XxMFzCVZZJpNZFlEMxgrehoQiPqhbQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"35009!&EFXcU7Bzs|Z&Q" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3412
      - C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2240
      - C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe
        Command line: "C:\Program Files\UpgradeValiantSupervisor\YpXQrlWUJEFwOxBWTXNvgrRAXMmTQw.exe" x "C:\Program Files\UpgradeValiantSupervisor\iRlgheBCPWUcwhQjzNGDiXyPXDubci" -x!1_ZhObbZwOavDN.exe -o"C:\Program Files\UpgradeValiantSupervisor\" -p"40889}.;o[;I83iQKVI5" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3128
    - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
      Command line: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 293 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 3348
    - C:\Program Files\UpgradeValiantSupervisor\tsetup.exe
      Command line: "C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2296
      - C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-14FMU.tmp\tsetup.tmp" /SL5="$9016A,44246395,814592,C:\Program Files\UpgradeValiantSupervisor\tsetup.exe"
        - Drops file in System32 directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 4580
        - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
          - Drops file in System32 directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Enumerates system info in registry
          - Modifies data under HKEY_USERS
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          PID: 1560
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 4564
- C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
  - Modifies data under HKEY_USERS
  PID: 1352
- C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
  Command line: "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID: 3516
- C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
  Command line: "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID: 3468
- C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
  Command line: "C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3700
  - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
    Command line: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 242 -file file3 -mode mode3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 556
    - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
      Command line: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      PID: 1728
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 8KB
  MD5: 89b009b713481257a55d1673cd52752e
  SHA1: e8f880240559adadd4a826a810e5fcc457ed3db1
  SHA256: f8b53df266bbd5f4fb81784598827f60b00a4a5998b32da9bc28d20ea5a4eb7e
  SHA512: cb10aa543ed66e942719e9db486927aef10675ab79fe5cde65078c67a2778cdd1f13e2e22072fef7bc327318799eb73e917259c3aa4bbb0807e59817cbef0ac2
- Filesize: 2.1MB
  MD5: 2a9aa3a122ff15917a565ba28e77c533
  SHA1: 698ba5909e1633fbd640e80c1804097a3d356628
  SHA256: 7dc4adf24defbc98d5bbaa7a89d30dc87dfc7a0eb8606acaf73fb845f272ccd9
  SHA512: a3f6d10bc6f5652699f080a35e3af8794b315c70eb307f52a0e869d3de3f0a6302f421ce10aba34ec9fb6d2dc5a6f2460b8c97c403e75692e73f18d4b9870263
- Filesize: 832KB
  MD5: d305d506c0095df8af223ac7d91ca327
  SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
  SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
- Filesize: 278B
  MD5: 9f8647fc4e7f1c51d363d79ee6436b3e
  SHA1: e86f865b34f86a6fd83fe8e0af374f7a0ae03285
  SHA256: feee34168222e1363e858104e98b40bb2eb80970ef285a47c001743db7b66eac
  SHA512: aabba360926fdb5215837d95694ca3c0d516c9fdbb4f7b6a098f2485006d3bcf450fd0c58648a64e877b031b38a0ca48219ec5be608d6fab993c058f68c2bc90
- Filesize: 504B
  MD5: 39cb6bb8702b3aa67cd488f9495dd641
  SHA1: 2ef89f56c9a1ac16ac1d6116a0dcb5232661969e
  SHA256: 1ec7a98489eabb15159a62af341fc6528de91711484de0313fd908039d5a8967
  SHA512: 3d2a4a6737d0a4349348bf53e3d116ef09f9764cce7eacf63942c849ab930ebd48484bead9a616a7faab05ae0b94848b04cd2e296e2f09841f82e8a1c9106b4b
- Filesize: 612B
  MD5: 6d5ffa724d7a510ab64b760e3ec9c19a
  SHA1: fcd204705358e0e17302569083b120d6d0d59c5b
  SHA256: d750bbbc03d4c407ca25622b84eee0961c8f5a7e94b6b975c8d7d170e90ad636
  SHA512: 23bc5dee5f0490871475c477af8c613daa694dc74e6f73361ab566321883b76f605b085efdbda20b83b32c598e7455129970970a1320b0b5670d4cc969dec8ae
- Filesize: 749B
  MD5: acba25681de8e28d318365192250a3f7
  SHA1: a1715c8689d52aabbcccc1ea208c9a29d5f1d3a2
  SHA256: 96ce2b09379c29edb5db2f060fec5c0fb5cfb9d5d18c339888530c895cf1f9f8
  SHA512: f5771b0d9e4abb797aec802a4fe46908d29a872eeff3a6017418fc5580d93c6d2aa00ca9b4a046c74fd0aad38d1f564a344b1719d7c883b9fdaa6763751e50c2
- Filesize: 434B
  MD5: 4ee2e5cfef0b61980880c759eebacd1c
  SHA1: d338d574e5178264ffbdb2020aa909e6cea10bf1
  SHA256: 2a42cb86659c84a47872b40b226db56f74d6de5c3f0e83369321a6a5e2f0c383
  SHA512: ed9b9c2fd43c42da14099a4c4e0cba8c92d6c525a67453ac9d6892b68386ec684f81edf68a61edfc8a94b46c3fae380afe863d545d1df52c2455e05cb985c3fa
- Filesize: 1.5MB
  MD5: 6101e66d187d929fc28c617b17d9e8ab
  SHA1: 0b8e6f9340cdefdd74221a9b0ad0e570e2a5af3d
  SHA256: b4ba63b8872d6a4dadecef5fed82bff1ef01db274388a99d5cf358512c3c3d75
  SHA512: f748b6a05f3b6fe7587218d26e969f67e4ef79313333137e77860b20e71f02fc1c8163ba62b682aadabd568a442e99ef36a75aa5e374e6ef845f7e101376cde3
- Filesize: 577KB
  MD5: c31c4b04558396c6fabab64dcf366534
  SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
  SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
  SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
- Filesize: 2KB
  MD5: 31cb7c228337b05b262877c9d1d31f40
  SHA1: c67ef4beb96061c1bdf53334e125dde65d079e2a
  SHA256: f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee
  SHA512: fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8
- Filesize: 1.5MB
  MD5: 5e0b75c71015883973f333fa502e8bf6
  SHA1: 77f442eeddd17e6815c7672c4db948cb62870dc1
  SHA256: be5db62a4a38dbd19c4a223a339692e8868a88a28f1b720585bc5bf6572ec0f6
  SHA512: 8a85dab48d4a35998bd60212d18e56144dab4e4cacb56d86c7a16702af347dd0477421f59e5ac3f1934ba97ce05589f95f241969f73baf9d0cb5cb97ff115fc8
- Filesize: 43.1MB
  MD5: 8a53cf72375f6899082463c36422d411
  SHA1: 161d9d3b21bf0d9a9790b92013ec76c6d839af06
  SHA256: 1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
  SHA512: daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 3.0MB
  MD5: d90927477dbf0725af0a10e151c184c4
  SHA1: 4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
  SHA256: 43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
  SHA512: bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98
- Filesize: 1KB
  MD5: 91acf87684e0ffb8954255d67faec978
  SHA1: d84a6532278935f560ed3492de5b32c7227d7744
  SHA256: a240f260addf3b2c058b1b86bbfb1f723d8d5b41c8eeaeda08994508321e37cf
  SHA512: 1a4d42956417e99411be9de7d488bf93ea237f1d33a7d0acc3fe0524e25e96ca672997f7d522854b4ca32f81acd49a39e394e92946d714d4d7b08c9851a08504
- Filesize: 4.7MB
  MD5: a7349236212b0e5cec2978f2cfa49a1a
  SHA1: 5abb08949162fd1985b89ffad40aaf5fc769017e
  SHA256: a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082
  SHA512: c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02
- Filesize: 44.6MB
  MD5: a4d9f86c09bef236ea991b8801af8ebf
  SHA1: dd7f0c051958471cd01005544f43a61323e7f108
  SHA256: 0861964bb9167b631b1f21f54f31072353d148188e92b25adc7437f33d2d1ea5
  SHA512: 75f31cb0b4b26b2c255f6029625928fed21170cf7e82e07b186f9978884659336d6201769d4cd345eb1c41c61eab884a16149d92bea5dec5e16dae1c4da4bb56
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log
  Filesize: 1KB
  MD5: 122cf3c4f3452a55a92edee78316e071
  SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
  SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
  SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
- Filesize: 24.1MB
  MD5: a1e3a2ae95c90167523c9ea17bd5c60e
  SHA1: 23a065b41aa390587f40c730c990e4ddcabeee39
  SHA256: e2b356fae4d11280da85167aa3e4a4ece17b6a1788c1c619ac973b91cd4d7e4c
  SHA512: 54c975306f470f42756d50c2ecd627b266f44f51e22d742da2d67bf65653e05bce9347da7ba869664b9097433980585d5e63b9ef8a8409f8019b611fd5767501
- \??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3c2b8586-62e0-4015-8e96-08d623ec8a34}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 83743d03bf637873029231bac94b57d8
  SHA1: 6bb16b64e6f8285f23f8c1f7227d70b5cc471424
  SHA256: 8562cd5aee25ae17bd79f78d64689807f41726a69a1b25986bdcad1ee0983399
  SHA512: c8fbbaf7334429b749692597d2fcc9bb8ffdca070a3799b7ac132b7b245cdf9849be9919367ae7f9122937be8fd2918899ffd6ff2ca2828f75be9fd5dcc36193