08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865

General

Target

ChromeSetupz.5516.25.msi
Size

20.2MB
MD5

92f66429d4ad77c68f77060cb18dcce0
SHA1

cde034910f4ad24df46f6bc7e4e6d467ac8baa31
SHA256

08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865
SHA512

de04850632071600f6d1b9efaa3d4272ef4176e474ab8feb0caf029c300fb4c0d5a0d9f28a037c4b61a9ddaa9ca2fc89d82f09c414bffc9580935b05f1b59cc7
SSDEEP

393216:0Q0Frf5krXSujs/7rYMB6z4GGFTfuN0+O6r7a7n25K5Q0quXbenFJldPYjzhEiA8:0Q05JQs/gZzdGFyHre7n250PbenFtPQl

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2908 powershell.exe

pid	process
2908	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 17 IoCs

Processes:

qQYSSihgyoxprPyXJXzhAKmSpDJpse.exemsiexec.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exeMsiExec.exeyrjwPObnoqyg.exe

description	ioc	process
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe	msiexec.exe
File created	C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\XjPDFEditCore.dll	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs	yrjwPObnoqyg.exe
File created	C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe	MsiExec.exe
File created	C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr	msiexec.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File created	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
File opened for modification	C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

Drops file in Windows directory 10 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76fbb0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fbae.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76fbad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fbad.msi	msiexec.exe
File created	C:\Windows\Installer\f76fbae.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

qQYSSihgyoxprPyXJXzhAKmSpDJpse.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exeyrjwPObnoqyg.exeC1h2r3a6ais7up.exe

pid process

1708 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2524 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2652 yrjwPObnoqyg.exe
1088 C1h2r3a6ais7up.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1980 msiexec.exe

pid	process
1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2652	yrjwPObnoqyg.exe
1088	C1h2r3a6ais7up.exe

pid	process
1980	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qQYSSihgyoxprPyXJXzhAKmSpDJpse.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exeyrjwPObnoqyg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrjwPObnoqyg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1728 cmd.exe
620 PING.EXE

pid	process
1728	cmd.exe
620	PING.EXE

Modifies data under HKEY_USERS 48 IoCs

Processes:

DrvInst.exemsiexec.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9066b515a039db01	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\PackageCode = "057E34CA8B228F74186C96793AFD7D82"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Version = "524290"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\ProductName = "DriveHumbleTechnician"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB\6785353EFDC7D474B987CFA4A9EDDFC7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\PackageName = "ChromeSetupz.5516.25.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

620 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

qQYSSihgyoxprPyXJXzhAKmSpDJpse.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

pid process

1708 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2524 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

pid	process
620	PING.EXE

pid	process
1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

msiexec.exepowershell.exeyrjwPObnoqyg.exe

pid	process
2396	msiexec.exe
2396	msiexec.exe
2908	powershell.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe
2652	yrjwPObnoqyg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exepowershell.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exeqQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

description	pid	process
Token: SeShutdownPrivilege	1980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeSecurityPrivilege	2396	msiexec.exe
Token: SeCreateTokenPrivilege	1980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1980	msiexec.exe
Token: SeLockMemoryPrivilege	1980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1980	msiexec.exe
Token: SeMachineAccountPrivilege	1980	msiexec.exe
Token: SeTcbPrivilege	1980	msiexec.exe
Token: SeSecurityPrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeLoadDriverPrivilege	1980	msiexec.exe
Token: SeSystemProfilePrivilege	1980	msiexec.exe
Token: SeSystemtimePrivilege	1980	msiexec.exe
Token: SeProfSingleProcessPrivilege	1980	msiexec.exe
Token: SeIncBasePriorityPrivilege	1980	msiexec.exe
Token: SeCreatePagefilePrivilege	1980	msiexec.exe
Token: SeCreatePermanentPrivilege	1980	msiexec.exe
Token: SeBackupPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeShutdownPrivilege	1980	msiexec.exe
Token: SeDebugPrivilege	1980	msiexec.exe
Token: SeAuditPrivilege	1980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1980	msiexec.exe
Token: SeChangeNotifyPrivilege	1980	msiexec.exe
Token: SeRemoteShutdownPrivilege	1980	msiexec.exe
Token: SeUndockPrivilege	1980	msiexec.exe
Token: SeSyncAgentPrivilege	1980	msiexec.exe
Token: SeEnableDelegationPrivilege	1980	msiexec.exe
Token: SeManageVolumePrivilege	1980	msiexec.exe
Token: SeImpersonatePrivilege	1980	msiexec.exe
Token: SeCreateGlobalPrivilege	1980	msiexec.exe
Token: SeBackupPrivilege	2368	vssvc.exe
Token: SeRestorePrivilege	2368	vssvc.exe
Token: SeAuditPrivilege	2368	vssvc.exe
Token: SeBackupPrivilege	2396	msiexec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2880	DrvInst.exe
Token: SeLoadDriverPrivilege	2880	DrvInst.exe
Token: SeLoadDriverPrivilege	2880	DrvInst.exe
Token: SeLoadDriverPrivilege	2880	DrvInst.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeRestorePrivilege	2396	msiexec.exe
Token: SeTakeOwnershipPrivilege	2396	msiexec.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeRestorePrivilege	1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: 35	1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: SeSecurityPrivilege	1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: SeSecurityPrivilege	1708	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: SeRestorePrivilege	2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: 35	2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: SeSecurityPrivilege	2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Token: SeSecurityPrivilege	2524	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1980 msiexec.exe
1980 msiexec.exe

pid	process
1980	msiexec.exe
1980	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

msiexec.exeMsiExec.execmd.exe

description	pid	process	target process
PID 2396 wrote to memory of 1288	2396	msiexec.exe	MsiExec.exe
PID 2396 wrote to memory of 1288	2396	msiexec.exe	MsiExec.exe
PID 2396 wrote to memory of 1288	2396	msiexec.exe	MsiExec.exe
PID 2396 wrote to memory of 1288	2396	msiexec.exe	MsiExec.exe
PID 2396 wrote to memory of 1288	2396	msiexec.exe	MsiExec.exe
PID 1288 wrote to memory of 2908	1288	MsiExec.exe	powershell.exe
PID 1288 wrote to memory of 2908	1288	MsiExec.exe	powershell.exe
PID 1288 wrote to memory of 2908	1288	MsiExec.exe	powershell.exe
PID 1288 wrote to memory of 1728	1288	MsiExec.exe	cmd.exe
PID 1288 wrote to memory of 1728	1288	MsiExec.exe	cmd.exe
PID 1288 wrote to memory of 1728	1288	MsiExec.exe	cmd.exe
PID 1728 wrote to memory of 1708	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 1708	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 620	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 620	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 620	1728	cmd.exe	PING.EXE
PID 1728 wrote to memory of 2524	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1728 wrote to memory of 2524	1728	cmd.exe	qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
PID 1288 wrote to memory of 2652	1288	MsiExec.exe	yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652	1288	MsiExec.exe	yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652	1288	MsiExec.exe	yrjwPObnoqyg.exe
PID 1288 wrote to memory of 2652	1288	MsiExec.exe	yrjwPObnoqyg.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 24DBB2A1855E59B6F8A4A032F90EAD22 M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
      "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1708
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:620
  - - C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
      "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
    "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 121 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- - C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe
    "C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe"
    3⤵
    - Executes dropped EXE
    PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000558"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76fbaf.rbs

Filesize
7KB

MD5
0f42b5d9f26491d750e86c977b647358

SHA1
75e5f6ec305fac5312eed841a03b966529ac5edc

SHA256
ffea657e8eb6a528e857f80ac637ae2ac458eab5e0ea844d73ed5ae8d8e29c28

SHA512
2e3c41f3c7fddf8b9fd7cb2bb67fc8d7464e4f19bfe398dbcefa700af397550f01b8ef9eb57871b7305551cd14bf43c983fcdc0d1403c58b221988f5cfbb3433

Download Submit
C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

Filesize
2.1MB

MD5
d9a41a6ce1809032f7e409a79766fbe6

SHA1
c011b1122fb750ce3b393fc35df623d7fb21ebaa

SHA256
0099f9e565c7bb368d24fa3e497fb6cad33463ef13a02017f8d072bfb7185520

SHA512
23d324a40aca1ecc022a42646826632d43c67496722004fe155df7d76e1175a02a3a69595606d452834ad61cbc119fa4fe8c98b7a39845b4fefaece34d4a92e1

Download Submit
C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe

Filesize
8.5MB

MD5
5adff4313fbd074df44b4eb5b7893c5e

SHA1
d27388ef6cf34d40e0e7666f6381fcc5bbafa0f7

SHA256
d0c7a4390bdd6b442b96fc76f8a38f7b756ba2c16752ea259844420161865cae

SHA512
f5d639922b91878cf83d97563288a3aa4cba94db3ad5e8ac11d24ef7c44b019383a4414aeba6171b4c7bfa83ea1eafc1231cc9233e3b82b5ca7dc0b3ffacbf60

Download Submit
C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr

Filesize
1.5MB

MD5
4f8c76acd4909457be94c24638d582ad

SHA1
aa8c712b920ccf8c50de26f32fc1e4cc471bc8eb

SHA256
69dfc5f0598bee73b850e4b8958ad345188b99767f674f1f54dc1a68a270595f

SHA512
c7a7ca2a882446191b1a961011b59deca8849ca8ae71cde19cdced727a3a9883efe7b5c1f5a247bb39c3b19f08d7da28db102d76da1627d69613c3d6dd7dc6cf

Download Submit
C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir

Filesize
1.5MB

MD5
277d195bb1d050281da36e259c851e0c

SHA1
e5281f027d44e6da9eb041acfaaf0404db6ba1d8

SHA256
2b189cd2b037480fc4eada82dc53d2339327372c9979dba7fa7b66c8b7e11652

SHA512
d499fd7fbf37421736deb1d96011707a3709b8c59294b37afd5e50fd2664fccdc2e75258816e3c9526f45e1716a18b9ad72e94dfa555d1f44a3baadb9cbbb77b

Download Submit
C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Windows\Installer\f76fbad.msi

Filesize
20.2MB

MD5
92f66429d4ad77c68f77060cb18dcce0

SHA1
cde034910f4ad24df46f6bc7e4e6d467ac8baa31

SHA256
08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865

SHA512
de04850632071600f6d1b9efaa3d4272ef4176e474ab8feb0caf029c300fb4c0d5a0d9f28a037c4b61a9ddaa9ca2fc89d82f09c414bffc9580935b05f1b59cc7

Download Submit
memory/1288-12-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/2652-56-0x000000002B0E0000-0x000000002B10F000-memory.dmp

Filesize
188KB

Download
memory/2908-17-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2908-18-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads