Analysis
max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 18-11-2024 09:55
Static task: static1
Behavioral task: behavioral1
Sample: ChromeSetupz.5516.25.msi
Resource: win7-20241023-en
General
Target: ChromeSetupz.5516.25.msi
Size: 20.2MB
MD5: 92f66429d4ad77c68f77060cb18dcce0
SHA1: cde034910f4ad24df46f6bc7e4e6d467ac8baa31
SHA256: 08734e0c77e055be3c43066f2cbcfd84537a819434d1e1f6d41c984ff7a4d865
SHA512: de04850632071600f6d1b9efaa3d4272ef4176e474ab8feb0caf029c300fb4c0d5a0d9f28a037c4b61a9ddaa9ca2fc89d82f09c414bffc9580935b05f1b59cc7
SSDEEP: 393216:0Q0Frf5krXSujs/7rYMB6z4GGFTfuN0+O6r7a7n25K5Q0quXbenFJldPYjzhEiA8:0Q05JQs/gZzdGFyHre7n250PbenFtPQl
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid, Process:
- 2908 powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description, ioc, Process: all 46 entries are "File opened (read-only)" by msiexec.exe; in order the ioc values were \??\P:, \??\Q:, \??\U:, \??\Y:, \??\E:, \??\G:, \??\P:, \??\Q:, \??\T:, \??\U:, \??\X:, \??\L:, \??\R:, \??\W:, \??\V:, \??\W:, \??\E:, \??\M:, \??\B:, \??\S:, \??\I:, \??\K:, \??\S:, \??\A:, \??\Z:, \??\B:, \??\H:, \??\H:, \??\T:, \??\N:, \??\Y:, \??\N:, \??\O:, \??\O:, \??\R:, \??\Z:, \??\G:, \??\A:, \??\J:, \??\L:, \??\M:, \??\J:, \??\X:, \??\I:, \??\K:, \??\V: (every drive letter except C:, D: and F:, each opened twice).
Drops file in System32 directory (1 IoCs)
description, ioc (Process):
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Drops file in Program Files directory (17 IoCs)
description, ioc (Process):
- File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe (msiexec.exe)
- File created C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe (msiexec.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\XjPDFEditCore.dll (msiexec.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe (MsiExec.exe)
- File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs (yrjwPObnoqyg.exe)
- File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe (MsiExec.exe)
- File created C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr (msiexec.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
Drops file in Windows directory (10 IoCs)
description, ioc (Process):
- File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File created C:\Windows\Installer\f76fbb0.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIFDA0.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\f76fbae.ipi (msiexec.exe)
- File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created C:\Windows\Installer\f76fbad.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\f76fbad.msi (msiexec.exe)
- File created C:\Windows\Installer\f76fbae.ipi (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
Executes dropped EXE (4 IoCs)
pid, Process:
- 1708 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
- 2524 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
- 2652 yrjwPObnoqyg.exe
- 1088 C1h2r3a6ais7up.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid, Process:
- 1980 msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description, ioc (Process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (yrjwPObnoqyg.exe)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid, Process:
- 1728 cmd.exe
- 620 PING.EXE
Modifies data under HKEY_USERS (48 IoCs)
description, ioc (Process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E (msiexec.exe)
- Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D (msiexec.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (DrvInst.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9066b515a039db01 (powershell.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates (DrvInst.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs (DrvInst.exe)
Modifies registry class (22 IoCs)
description, ioc (Process): all 22 entries are by msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\PackageCode = "057E34CA8B228F74186C96793AFD7D82"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Version = "524290"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media\1 = ";"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AuthorizedLUAApp = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Clients = 3a0000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7\ProductFeature
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Assignment = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6785353EFDC7D474B987CFA4A9EDDFC7
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\ProductName = "DriveHumbleTechnician"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\Language = "1033"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\AdvertiseFlags = "388"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\InstanceType = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\DeploymentFlags = "3"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\FB24B910C1788D5469B1AA3A1A3667BB\6785353EFDC7D474B987CFA4A9EDDFC7
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\PackageName = "ChromeSetupz.5516.25.msi"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\Media
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6785353EFDC7D474B987CFA4A9EDDFC7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Runs ping.exe (1 TTPs, 1 IoCs)
pid, Process:
- 620 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
pid, Process:
- 1708 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
- 2524 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
pid, Process (repeated entries collapsed with their counts):
- 2396 msiexec.exe (x2)
- 2908 powershell.exe
- 2652 yrjwPObnoqyg.exe (x50)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token), pid, Process, grouped by process with repeat counts:
- 1980 msiexec.exe (31): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 2396 msiexec.exe (11): SeRestorePrivilege (x5), SeTakeOwnershipPrivilege (x4), SeSecurityPrivilege, SeBackupPrivilege
- 2368 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2880 DrvInst.exe (10): SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
- 2908 powershell.exe (1): SeDebugPrivilege
- 1708 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe (4): SeRestorePrivilege, 35, SeSecurityPrivilege (x2)
- 2524 qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe (4): SeRestorePrivilege, 35, SeSecurityPrivilege (x2)
Suspicious use of FindShellTrayWindow (2 IoCs)
pid, Process:
- 1980 msiexec.exe (x2)
Suspicious use of WriteProcessMemory (26 IoCs)
description, pid, Process, procid_target (repeated entries collapsed with their counts):
- PID 2396 (msiexec.exe) wrote to memory of 1288, procid_target 35 (x5)
- PID 1288 (MsiExec.exe) wrote to memory of 2908, procid_target 37 (x3)
- PID 1288 (MsiExec.exe) wrote to memory of 1728, procid_target 39 (x3)
- PID 1728 (cmd.exe) wrote to memory of 1708, procid_target 41 (x4)
- PID 1728 (cmd.exe) wrote to memory of 620, procid_target 43 (x3)
- PID 1728 (cmd.exe) wrote to memory of 2524, procid_target 44 (x4)
- PID 1288 (MsiExec.exe) wrote to memory of 2652, procid_target 46 (x4)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (tree; indentation shows parent/child nesting)
C:\Windows\system32\msiexec.exe (PID 1980)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ChromeSetupz.5516.25.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 2396)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\MsiExec.exe (PID 1288)
    command line: C:\Windows\system32\MsiExec.exe -Embedding 24DBB2A1855E59B6F8A4A032F90EAD22 M Global\MSI0000
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 1728)
      command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe (PID 1708)
        command line: "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\XSMdjOpzlHEtnonzAHdFfqjsKAHetr" -o"C:\Program Files\DriveHumbleTechnician\" -p"373357|xZmCie].{GTlD" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\PING.EXE (PID 620)
        command line: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
      C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe (PID 2524)
        command line: "C:\Program Files\DriveHumbleTechnician\qQYSSihgyoxprPyXJXzhAKmSpDJpse.exe" x "C:\Program Files\DriveHumbleTechnician\eaKqUwGXuXSKSERTyFiFfxKGAgTAir" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"91844v.Gsd9S^{PzzOfj" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe (PID 2652)
      command line: "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 121 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe (PID 1088)
      command line: "C:\Program Files\DriveHumbleTechnician\C1h2r3a6ais7up.exe"
      - Executes dropped EXE
C:\Windows\system32\vssvc.exe (PID 2368)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DrvInst.exe (PID 2880)
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "0000000000000558"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads