blackmoon | 7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6

Resubmissions

22-11-2024 05:12

241122-fv4mhs1kgp 10

19-11-2024 04:06

241119-epln3szmft 10

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i4.msi
Size

414.8MB
MD5

5458ded6540ceaa02e7c1b74b38fa8ba
SHA1

77f63bfb0c37b76005b9105e3544a63dd2240f77
SHA256

7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
SHA512

cac691c9c69e6db69e4e9d16a60aa9e01f2cf6f2fc7bafc15b9ba88d13dc0bcfb2f966e9e7b888aafa547cb49f2ca6df625fe555b6eb6d757e30aa601ea8feec
SSDEEP

12582912:kGJfvUrxERbTpxS6bJSPeXi2ffucxlgJIerR:kGq9Mp9bJSWXi2fpxOIerR

Score

10^/10

blackmoon banker discovery persistence privilege_escalation trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/memory/548-872-0x0000000002B80000-0x0000000003495000-memory.dmp	family_blackmoon

Blocklisted process makes network request 64 IoCs

flow	pid	Process
49	920	MsiExec.exe
51	920	MsiExec.exe
53	920	MsiExec.exe
55	920	MsiExec.exe
64	920	MsiExec.exe
67	920	MsiExec.exe
68	920	MsiExec.exe
70	920	MsiExec.exe
71	920	MsiExec.exe
72	920	MsiExec.exe
73	920	MsiExec.exe
74	920	MsiExec.exe
75	920	MsiExec.exe
76	920	MsiExec.exe
77	920	MsiExec.exe
78	920	MsiExec.exe
79	920	MsiExec.exe
80	920	MsiExec.exe
81	920	MsiExec.exe
82	920	MsiExec.exe
83	920	MsiExec.exe
84	920	MsiExec.exe
85	920	MsiExec.exe
86	920	MsiExec.exe
87	920	MsiExec.exe
88	920	MsiExec.exe
89	920	MsiExec.exe
90	920	MsiExec.exe
91	920	MsiExec.exe
92	920	MsiExec.exe
93	920	MsiExec.exe
94	920	MsiExec.exe
96	920	MsiExec.exe
97	920	MsiExec.exe
98	920	MsiExec.exe
99	920	MsiExec.exe
100	920	MsiExec.exe
101	920	MsiExec.exe
102	920	MsiExec.exe
103	920	MsiExec.exe
104	920	MsiExec.exe
105	920	MsiExec.exe
106	920	MsiExec.exe
107	920	MsiExec.exe
108	920	MsiExec.exe
109	920	MsiExec.exe
110	920	MsiExec.exe
111	920	MsiExec.exe
112	920	MsiExec.exe
113	920	MsiExec.exe
114	920	MsiExec.exe
115	920	MsiExec.exe
116	920	MsiExec.exe
117	920	MsiExec.exe
118	920	MsiExec.exe
119	920	MsiExec.exe
120	920	MsiExec.exe
121	920	MsiExec.exe
122	920	MsiExec.exe
123	920	MsiExec.exe
124	920	MsiExec.exe
125	920	MsiExec.exe
126	920	MsiExec.exe
127	920	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4823.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI514E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI718B.tmp	msiexec.exe
File created	C:\Windows\Installer\e584253.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{19C746AC-46B2-488C-B026-36DFC3AFFC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI544D.tmp	msiexec.exe
File created	C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4708.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4795.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe	msiexec.exe
File created	C:\Windows\Installer\e584255.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45BE.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e584253.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5391.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
548	TomatoWallPaper.exe

Loads dropped DLL 24 IoCs

pid	Process
920	MsiExec.exe
920	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
1364	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4268	MsiExec.exe
4860	MsiExec.exe
1364	MsiExec.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4456	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TomatoWallPaper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\PackageCode = "3518CA3F3B7A4E34EB634866B45CFAD7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Version = "136118272"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\ProductName = "Win64-爱思助手V8.29"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\PackageName = "i4.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1364	MsiExec.exe
1364	MsiExec.exe
228	msiexec.exe
228	msiexec.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	228	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeMachineAccountPrivilege	4456	msiexec.exe
Token: SeTcbPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeLoadDriverPrivilege	4456	msiexec.exe
Token: SeSystemProfilePrivilege	4456	msiexec.exe
Token: SeSystemtimePrivilege	4456	msiexec.exe
Token: SeProfSingleProcessPrivilege	4456	msiexec.exe
Token: SeIncBasePriorityPrivilege	4456	msiexec.exe
Token: SeCreatePagefilePrivilege	4456	msiexec.exe
Token: SeCreatePermanentPrivilege	4456	msiexec.exe
Token: SeBackupPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeDebugPrivilege	4456	msiexec.exe
Token: SeAuditPrivilege	4456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4456	msiexec.exe
Token: SeChangeNotifyPrivilege	4456	msiexec.exe
Token: SeRemoteShutdownPrivilege	4456	msiexec.exe
Token: SeUndockPrivilege	4456	msiexec.exe
Token: SeSyncAgentPrivilege	4456	msiexec.exe
Token: SeEnableDelegationPrivilege	4456	msiexec.exe
Token: SeManageVolumePrivilege	4456	msiexec.exe
Token: SeImpersonatePrivilege	4456	msiexec.exe
Token: SeCreateGlobalPrivilege	4456	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4456	msiexec.exe
Token: SeMachineAccountPrivilege	4456	msiexec.exe
Token: SeTcbPrivilege	4456	msiexec.exe
Token: SeSecurityPrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeLoadDriverPrivilege	4456	msiexec.exe
Token: SeSystemProfilePrivilege	4456	msiexec.exe
Token: SeSystemtimePrivilege	4456	msiexec.exe
Token: SeProfSingleProcessPrivilege	4456	msiexec.exe
Token: SeIncBasePriorityPrivilege	4456	msiexec.exe
Token: SeCreatePagefilePrivilege	4456	msiexec.exe
Token: SeCreatePermanentPrivilege	4456	msiexec.exe
Token: SeBackupPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeShutdownPrivilege	4456	msiexec.exe
Token: SeDebugPrivilege	4456	msiexec.exe
Token: SeAuditPrivilege	4456	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4456	msiexec.exe
Token: SeChangeNotifyPrivilege	4456	msiexec.exe
Token: SeRemoteShutdownPrivilege	4456	msiexec.exe
Token: SeUndockPrivilege	4456	msiexec.exe
Token: SeSyncAgentPrivilege	4456	msiexec.exe
Token: SeEnableDelegationPrivilege	4456	msiexec.exe
Token: SeManageVolumePrivilege	4456	msiexec.exe
Token: SeImpersonatePrivilege	4456	msiexec.exe
Token: SeCreateGlobalPrivilege	4456	msiexec.exe
Token: SeCreateTokenPrivilege	4456	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4456	msiexec.exe
Token: SeLockMemoryPrivilege	4456	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4456	msiexec.exe
4456	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe
548	TomatoWallPaper.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 920	228	msiexec.exe	84
PID 228 wrote to memory of 920	228	msiexec.exe	84
PID 228 wrote to memory of 920	228	msiexec.exe	84
PID 228 wrote to memory of 1364	228	msiexec.exe	87
PID 228 wrote to memory of 1364	228	msiexec.exe	87
PID 228 wrote to memory of 1364	228	msiexec.exe	87
PID 228 wrote to memory of 4636	228	msiexec.exe	109
PID 228 wrote to memory of 4636	228	msiexec.exe	109
PID 228 wrote to memory of 4268	228	msiexec.exe	111
PID 228 wrote to memory of 4268	228	msiexec.exe	111
PID 228 wrote to memory of 4268	228	msiexec.exe	111
PID 228 wrote to memory of 4860	228	msiexec.exe	113
PID 228 wrote to memory of 4860	228	msiexec.exe	113
PID 228 wrote to memory of 4860	228	msiexec.exe	113
PID 1364 wrote to memory of 548	1364	MsiExec.exe	116
PID 1364 wrote to memory of 548	1364	MsiExec.exe	116
PID 1364 wrote to memory of 548	1364	MsiExec.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F474873D03CBB462AC3882A4F19375FD U
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 29FB2D488B911C2B813DE344086DEC42 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
    "C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe" -skin_ui
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:548
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6B809AC1C5C17B92D19E22EC806D18C0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4268
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A66CAFD8953347DF3F4F41FA2A5DA727 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e584254.rbs

Filesize
75KB

MD5
d21e393f4c43d0b93a025f90f6ff093c

SHA1
6168af81cbac5247d3010ea6094a5e60d4f25382

SHA256
c44d827b05b65791e0eccc3b8294acde16f2fddcd96f45c894c941bfca4d630a

SHA512
18698f0d5871596882e27a7f28cb5a7920c81f04d0196788b744e54f32a2c062822143225e97ebbca587f5d9b2d1909dd447d98f71d45ef54cdfcb7341220903

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
ec95bcb6aeb25808d7b7b7816f7be13b

SHA1
6bfeb0825e8b4304e5e1643e82a318adf0581eec

SHA256
8edf77b7abe55db55a4a12bd44bd5f68cedf260832ab0d51b34c0229003dd147

SHA512
695017054ed58c421f36a6ba5e5e7e8cd067718c0c13e320e7722846027e86fe78e2ac838cd97546bc054ded75e30d4a812575f281471e8e3a878fe977407d46

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
e50bff99eaa23b46eb1dfb53305ee668

SHA1
35c732e9ab3e61b82035c4fda2e730770c7f554a

SHA256
29af58b2c7130e0af68aae6fd2ce219bdf33d1728d6081e9436c31f2eebe30d2

SHA512
73ee0b15f71a949ed80b22bea16b3b6f14f82d93d3a51db80fc17cc9bd216eff4dad4e32b3928f55412b33ad6c4da3d65522087d06eaa354b9477a7571321890

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

Filesize
33KB

MD5
151254b9ce0a2013b43f774819aea0d8

SHA1
26301ec08636e2362151a0e4c8682b930be491d4

SHA256
32bfebbd6361f15ce0a5c22e606f066c7485b233fb11d0857bdaac5c81e3a58f

SHA512
15c15b4ea94180f50bee13240b9687c451eb0280aa3c041e28865e441132a33ec3ded0017587c01453c24c2a87c00436b47231627e1ed44703db016cb32e6c18

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

Filesize
35KB

MD5
8d068d65054022ad94906bfbf99de622

SHA1
bf4968d0ad6e0cd44185dd3c4ede231ad50044ab

SHA256
dfc0908dbdaf485b5e9a5b6b839fd026a5d27d0bad386f2fb0721ce1d20b0735

SHA512
63ebce2d1d2ae44538c235afa022b1274bee6a25c4a95c68e944b85a0e59f0f86bedbca68247a4db16d80f8a42027a5b3ce76b88e7088cb0aacf23422de392bc

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

Filesize
18KB

MD5
83003ac1cdb306f26f80f65fe529e7f4

SHA1
da31ea9acbc284a547c0b6aa8ccaf66a0891e222

SHA256
d5b56129d3e4ce53a4fab28a9932b299e5e5a27cd903835ee86dee7eeccd5ce1

SHA512
ba0aa02076dd1fb4fb1a32e8944254069eda38e9796206ac4e5f2f1ccfbe43d27da8b4453f2a98dcfcea60549726a6ef060e10135e4011fe36f885c182a09e80

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

Filesize
33KB

MD5
42b35754de0de0a94d1c7043917ec717

SHA1
fcfb33889a7e51a3cfd52fe85f2b87f11308fe54

SHA256
ca24ad8e80eaa6797b4dd71ec72e29759624f3ad81a97a2642a0e26865687992

SHA512
635cd32c5c0965f3e73206e6b601f3bf88b958e7dc0cec66dd165f03a18eb52b73a00c73ac5e61b5bd1db1d3e7973737266fc99345fe34ace8b097ab7286f02f

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

Filesize
38KB

MD5
4e5597da7a83d458ed1586c09a30817e

SHA1
29ba95875b2bc02b2caaca76771574ede5795793

SHA256
3fda8751411748747c9b5f1efa77dde2b9e14849bb140ec4a999d10b2e6968be

SHA512
19e9ca986b3a9478e6658c02d7a861111494f832305e6cce83d629ddccee4ad1134577db07c3608a0eb5ecded2f2e1ddce3d0098084d71b0b615f5e5c330dcdf

Download Submit
C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe

Filesize
109KB

MD5
cc6c4bfd3c92394b968e6026ef40e51a

SHA1
cb6e3548cf53b5bf102eefbb51abdafdfe634946

SHA256
6dcd14a0e77bc3db07aa2899c59d6024e2092e2f51c37856b884c54f32e85131

SHA512
1a86b80422952cf8d903fdb9bcfdec0957e77d67540ac96932498336b44b073acac2a9fec6486f7e61e844d573dc5cf71e53eb0fdca4bf9d13f49c84385cdff1

Download Submit
C:\Users\Admin\AppData\Local\Bin\VCRUNTIME140.dll

Filesize
82KB

MD5
d0520569180accd7e17ed9697711d6ec

SHA1
46cb7e2db7efda70b9a5b75b2fe0bb6038499008

SHA256
13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c

SHA512
86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

Download Submit
C:\Users\Admin\AppData\Local\Bin\config.ini

Filesize
104B

MD5
83b15cb203aa5d3f8db433708d9aee71

SHA1
4a2207c1e6b092f78802740342e5c0a5807bbda1

SHA256
41e87dbb9b716c5c760c92b74fec2b7a9d1473d34b182272ee81d212ec4c2a2c

SHA512
b717553a2ea09d6f9730f01602d0f16608356a8486b94b8db1fe2a1980bf0a2a3b0a14f57c412791fe564c2e222de25f13daa517327be28af22f0d31ef91fcea

Download Submit
C:\Users\Admin\AppData\Local\Bin\res\theme\azure.she

Filesize
64KB

MD5
636f6a2c1521c82a3a503be1f3f6210f

SHA1
68410eefac45eef85465db572db78362bbc16208

SHA256
3835bd02c8f252236b41ca94bf69a034e6abd34daf44dbc7d4e2d074ddeca7fd

SHA512
5904bf6054c6c07355b0121c54559aaba6a0833286b0811aca30dcdf06f1447c4ed845c6176e6ee881dd815043d584d0259d382d9f2e0993a8bc89354ca5d872

Download Submit
C:\Users\Admin\AppData\Local\Bin\res\theme\purple.she

Filesize
8.9MB

MD5
99210799292be3af0d97fa8adbe7bf11

SHA1
afb7d83cb013fbad4df9c51bbc7e0d13074d3336

SHA256
b860cc992c20d581dff09c6e1d50306dfd9c7638990fdc8fc7b311d54872bd0d

SHA512
b584fef2178e28b1963d5d8c8df5217720b843d17fb7f17a7f53b313ca1095c30800d1a933beead1438239a1b33055674cfea72d9091b14f7cd879ec02c4e3b1

Download Submit
C:\Users\Admin\AppData\Local\Bin\stardict-editor.dll

Filesize
28.2MB

MD5
75b7eff9a94923767ea1ac13cb945d14

SHA1
76b7fad58f04904c46ccfae6882fdacef8326cd7

SHA256
051bbfc721ef023bd4173eb620c680ca92e3493ba48fb010fa2570f331dbf3a8

SHA512
59f501621397c9c33d8a589a439df882fd416fc3edb12e64b9e24d70d89052658f4aecafc589cfe613210367d7e8a1c34be6c482df214367c288eb001989dac0

Download Submit
C:\Users\Admin\AppData\Local\HaloTray.exe

Filesize
1.6MB

MD5
be482d41d38c6a6691010e58fb8e1876

SHA1
06b0e9638874d716c028d5fc38fa7edf349575e9

SHA256
e26eff452d61191588add27666ea8e0377bd0927ac8d327cee16b820633aba81

SHA512
99f46c4918effa367ab96497f143661826fb8f7e8ddfc30502cf69e2438ad6146b0d56c74d9d57116c2193c5637f98dbf782ea950bcf19b46d280a15a1c90ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI27708\InstallerAnalytics.dll

Filesize
1.0MB

MD5
806e65956064190d6154d5de5cc96a5e

SHA1
f2fa1b10dec6f4166b79e710d81147c9028c4198

SHA256
17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8

SHA512
ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI27708\embeddeduiproxy.dll

Filesize
23KB

MD5
6671824509f40eb0ddb8fad2a2c66886

SHA1
ab8e4380b5f0d104476793351334631e2fa6054f

SHA256
8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f

SHA512
3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICF17.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID363.tmp

Filesize
1.1MB

MD5
58c6476771f68f57661d0f6533cb70ef

SHA1
8080de39939f0a8f1e0c529cca30bf38b0e6abf2

SHA256
7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f

SHA512
2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

Download Submit
C:\Users\Admin\AppData\Local\cache\devices_table\iPhone14Pro.svg

Filesize
28KB

MD5
77cb737208ff7f38f85efb31f6482be3

SHA1
5a11798b21d406c4a642c546d3da9f7a07f4c436

SHA256
cbb1b92b25021deae953793e911d417ca87814b7c3ae3a89f614266c35a4d886

SHA512
78cfddd3a71e0c22d75c8c67e0153c3b625d0672ba98af8b76f169286f6655d0175bcc93dee2d8c740bb4ac73bf1e3110ee9d49590767ff2a8b2496ee4b3a9da

Download Submit
C:\Users\Admin\AppData\Roaming\config.ini

Filesize
83B

MD5
ee1a600c8079bfc88f139aa52c27347d

SHA1
c478aecf481344867822c2bb3111c2b40c1d9d5c

SHA256
9ff6a379ac980293b8d485b3a7bb1b0ed332b73886ca1d531097d73aa4d05681

SHA512
bf0d4af18be0cfb16a951f156025399ef08b99408243f8d83473594e5959a32c290fa45dac4af468f74b9cebb7025d04d08b82d30848a0c50b39fc3ed945673a

Download Submit
C:\Users\Public\Desktop\爱思助手8.0.lnk

Filesize
2KB

MD5
b5f3833264d709102e7eb6433bd07f57

SHA1
6fd8cec45816cdfbbbcb887c3844ee5e62e78faa

SHA256
099c1c4ef2d2484cb64ee9727d7ca6761660265d8d483886d3ea591f567d001c

SHA512
3357c9014acb3eee25f041d6b78448f64e7eb2f6bd25e4b06dd1294cf46ac8ba541c863a3f40019276586b6ea54629ad1bb95e4b89b11552c005255bb41926cb

Download Submit
C:\Users\Public\Desktop\爱思助手8.0.lnk~RFe587162.TMP

Filesize
2KB

MD5
dce769d17de2f705608a35edee66dbd7

SHA1
3954ceb5dfdc34187872e025f0e10d9d1f74cea7

SHA256
b6b9a35a295f457d842f8b138828cda90f6e0ff1a383b6541ba63aa10ac3007f

SHA512
f71e6dfb969cb77161b09fa0e61916ba4086c641bddc68853e9ac5b4c04651779cb7b99ff0183fd566b5066d452e4af5a49344234db9ecc9ed8ecf82ac6b5a11

Download Submit
C:\Windows\Installer\MSI5391.tmp

Filesize
399KB

MD5
17209841138816c79e9d11c0d61ecba1

SHA1
362a1bbb99d2900b3b4abae1f3ac848d7adb76eb

SHA256
d695712b3d54481af4c01bf7604443c7ac9ee5728671049562de35b76fae0a19

SHA512
a0ecc7a2d8102d05b10cab4064469176879340aea99dbb05e77777755fb2eb87abef00e7cb6148a83e0411d22916f1453789acdb3babe367d25a253d8fafd95d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
1d70999a7d92435ce6e8f668d785ebaf

SHA1
36f03b92b722911a08ddb502e4a63b431fd5ce76

SHA256
83b567bb2634c46867bb2740d7f1e554ca062a1f79a46ad024dd96789d3043b3

SHA512
b8dae108e19be5ead5a03ff246fb098a0dd93398476d4bac2d6c874b63d52c694471e91963026ef911887f0ebd7a9680c386ab648399d760c587a4c325796ce7

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b8821804-5faa-4bdf-ba52-d694a32e5f7d}_OnDiskSnapshotProp

Filesize
6KB

MD5
26d35da6456520a1cb4eaad8b0145b15

SHA1
ec452e7dcc509c3e0715a6068ab0c79be1edcecc

SHA256
6d1c4f659a0b906636d1ff8f923d71f1be0b2ea55b4baef3624fe3c9d36b53bb

SHA512
792e02273d44051e0e7c8315d03c1a2c94771753134bdd170a5ac391c6c50c73d50069e241bd5aab764b1319cbbcb35377951e2f8ef87d27d79f4a820e8c8750

Download Submit
memory/548-840-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/548-893-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-841-0x0000000010000000-0x0000000011C53000-memory.dmp

Filesize
28.3MB

Download
memory/548-839-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/548-837-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/548-836-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/548-835-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/548-872-0x0000000002B80000-0x0000000003495000-memory.dmp

Filesize
9.1MB

Download
memory/548-881-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-890-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-899-0x0000000003740000-0x0000000003898000-memory.dmp

Filesize
1.3MB

Download
memory/548-898-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-897-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-896-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-894-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-838-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/548-892-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-891-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-889-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-888-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-887-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-886-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-885-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-884-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-883-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-882-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-880-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-895-0x0000000004840000-0x0000000004A62000-memory.dmp

Filesize
2.1MB

Download
memory/548-901-0x0000000006300000-0x0000000006327000-memory.dmp

Filesize
156KB

Download
memory/548-834-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/548-833-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/548-904-0x0000000003740000-0x0000000003898000-memory.dmp

Filesize
1.3MB

Download