Analysis
Max time kernel: 118s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20241010-en
Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
Submitted: 19-11-2024 04:50
Static task: static1
Behavioral task: behavioral1 (Sample: wpsupdate.msi; Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: wpsupdate.msi; Resource: win10v2004-20241007-en)
General
Target: wpsupdate.msi
Size: 28.2MB
MD5: ef294458016f546c5eebd07d2dd98bad
SHA1: 66bb14f670055272e12899d401b8668cad15fac9
SHA256: c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
SHA512: 97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333
SSDEEP: 786432:r3pUIX4j1lP1FYKJGIC6rO9HN47EbHxjprMfy6s0A:zpUIIj1l9FxJGIzcteEt2e0A
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  PID 2936  powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  [msiexec.exe] File opened (read-only): \??\U:, \??\Q:, \??\T:, \??\B:, \??\E:, \??\I:, \??\S:, \??\Y:, \??\O:, \??\V:, \??\Z:, \??\H:, \??\R:, \??\W:, \??\Y:, \??\Z:, \??\M:, \??\J:, \??\G:, \??\Q:, \??\V:, \??\X:, \??\G:, \??\K:, \??\L:, \??\B:, \??\P:, \??\U:, \??\O:, \??\L:, \??\N:, \??\J:, \??\N:, \??\R:, \??\X:, \??\A:, \??\T:, \??\S:, \??\I:, \??\K:, \??\M:, \??\P:, \??\A:, \??\H:, \??\W:, \??\E:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  [wpsupdate.exe] File opened for modification \??\PhysicalDrive0
Drops file in System32 directory (1 IoCs)
  [powershell.exe] File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Drops file in Program Files directory (19 IoCs)
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml
  [MsiExec.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
  [msiexec.exe] File created C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
  [msiexec.exe] File created C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr
  [msiexec.exe] File created C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
  [msiexec.exe] File created C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File created C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr
  [MsiExec.exe] File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
  [WSEcydALszNI.exe] File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe
Drops file in Windows directory (10 IoCs)
  [DrvInst.exe] File opened for modification C:\Windows\INF\setupapi.ev3
  [DrvInst.exe] File opened for modification C:\Windows\INF\setupapi.ev1
  [DrvInst.exe] File opened for modification C:\Windows\INF\setupapi.dev.log
  [msiexec.exe] File created C:\Windows\Installer\f779176.msi
  [msiexec.exe] File created C:\Windows\Installer\f779177.ipi
  [msiexec.exe] File opened for modification C:\Windows\Installer\MSI9398.tmp
  [msiexec.exe] File opened for modification C:\Windows\Installer\f779176.msi
  [msiexec.exe] File opened for modification C:\Windows\Installer\
  [msiexec.exe] File created C:\Windows\Installer\f779179.msi
  [msiexec.exe] File opened for modification C:\Windows\Installer\f779177.ipi
Executes dropped EXE (4 IoCs)
  PID 844   QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
  PID 2144  QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
  PID 1608  WSEcydALszNI.exe
  PID 612   wpsupdate.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  PID 2772  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  [WSEcydALszNI.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  [wpsupdate.exe] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PID 1088  cmd.exe
  PID 672   PING.EXE
Modifies data under HKEY_USERS (64 IoCs)
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
  [msiexec.exe] Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software
  [wpsupdate.exe] Set value (data) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00440045002d00380043002d00460041002d00300044002d00370037002d00390031000000
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
  [powershell.exe] Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0ed38ba3e3adb01
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  [msiexec.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
  [msiexec.exe] Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
  [wpsupdate.exe] Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
  [powershell.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  [wpsupdate.exe] Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "19"
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft
  [wpsupdate.exe] Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "0ca3b9e96ee0caa1964f7df64a0e12d5"
  [DrvInst.exe] Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  [wpsupdate.exe] Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "19"
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  [wpsupdate.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  [DrvInst.exe] Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
  [wpsupdate.exe] Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-11-19"
  [wpsupdate.exe] Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "0ca3b9e96ee0caa1964f7df64a0e12d5"
  [wpsupdate.exe] Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|e4e4a4398a3b0b769cabd9f30bb48026"
Modifies registry class (22 IoCs)
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor"
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779"
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912"
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388"
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0"
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3"
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi"
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033"
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0"
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net
  [msiexec.exe] Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";"
  [msiexec.exe] Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000
  [msiexec.exe] Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1"
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList
  [msiexec.exe] Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media
Runs ping.exe (1 TTPs, 1 IoCs)
  PID 672   PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  PID 844   QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
  PID 2144  QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
  PID 2180  msiexec.exe (2 entries)
  PID 2936  powershell.exe (1 entry)
  PID 612   wpsupdate.exe (2 entries)
  PID 1608  WSEcydALszNI.exe (50 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token privileges enabled, in the order recorded:
  PID 2772  msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  PID 2180  msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege
  PID 2772  msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2896  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 2180  msiexec.exe: SeBackupPrivilege, SeRestorePrivilege
  PID 336   DrvInst.exe: SeRestorePrivilege (7 entries), SeLoadDriverPrivilege (3 entries)
  PID 2180  msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
  PID 2936  powershell.exe: SeDebugPrivilege
  PID 844   QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  PID 2144  QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (8 IoCs)
  PID 2772  msiexec.exe (2 entries)
  PID 612   wpsupdate.exe (6 entries)
Suspicious use of SendNotifyMessage (6 IoCs)
  PID 612   wpsupdate.exe (6 entries)
Suspicious use of WriteProcessMemory (33 IoCs)
  PID 2180  msiexec.exe wrote to memory of PID 2088 (procid_target 34), 5 entries
  PID 2088  MsiExec.exe wrote to memory of PID 2936 (procid_target 36), 3 entries
  PID 2088  MsiExec.exe wrote to memory of PID 1088 (procid_target 38), 3 entries
  PID 1088  cmd.exe wrote to memory of PID 844 (procid_target 40), 4 entries
  PID 1088  cmd.exe wrote to memory of PID 672 (procid_target 41), 3 entries
  PID 1088  cmd.exe wrote to memory of PID 2144 (procid_target 43), 4 entries
  PID 2088  MsiExec.exe wrote to memory of PID 1608 (procid_target 45), 4 entries
  PID 2088  MsiExec.exe wrote to memory of PID 612 (procid_target 47), 7 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(Process tree; indentation shows parent/child relationship.)

C:\Windows\system32\msiexec.exe  (PID 2772)
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 2180)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe  (PID 2088)
        Command line: C:\Windows\system32\MsiExec.exe -Embedding A5A41B0E270329F1C0B286E9D77DBADF M Global\MSI0000
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2936)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe  (PID 1088)
            Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe  (PID 844)
                Command line: "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\PING.EXE  (PID 672)
                Command line: ping 127.0.0.1 -n 2
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

            C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe  (PID 2144)
                Command line: "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe  (PID 1608)
            Command line: "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\TransformOptimisticContributor\wpsupdate.exe  (PID 612)
            Command line: "C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"
            - Writes to the Master Boot Record (MBR)
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

C:\Windows\system32\vssvc.exe  (PID 2896)
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe  (PID 336)
    Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000588" "00000000000005B0"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Event Triggered Execution (1): Installer Packages (1)
  Pre-OS Boot (1): Bootkit (1)
Defense Evasion
  Pre-OS Boot (1): Bootkit (1)
  System Binary Proxy Execution (1): Msiexec (1)
Downloads