Analysis

  • max time kernel
    118s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 04:56

General

  • Target

    wpsupdate.msi

  • Size

    28.2MB

  • MD5

    ef294458016f546c5eebd07d2dd98bad

  • SHA1

    66bb14f670055272e12899d401b8668cad15fac9

  • SHA256

    c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a

  • SHA512

    97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333

  • SSDEEP

    786432:r3pUIX4j1lP1FYKJGIC6rO9HN47EbHxjprMfy6s0A:zpUIIj1l9FxJGIzcteEt2e0A

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2516
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding A73CA5812756B6C0B64396F1AD59FC9C M Global\MSI0000
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1016
        • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
          "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1668
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1884
        • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
          "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
      • C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
        "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1220
      • C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
        "C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2444
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2884
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "00000000000005A4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76b933.rbs

    Filesize

    7KB

    MD5

    a4a8ce0ddf6ab88bb915a101d04f043e

    SHA1

    531bf0452cf8c833397af429808f7c03e30ec507

    SHA256

    cb25460926ba0b6cbc61b505926ec12e9852b92fada8bd37ef854a18be2dcaf8

    SHA512

    318e4ccb6669ca3a6da25bd199ce909005006ede2f69a581a35b0020421cffb5f130fbcbe0748b2bc9ffe6bb8c3241d8a01793fbcd1f36bd864b4b8acf4adfe8

  • C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe

    Filesize

    2.1MB

    MD5

    fb22fb79f366c65257b7adb24c70d843

    SHA1

    ca6d29a4806d52350e1a50c7b71526dfaab2d525

    SHA256

    44f2ea5b5dd47fc256a341dee1d2dacfc24adba395a49fd8c4ad3613bfe2d43d

    SHA512

    c4dfb9273bd937f5480646e12d77073a476719f1f15ee5885e0999f0bbc68f80b1909489f7bd78a3bfb4687a55442f655f4538fda20afe4a7b87623e9bdfe7d9

  • C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe

    Filesize

    577KB

    MD5

    c31c4b04558396c6fabab64dcf366534

    SHA1

    fa836d92edc577d6a17ded47641ba1938589b09a

    SHA256

    9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

    SHA512

    814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

  • C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL

    Filesize

    1.5MB

    MD5

    d045828473a8165effd59a97232e6107

    SHA1

    f86bd9763d6c70ec3ca79134598de4fa44c6bc94

    SHA256

    9aaae0f7b3bdab287ad703c7eb4baa1a0746b6d353e57ae74d985b10a2102016

    SHA512

    07e77aa6a433d4541d80276d37e682012509b480a6861f9fbe3cd89929b352d6754cc649526f95c4bd76cf4e1c8bceb275a0217c38193ab88891166934d79659

  • C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw

    Filesize

    1.5MB

    MD5

    831ff4029b30419da4ac4d32bf8ff05c

    SHA1

    8c121d0cd017ce5f7ca8cbf6abd8909b2fe445bc

    SHA256

    ab281716242897be222c1d4cc979fd5de9e7d1cde56e70ac1010e6b3dc76826d

    SHA512

    17f2efdb891dcf9ceacb8b24801ec59866f969baa55d1c92c15a7150c13f18cc3f481984b5971456e1ad0f204db016698bfe012c086ffa2028582c1d9302a8c5

  • C:\Program Files\TransformOptimisticContributor\wpsupdate.exe

    Filesize

    6.0MB

    MD5

    57dadd6a929f64c2b1efe2d52c1c4985

    SHA1

    962cb227f81f885f23826c3e040aa9dbc97659cf

    SHA256

    996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5

    SHA512

    3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_11_19.log

    Filesize

    2KB

    MD5

    c313ef3605773ce19c1d74c4cf92990e

    SHA1

    75f90116d63472a7173fb2f1e2413d98b2aa09b1

    SHA256

    d1f1280e89caa8ead1024f56614aad8e4a3dd0f5d697a57a2f660170abac1da7

    SHA512

    13239ff124d6e39d5195f208197fac1bf929e7abce4b9a401e3f4dab5e3e09250fc8560eb5f835e76354b194d7e5d7e4b24bed424bda0b126cd2b0f36f0d7bfd

  • C:\Windows\Installer\f76b931.msi

    Filesize

    28.2MB

    MD5

    ef294458016f546c5eebd07d2dd98bad

    SHA1

    66bb14f670055272e12899d401b8668cad15fac9

    SHA256

    c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a

    SHA512

    97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333

  • memory/560-12-0x0000000000300000-0x0000000000310000-memory.dmp

    Filesize

    64KB

  • memory/1220-61-0x00000000003C0000-0x00000000003EF000-memory.dmp

    Filesize

    188KB

  • memory/2792-18-0x00000000002F0000-0x00000000002F8000-memory.dmp

    Filesize

    32KB

  • memory/2792-17-0x000000001B650000-0x000000001B932000-memory.dmp

    Filesize

    2.9MB