Analysis

max time kernel: 139s
max time network: 121s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 08:40
Static task: static1

Behavioral task: behavioral1
Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Resource: win10v2004-20241007-en
General

Target: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Size: 27.1MB
MD5: 756b1b81669fb5b5d745c83ced428cb1
SHA1: c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512: d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da
SSDEEP: 786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- PID 580: powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoCs)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Drops file in Program Files directory (17 IoCs)
- File created: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs (hHILqDIvDmMm.exe)
- File created: C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe (msiexec.exe)
- File created: C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL (msiexec.exe)
- File created: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe (MsiExec.exe)
- File created: C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File created: C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File created: C:\Program Files\CPUAimLinux\WhatsApp1.exe (msiexec.exe)
- File created: C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File created: C:\Program Files\CPUAimLinux\hHILqDIvDmMm (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File created: C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe (MsiExec.exe)
- File created: C:\Program Files\CPUAimLinux\VC_redist.x64.exe (msiexec.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- File opened for modification: C:\Program Files\CPUAimLinux\hHILqDIvDmMm (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\Installer\MSID6CF.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f76d58a.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f76d588.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f76d587.msi (msiexec.exe)
- File created: C:\Windows\Installer\f76d588.ipi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File created: C:\Windows\Installer\f76d587.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
Executes dropped EXE (4 IoCs)
- PID 796: fXlHSNCgjpwhjcbESorcUuElETFupI.exe
- PID 2128: fXlHSNCgjpwhjcbESorcUuElETFupI.exe
- PID 2636: hHILqDIvDmMm.exe
- PID 1512: WhatsApp1.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
- PID 2440: msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (hHILqDIvDmMm.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (fXlHSNCgjpwhjcbESorcUuElETFupI.exe)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2336: cmd.exe
- PID 808: PING.EXE
Kills process with taskkill (1 IoCs)
- PID 1800: taskkill.exe
Modifies data under HKEY_USERS (48 IoCs)
Modifies registry class (22 IoCs)
Runs ping.exe (1 TTPs, 1 IoCs)
- PID 808: PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
- PID 796: fXlHSNCgjpwhjcbESorcUuElETFupI.exe
- PID 2128: fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 2440: msiexec.exe
Suspicious use of WriteProcessMemory (35 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
  PID: 2440
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1964
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe
      Command line: C:\Windows\system32\MsiExec.exe -Embedding 56B252D9CF853C7DDBDBC70503BA860F M Global\MSI0000
      PID: 1452
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
          PID: 580
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
          PID: 2336
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory

            C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
              Command line: "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
              PID: 796
              - Drops file in Program Files directory
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: CmdExeWriteProcessMemorySpam
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\PING.EXE
              Command line: ping 127.0.0.1 -n 2
              PID: 808
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe

            C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
              Command line: "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
              PID: 2128
              - Drops file in Program Files directory
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: CmdExeWriteProcessMemorySpam
              - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
          Command line: "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
          PID: 2636
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\CPUAimLinux\WhatsApp1.exe
          Command line: "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
          PID: 1512
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\WerFault.exe
              Command line: C:\Windows\system32\WerFault.exe -u -p 1512 -s 632
              PID: 1356

        C:\Windows\System32\taskkill.exe
          Command line: "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
          PID: 1800
          - Kills process with taskkill

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 880
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005A4"
  PID: 2732
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2092
Network
MITRE ATT&CK Enterprise v15
Downloads