4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

General

Target

4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Size

27.1MB
MD5

756b1b81669fb5b5d745c83ced428cb1
SHA1

c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256

4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512

d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da
SSDEEP

786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2608 powershell.exe

pid	process
2608	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 17 IoCs

Processes:

msiexec.exefXlHSNCgjpwhjcbESorcUuElETFupI.exeMsiExec.exehHILqDIvDmMm.exefXlHSNCgjpwhjcbESorcUuElETFupI.exe

description	ioc	process
File created	C:\Program Files\CPUAimLinux\WhatsApp1.exe	msiexec.exe
File created	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe	MsiExec.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs	hHILqDIvDmMm.exe
File created	C:\Program Files\CPUAimLinux\VC_redist.x64.exe	msiexec.exe
File created	C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\hHILqDIvDmMm	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe	MsiExec.exe
File created	C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe	msiexec.exe
File created	C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL	msiexec.exe
File opened for modification	C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm	fXlHSNCgjpwhjcbESorcUuElETFupI.exe

Drops file in Windows directory 10 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f770b47.msi	msiexec.exe
File created	C:\Windows\Installer\f770b48.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f770b47.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAE.tmp	msiexec.exe
File created	C:\Windows\Installer\f770b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770b48.ipi	msiexec.exe

Executes dropped EXE 4 IoCs

Processes:

fXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exehHILqDIvDmMm.exeWhatsApp1.exe

pid process

1552 fXlHSNCgjpwhjcbESorcUuElETFupI.exe
304 fXlHSNCgjpwhjcbESorcUuElETFupI.exe
848 hHILqDIvDmMm.exe
1020 WhatsApp1.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

1236 msiexec.exe

pid	process
1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
848	hHILqDIvDmMm.exe
1020	WhatsApp1.exe

pid	process
1236	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exehHILqDIvDmMm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hHILqDIvDmMm.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

1612 cmd.exe
1516 PING.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3024 taskkill.exe

pid	process
1612	cmd.exe
1516	PING.EXE

pid	process
3024	taskkill.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

DrvInst.exepowershell.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3069283f603adb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1516 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

fXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exe

pid process

1552 fXlHSNCgjpwhjcbESorcUuElETFupI.exe
304 fXlHSNCgjpwhjcbESorcUuElETFupI.exe

pid	process
1516	PING.EXE

pid	process
1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

msiexec.exepowershell.exehHILqDIvDmMm.exe

pid	process
332	msiexec.exe
332	msiexec.exe
2608	powershell.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe
848	hHILqDIvDmMm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exepowershell.exefXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exe

description	pid	process
Token: SeShutdownPrivilege	1236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1236	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeSecurityPrivilege	332	msiexec.exe
Token: SeCreateTokenPrivilege	1236	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1236	msiexec.exe
Token: SeLockMemoryPrivilege	1236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1236	msiexec.exe
Token: SeMachineAccountPrivilege	1236	msiexec.exe
Token: SeTcbPrivilege	1236	msiexec.exe
Token: SeSecurityPrivilege	1236	msiexec.exe
Token: SeTakeOwnershipPrivilege	1236	msiexec.exe
Token: SeLoadDriverPrivilege	1236	msiexec.exe
Token: SeSystemProfilePrivilege	1236	msiexec.exe
Token: SeSystemtimePrivilege	1236	msiexec.exe
Token: SeProfSingleProcessPrivilege	1236	msiexec.exe
Token: SeIncBasePriorityPrivilege	1236	msiexec.exe
Token: SeCreatePagefilePrivilege	1236	msiexec.exe
Token: SeCreatePermanentPrivilege	1236	msiexec.exe
Token: SeBackupPrivilege	1236	msiexec.exe
Token: SeRestorePrivilege	1236	msiexec.exe
Token: SeShutdownPrivilege	1236	msiexec.exe
Token: SeDebugPrivilege	1236	msiexec.exe
Token: SeAuditPrivilege	1236	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1236	msiexec.exe
Token: SeChangeNotifyPrivilege	1236	msiexec.exe
Token: SeRemoteShutdownPrivilege	1236	msiexec.exe
Token: SeUndockPrivilege	1236	msiexec.exe
Token: SeSyncAgentPrivilege	1236	msiexec.exe
Token: SeEnableDelegationPrivilege	1236	msiexec.exe
Token: SeManageVolumePrivilege	1236	msiexec.exe
Token: SeImpersonatePrivilege	1236	msiexec.exe
Token: SeCreateGlobalPrivilege	1236	msiexec.exe
Token: SeBackupPrivilege	2336	vssvc.exe
Token: SeRestorePrivilege	2336	vssvc.exe
Token: SeAuditPrivilege	2336	vssvc.exe
Token: SeBackupPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	2712	DrvInst.exe
Token: SeLoadDriverPrivilege	2712	DrvInst.exe
Token: SeLoadDriverPrivilege	2712	DrvInst.exe
Token: SeLoadDriverPrivilege	2712	DrvInst.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeRestorePrivilege	1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: 35	1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	1552	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeRestorePrivilege	304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: 35	304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	304	fXlHSNCgjpwhjcbESorcUuElETFupI.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1236 msiexec.exe

pid	process
1236	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

msiexec.exeMsiExec.execmd.exeWhatsApp1.exe

description	pid	process	target process
PID 332 wrote to memory of 1520	332	msiexec.exe	MsiExec.exe
PID 332 wrote to memory of 1520	332	msiexec.exe	MsiExec.exe
PID 332 wrote to memory of 1520	332	msiexec.exe	MsiExec.exe
PID 332 wrote to memory of 1520	332	msiexec.exe	MsiExec.exe
PID 332 wrote to memory of 1520	332	msiexec.exe	MsiExec.exe
PID 1520 wrote to memory of 2608	1520	MsiExec.exe	powershell.exe
PID 1520 wrote to memory of 2608	1520	MsiExec.exe	powershell.exe
PID 1520 wrote to memory of 2608	1520	MsiExec.exe	powershell.exe
PID 1520 wrote to memory of 1612	1520	MsiExec.exe	cmd.exe
PID 1520 wrote to memory of 1612	1520	MsiExec.exe	cmd.exe
PID 1520 wrote to memory of 1612	1520	MsiExec.exe	cmd.exe
PID 1612 wrote to memory of 1552	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1516	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 1516	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 1516	1612	cmd.exe	PING.EXE
PID 1612 wrote to memory of 304	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304	1612	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1520 wrote to memory of 848	1520	MsiExec.exe	hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848	1520	MsiExec.exe	hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848	1520	MsiExec.exe	hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848	1520	MsiExec.exe	hHILqDIvDmMm.exe
PID 1520 wrote to memory of 1020	1520	MsiExec.exe	WhatsApp1.exe
PID 1520 wrote to memory of 1020	1520	MsiExec.exe	WhatsApp1.exe
PID 1520 wrote to memory of 1020	1520	MsiExec.exe	WhatsApp1.exe
PID 1520 wrote to memory of 3024	1520	MsiExec.exe	taskkill.exe
PID 1520 wrote to memory of 3024	1520	MsiExec.exe	taskkill.exe
PID 1520 wrote to memory of 3024	1520	MsiExec.exe	taskkill.exe
PID 1020 wrote to memory of 3000	1020	WhatsApp1.exe	WerFault.exe
PID 1020 wrote to memory of 3000	1020	WhatsApp1.exe	WerFault.exe
PID 1020 wrote to memory of 3000	1020	WhatsApp1.exe	WerFault.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1236

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 7DC72E46DDD054285256FC31F8F424C0 M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
      "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:1552
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1516
  - - C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
      "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious use of AdjustPrivilegeToken
      PID:304
- - C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
    "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:848
- - C:\Program Files\CPUAimLinux\WhatsApp1.exe
    "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1020 -s 632
      4⤵
      PID:3000
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    PID:3024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Privilege Escalation

Event Triggered Execution

1

T1546

Installer Packages

1

T1546.016

Defense Evasion

System Binary Proxy Execution

1

T1218

Msiexec

1

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770b49.rbs

Filesize
7KB

MD5
4aca8d053a5f2d4f1304bed01cd88609

SHA1
9018177ee075a5a260a7e6f9b1dd91180b3e7bdf

SHA256
8282941d0e99fbb637d91b750d0577f34274f878d803c498ec7b3d5544911520

SHA512
d96455542a7efc68d8b2f46305d561a16a764c4d66e8ecbf187dfbfe24fed97fc30c7c3afef2bc40af42f9519a0f6f830959f0397e481c640a69b722d26fb390

Download Submit
C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

Filesize
3.1MB

MD5
db6688b70f3255877e15541970145e68

SHA1
5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd

SHA256
208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb

SHA512
72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

Download Submit
C:\Program Files\CPUAimLinux\WhatsApp1.exe

Filesize
1.0MB

MD5
f90ddf18d65bb3153bcdfdc4856ce2a5

SHA1
611376391f17207d60ca8c2ec81354933f8dac45

SHA256
62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

SHA512
f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Download Submit
C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

Filesize
2.4MB

MD5
1b772652a5b64c119b00ec06c00311db

SHA1
afeb3bfba34eccadce4d2141d6d59707c83e9583

SHA256
c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4

SHA512
5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

Download Submit
C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

Filesize
2.4MB

MD5
048cee96f68a4c516b3aa1a8a4781e46

SHA1
5582bb564630c5ead8704d06bcdb427dd9840de5

SHA256
835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293

SHA512
2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

Download Submit
memory/848-55-0x000000000A7C0000-0x000000000A7EF000-memory.dmp

Filesize
188KB

Download
memory/1020-54-0x0000000001110000-0x0000000001212000-memory.dmp

Filesize
1.0MB

Download
memory/1520-12-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2608-17-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2608-18-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads