gh0strat | 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Size

27.1MB
MD5

756b1b81669fb5b5d745c83ced428cb1
SHA1

c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256

4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512

d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da
SSDEEP

786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/1124-131-0x000000002C4D0000-0x000000002C68C000-memory.dmp	purplefox_rootkit
behavioral2/memory/1124-134-0x000000002C4D0000-0x000000002C68C000-memory.dmp	purplefox_rootkit
behavioral2/memory/1124-135-0x000000002C4D0000-0x000000002C68C000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1124-131-0x000000002C4D0000-0x000000002C68C000-memory.dmp	family_gh0strat
behavioral2/memory/1124-134-0x000000002C4D0000-0x000000002C68C000-memory.dmp	family_gh0strat
behavioral2/memory/1124-135-0x000000002C4D0000-0x000000002C68C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4076 powershell.exe

pid	process
4076	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exehHILqDIvDmMm.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	hHILqDIvDmMm.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	hHILqDIvDmMm.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	hHILqDIvDmMm.exe
File opened (read-only)	\??\P:	hHILqDIvDmMm.exe
File opened (read-only)	\??\T:	hHILqDIvDmMm.exe
File opened (read-only)	\??\V:	hHILqDIvDmMm.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	hHILqDIvDmMm.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	hHILqDIvDmMm.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	hHILqDIvDmMm.exe
File opened (read-only)	\??\W:	hHILqDIvDmMm.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	hHILqDIvDmMm.exe
File opened (read-only)	\??\R:	hHILqDIvDmMm.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	hHILqDIvDmMm.exe
File opened (read-only)	\??\Q:	hHILqDIvDmMm.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	hHILqDIvDmMm.exe
File opened (read-only)	\??\J:	hHILqDIvDmMm.exe
File opened (read-only)	\??\Y:	hHILqDIvDmMm.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	hHILqDIvDmMm.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	hHILqDIvDmMm.exe
File opened (read-only)	\??\Z:	hHILqDIvDmMm.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

DRrFaPIBzOdg.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log	DRrFaPIBzOdg.exe

Drops file in Program Files directory 21 IoCs

Processes:

MsiExec.exehHILqDIvDmMm.exeDRrFaPIBzOdg.exeDRrFaPIBzOdg.exemsiexec.exefXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exeDRrFaPIBzOdg.exe

description	ioc	process
File opened for modification	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe	MsiExec.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs	hHILqDIvDmMm.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log	DRrFaPIBzOdg.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log	DRrFaPIBzOdg.exe
File created	C:\Program Files\CPUAimLinux\WhatsApp1.exe	msiexec.exe
File created	C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe	MsiExec.exe
File created	C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\hHILqDIvDmMm	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log	DRrFaPIBzOdg.exe
File created	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File created	C:\Program Files\CPUAimLinux\hHILqDIvDmMm	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
File opened for modification	C:\Program Files\CPUAimLinux	hHILqDIvDmMm.exe
File created	C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe	msiexec.exe
File created	C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL	msiexec.exe
File created	C:\Program Files\CPUAimLinux\VC_redist.x64.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF145.tmp	msiexec.exe
File created	C:\Windows\Installer\e57efb1.msi	msiexec.exe
File created	C:\Windows\Installer\e57efaf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57efaf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{821A1E18-1506-4584-BA6F-A45611D78F4A}	msiexec.exe

Executes dropped EXE 9 IoCs

Processes:

fXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exehHILqDIvDmMm.exeWhatsApp1.exeDRrFaPIBzOdg.exeDRrFaPIBzOdg.exeDRrFaPIBzOdg.exehHILqDIvDmMm.exehHILqDIvDmMm.exe

pid	process
320	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
1384	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
3396	hHILqDIvDmMm.exe
1872	WhatsApp1.exe
4508	DRrFaPIBzOdg.exe
2308	DRrFaPIBzOdg.exe
3432	DRrFaPIBzOdg.exe
4048	hHILqDIvDmMm.exe
1124	hHILqDIvDmMm.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

5092 msiexec.exe

pid	process
5092	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

hHILqDIvDmMm.exehHILqDIvDmMm.exehHILqDIvDmMm.exefXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hHILqDIvDmMm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hHILqDIvDmMm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hHILqDIvDmMm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fXlHSNCgjpwhjcbESorcUuElETFupI.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXE

pid process

3132 cmd.exe
4304 PING.EXE

pid	process
3132	cmd.exe
4304	PING.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000041ba55ff39bb976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000041ba55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090041ba55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d41ba55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000041ba55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

hHILqDIvDmMm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	hHILqDIvDmMm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	hHILqDIvDmMm.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4772 taskkill.exe

pid	process
4772	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeWhatsApp1.exemsiexec.exeOpenWith.exeWScript.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	WhatsApp1.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Top = "0"	WhatsApp1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000022e7064d603adb01	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	WhatsApp1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WhatsApp1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000e455c74c603adb01	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Left = "0"	WhatsApp1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	WhatsApp1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WhatsApp1.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4304 PING.EXE

pid	process
4304	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exehHILqDIvDmMm.exe

pid	process
2068	msiexec.exe
2068	msiexec.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe
3396	hHILqDIvDmMm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exepowershell.exefXlHSNCgjpwhjcbESorcUuElETFupI.exefXlHSNCgjpwhjcbESorcUuElETFupI.exe

description	pid	process
Token: SeShutdownPrivilege	5092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5092	msiexec.exe
Token: SeSecurityPrivilege	2068	msiexec.exe
Token: SeCreateTokenPrivilege	5092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5092	msiexec.exe
Token: SeLockMemoryPrivilege	5092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5092	msiexec.exe
Token: SeMachineAccountPrivilege	5092	msiexec.exe
Token: SeTcbPrivilege	5092	msiexec.exe
Token: SeSecurityPrivilege	5092	msiexec.exe
Token: SeTakeOwnershipPrivilege	5092	msiexec.exe
Token: SeLoadDriverPrivilege	5092	msiexec.exe
Token: SeSystemProfilePrivilege	5092	msiexec.exe
Token: SeSystemtimePrivilege	5092	msiexec.exe
Token: SeProfSingleProcessPrivilege	5092	msiexec.exe
Token: SeIncBasePriorityPrivilege	5092	msiexec.exe
Token: SeCreatePagefilePrivilege	5092	msiexec.exe
Token: SeCreatePermanentPrivilege	5092	msiexec.exe
Token: SeBackupPrivilege	5092	msiexec.exe
Token: SeRestorePrivilege	5092	msiexec.exe
Token: SeShutdownPrivilege	5092	msiexec.exe
Token: SeDebugPrivilege	5092	msiexec.exe
Token: SeAuditPrivilege	5092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5092	msiexec.exe
Token: SeChangeNotifyPrivilege	5092	msiexec.exe
Token: SeRemoteShutdownPrivilege	5092	msiexec.exe
Token: SeUndockPrivilege	5092	msiexec.exe
Token: SeSyncAgentPrivilege	5092	msiexec.exe
Token: SeEnableDelegationPrivilege	5092	msiexec.exe
Token: SeManageVolumePrivilege	5092	msiexec.exe
Token: SeImpersonatePrivilege	5092	msiexec.exe
Token: SeCreateGlobalPrivilege	5092	msiexec.exe
Token: SeBackupPrivilege	996	vssvc.exe
Token: SeRestorePrivilege	996	vssvc.exe
Token: SeAuditPrivilege	996	vssvc.exe
Token: SeBackupPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeRestorePrivilege	320	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: 35	320	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	320	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	320	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeRestorePrivilege	1384	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: 35	1384	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	1384	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeSecurityPrivilege	1384	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

5092 msiexec.exe
5092 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4016 OpenWith.exe

pid	process
5092	msiexec.exe
5092	msiexec.exe

pid	process
4016	OpenWith.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

msiexec.exeMsiExec.execmd.exeDRrFaPIBzOdg.exehHILqDIvDmMm.exe

description	pid	process	target process
PID 2068 wrote to memory of 4092	2068	msiexec.exe	srtasks.exe
PID 2068 wrote to memory of 4092	2068	msiexec.exe	srtasks.exe
PID 2068 wrote to memory of 4048	2068	msiexec.exe	MsiExec.exe
PID 2068 wrote to memory of 4048	2068	msiexec.exe	MsiExec.exe
PID 4048 wrote to memory of 4076	4048	MsiExec.exe	powershell.exe
PID 4048 wrote to memory of 4076	4048	MsiExec.exe	powershell.exe
PID 4048 wrote to memory of 3132	4048	MsiExec.exe	cmd.exe
PID 4048 wrote to memory of 3132	4048	MsiExec.exe	cmd.exe
PID 3132 wrote to memory of 320	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 320	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 320	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 4304	3132	cmd.exe	PING.EXE
PID 3132 wrote to memory of 4304	3132	cmd.exe	PING.EXE
PID 3132 wrote to memory of 1384	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 1384	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 1384	3132	cmd.exe	fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 4048 wrote to memory of 3396	4048	MsiExec.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 3396	4048	MsiExec.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 3396	4048	MsiExec.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1872	4048	MsiExec.exe	WhatsApp1.exe
PID 4048 wrote to memory of 1872	4048	MsiExec.exe	WhatsApp1.exe
PID 4048 wrote to memory of 4772	4048	MsiExec.exe	taskkill.exe
PID 4048 wrote to memory of 4772	4048	MsiExec.exe	taskkill.exe
PID 3432 wrote to memory of 4048	3432	DRrFaPIBzOdg.exe	hHILqDIvDmMm.exe
PID 3432 wrote to memory of 4048	3432	DRrFaPIBzOdg.exe	hHILqDIvDmMm.exe
PID 3432 wrote to memory of 4048	3432	DRrFaPIBzOdg.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1124	4048	hHILqDIvDmMm.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1124	4048	hHILqDIvDmMm.exe	hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1124	4048	hHILqDIvDmMm.exe	hHILqDIvDmMm.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4092
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 693C5784581A9F0678120DF6E6FC37D8 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4076
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
      "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4304
  - - C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
      "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1384
- - C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
    "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3396
- - C:\Program Files\CPUAimLinux\WhatsApp1.exe
    "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1872
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:396

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:4508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2308

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
  "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 205 -file file3 -mode mode3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
    "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57efb0.rbs

Filesize
7KB

MD5
da768e6e5556d9542a53e12de7edd749

SHA1
5cff502a09a87e8245c3dc0cd1a7be1604112e04

SHA256
ce47557288afb55414732efec227e44d40779dc4191fa688476b79621558a081

SHA512
adeaf927e0bc3d9c08d0a647919354c37304aeb19b3be28e03492d29683a876d09a06426999db975387c75fb0fc1fc0399a66dc1b53b014625a4b210af38c96a

Download Submit
C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

Filesize
3.1MB

MD5
db6688b70f3255877e15541970145e68

SHA1
5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd

SHA256
208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb

SHA512
72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

Filesize
280B

MD5
a81bce9e37fa5aa1699222b7da16abfa

SHA1
c726a4ad730ff7ab37b1be49c14e4b68aa5be824

SHA256
68b18d45c1738f4e72f71831bc4b3a45dd75118f9ab0546a92b7581818082cb8

SHA512
c86634715459773ebc2fcd32c0c8706c5456308068cae0c35179225c5568d5204165d4c501dcdaf12b17bba8dcf779e6c5490d5675f3d156669b017de5e8fb3c

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

Filesize
443B

MD5
b5d0eb7c7c241cfb4b6889553aaf0e19

SHA1
e065786a790796f1753d5e052478dbdcb9dde297

SHA256
665de438c6b703a4118ac0d6028bdff5ea4b77bdf91b65106dcc3c61ad6d05b2

SHA512
6c8991a3c10a1e1431cf24fe1b12be8d1f6b4785c520be595a3a0e95e56b90f3b0a9ffb1a4aa4570bbde709d4730b806467637a29f09b412380b9b80dd3d46eb

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

Filesize
616B

MD5
0cb339cc040d8a3c890b7de5bae33d24

SHA1
db769b5b0f2aca8a885460546c7cd09b0b2bc150

SHA256
ba987d063a5b402a0b995b6956cf1f5bd63179c051ffc0441a13f4a45eecfdff

SHA512
6712fe78e66185f7c0cd8f81ebee8df5d711a37b0fa5372d459499109149cd9f21ef294eb1cb6ca77ef5ee69138e4141744b317d2d8dac6ca6b454bc6dd00368

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

Filesize
740B

MD5
9cb8da5942bca5c565761a56b960abfa

SHA1
3ed823c2b11bcec9a4bd8947768356c35e328290

SHA256
577c0f47c3a5ee1cd063a591623d7391047ab0bb2f4e513734b7b8cf4c4b151b

SHA512
7387869b6b5a1d668788f04549ff74d037167e65be378a211330e7f566ffa0a1ac1cff2975d2618ca1264cef949b5ab5acad0249d9c2d9d0db5facd719c14d25

Download Submit
C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml

Filesize
425B

MD5
822ca0d7e00ebb7b990ddea17a3a634d

SHA1
2a915168df2a2ee8ddfc1f31454c3055d9e1da93

SHA256
d48912dbd6aa6c11fb5e7b4a525018e0981aff798dd9e6fe429c32989101c4bb

SHA512
cfddae00c0b91d5547413e80f801128e838b2888f6cbebed5506f613ff18dfc59b5e34b86bfeb0b3244675e583359395f211392c5532fad5f9c3b39275424d89

Download Submit
C:\Program Files\CPUAimLinux\WhatsApp1.exe

Filesize
1.0MB

MD5
f90ddf18d65bb3153bcdfdc4856ce2a5

SHA1
611376391f17207d60ca8c2ec81354933f8dac45

SHA256
62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

SHA512
f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Download Submit
C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

Filesize
2.4MB

MD5
1b772652a5b64c119b00ec06c00311db

SHA1
afeb3bfba34eccadce4d2141d6d59707c83e9583

SHA256
c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4

SHA512
5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

Download Submit
C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\CPUAimLinux\hHILqDIvDmMm

Filesize
465KB

MD5
adb7908cc0c5a2b6800dcc1474006154

SHA1
96f081444d4329dbd49eec5003096c2286f8c74e

SHA256
9e0c0405ea29b1f3a72a65244c11bb00cacd8ca3a0c212df4f81ac30090a41d0

SHA512
69f97d773949a036cca02dfa40db365353975b70dabe2b38e74034882b2857c5002c43e3dc0427d9b13cce50d5451a9452c0682df19905c3efbf7077877b47f0

Download Submit
C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs

Filesize
2KB

MD5
6c1dc3d5a28bb7d9cd6b3727ea453446

SHA1
1fef050968fb54a54ec19c3b620d2f19706baac8

SHA256
6acdc010db5a967bd19b86ad766d547a72de8ad12f773d10d4e09df1d1c3219a

SHA512
08a16406777e228a54ad71f962f8c50073d3b2d5c3e5822a27f5df0ee9bbf5fe13a08d3b38f2378f0efac12aa6da767d91e2e1f0a324f8888d9fe09edb1709ad

Download Submit
C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

Filesize
2.4MB

MD5
048cee96f68a4c516b3aa1a8a4781e46

SHA1
5582bb564630c5ead8704d06bcdb427dd9840de5

SHA256
835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293

SHA512
2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1EDD.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufldgwtd.umm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57efaf.msi

Filesize
27.1MB

MD5
756b1b81669fb5b5d745c83ced428cb1

SHA1
c573e1f1d32780c808db53e5fd5e571d617816e6

SHA256
4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

SHA512
d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
7b38db16c4c94f4588c6a692ae227f23

SHA1
834cc48a4d78f376d474fa90136e5057ec5d0400

SHA256
df37c980452aa1585821b4585ee5ecfcf365aa8fedb8ad2de3cb13e0ec0a295d

SHA512
2aef51f0326c180c92e828c21a68bb51929aa178d75f1a81071bbe5bf4f23ef6ba99340b184645e1a2a9d66b2b8c4b41bdf5dbd07968b0f141cd9ed65c73ba13

Download Submit
\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c4a6287-a8a3-438f-bd7e-7948d575a568}_OnDiskSnapshotProp

Filesize
6KB

MD5
34672dedc5947e9fb4954eb8aa273004

SHA1
a5052447dd554b44cf39a947dd42343d40429702

SHA256
1d4b02c64d30f8620dbdcfb7203794ea9a4d0f7b0f6db34755c4e2a2d6602923

SHA512
0a0f0744879d1d59ee364ba12cf2c78f9a2745bbf388f9c6c264846ef55ca6ad803a4cf5c45197d1139668d9db18d4be2084ad7321c97c6f319f09051a263fc3

Download Submit
memory/1124-135-0x000000002C4D0000-0x000000002C68C000-memory.dmp

Filesize
1.7MB

Download
memory/1124-134-0x000000002C4D0000-0x000000002C68C000-memory.dmp

Filesize
1.7MB

Download
memory/1124-131-0x000000002C4D0000-0x000000002C68C000-memory.dmp

Filesize
1.7MB

Download
memory/1124-128-0x000000002A7D0000-0x000000002A81D000-memory.dmp

Filesize
308KB

Download
memory/1872-103-0x000001EDC3650000-0x000001EDC3676000-memory.dmp

Filesize
152KB

Download
memory/1872-100-0x000001EDC2DE0000-0x000001EDC2E18000-memory.dmp

Filesize
224KB

Download
memory/1872-101-0x000001EDC2DA0000-0x000001EDC2DAE000-memory.dmp

Filesize
56KB

Download
memory/1872-68-0x000001EDBFF80000-0x000001EDBFF8A000-memory.dmp

Filesize
40KB

Download
memory/1872-96-0x000001EDC0C30000-0x000001EDC0C38000-memory.dmp

Filesize
32KB

Download
memory/1872-52-0x000001EDA5830000-0x000001EDA5932000-memory.dmp

Filesize
1.0MB

Download
memory/1872-92-0x000001EDC0170000-0x000001EDC01AC000-memory.dmp

Filesize
240KB

Download
memory/1872-91-0x000001EDC00E0000-0x000001EDC00F2000-memory.dmp

Filesize
72KB

Download
memory/1872-76-0x000001EDC0870000-0x000001EDC092A000-memory.dmp

Filesize
744KB

Download
memory/3396-66-0x0000000000CD0000-0x0000000000CFF000-memory.dmp

Filesize
188KB

Download
memory/4076-18-0x000002962A390000-0x000002962A3B2000-memory.dmp

Filesize
136KB

Download
memory/4508-75-0x00000000007B0000-0x0000000000886000-memory.dmp

Filesize
856KB

Download