2731712ef1906af20a5eccead8381774dd7b244a00eda7d6251963ae787fd2b3

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RefreshRateService.msi
Size

966KB
MD5

c660910814201ced2a7c0560c008f8f4
SHA1

805b6a7d740b6e9bf12ffa750a33ab7e7bc54778
SHA256

c105e87b1f5d04a4e3818a3747a93a4f4936cd1688b49670a24b4b3e719f46fc
SHA512

bcab8b20a25de65f758574433d5ece69a5a02fdd3df6cb3ddef814f96c7cd132039ae73966d484189796389b939d5a6dcd28fcc754621a3c759328a21c54dda0
SSDEEP

24576:2maHyYiPkLMcMfdTB7yuk3f5BfAJ6svgREp2:2maSYicLXMftBGRE6s+E4

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
3	2520	msiexec.exe
5	2520	msiexec.exe
7	2520	msiexec.exe
9	2676	msiexec.exe
11	2676	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ASUS\RefreshRateService\ODControl.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Registry.DLL	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\GetMonitorInfo.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\System.Net.Http.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\NotifyArmouryCrate.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Extensions.DLL	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\System.Runtime.WindowsRuntime.dll	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\TurnOD_OnOff.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe	msiexec.exe
File created	C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.InstallState	MsiExec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f770426.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI81F.tmp	msiexec.exe
File created	C:\Windows\Installer\f770427.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f770429.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770427.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f770426.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI762.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC27.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 1 IoCs

pid	Process
872	RefreshRateService.exe

Loads dropped DLL 11 IoCs

pid	Process
2932	MsiExec.exe
2932	MsiExec.exe
1392	MsiExec.exe
1392	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
696	MsiExec.exe
872	RefreshRateService.exe
872	RefreshRateService.exe
872	RefreshRateService.exe
872	RefreshRateService.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2520	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RefreshRateService.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|GetMonitorInfo.exe\GetMonitorInfo,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0027004d00540030002b0063004d00630038006f0055007b0058005d002a002e00660072004700390000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Net.Http.dll\System.Net.Http,Version="4.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKeyToken="B03F5F7F11D50A3A" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0074005a00580024006f005700740067003f0057004d00400040006a004f0068006700330045006a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Runtime.WindowsRuntime.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Registry.DLL	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\PackageCode = "5A1D613C8D491A249AECEFB0A41A127C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|NotifyArmouryCrate.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Extensions.DLL	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Extensions.DLL\Extensions,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e007800550076006600670040005a006b0037006b0035006c007600240052005e00790073002600300000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Runtime.WindowsRuntime.dll\System.Runtime.WindowsRuntime,Version="4.0.0.0",Culture="neutral",ProcessorArchitecture="MSIL",PublicKe = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0055007d005e0044005000670033007e005b005d00460027007900330059002800680055007d005e0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|System.Net.Http.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|RefreshRateService.exe\RefreshRateService,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e00520077007500600062007a004d0054005a006d002500270066004f0028005e006d0024006900560000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\265A18BA129B58C4BBDD7D829D8AE296\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|NotifyArmouryCrate.exe\NotifyArmouryCrate,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e003d0077002e00420021004a00330042003800590077002d00760042006d006d006b00720028004f0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BC48E5E7091B85644ACD6176973C921D\DefaultFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|GetMonitorInfo.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|RefreshRateService.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|ASUSTeK COMPUTER INC\|RefreshRateService\|Registry.DLL\Registry,Version="2.1.0.0",Culture="neutral",ProcessorArchitecture="MSIL" = 550065003d005d0050005f0078006b005b003d007e00400040002e00490061007d002b0037006c003e0037006b00740065006d0047002700740046002c0030006a0041006e0079003000700076006200640000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\SourceList\PackageName = "RefreshRateService.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\265A18BA129B58C4BBDD7D829D8AE296	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\ProductName = "RefreshRateService"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\Version = "33619968"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BC48E5E7091B85644ACD6176973C921D\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	msiexec.exe
2676	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2676	msiexec.exe
Token: SeTakeOwnershipPrivilege	2676	msiexec.exe
Token: SeSecurityPrivilege	2676	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2520	msiexec.exe
Token: SeLockMemoryPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeMachineAccountPrivilege	2520	msiexec.exe
Token: SeTcbPrivilege	2520	msiexec.exe
Token: SeSecurityPrivilege	2520	msiexec.exe
Token: SeTakeOwnershipPrivilege	2520	msiexec.exe
Token: SeLoadDriverPrivilege	2520	msiexec.exe
Token: SeSystemProfilePrivilege	2520	msiexec.exe
Token: SeSystemtimePrivilege	2520	msiexec.exe
Token: SeProfSingleProcessPrivilege	2520	msiexec.exe
Token: SeIncBasePriorityPrivilege	2520	msiexec.exe
Token: SeCreatePagefilePrivilege	2520	msiexec.exe
Token: SeCreatePermanentPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2520	msiexec.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeDebugPrivilege	2520	msiexec.exe
Token: SeAuditPrivilege	2520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2520	msiexec.exe
Token: SeChangeNotifyPrivilege	2520	msiexec.exe
Token: SeRemoteShutdownPrivilege	2520	msiexec.exe
Token: SeUndockPrivilege	2520	msiexec.exe
Token: SeSyncAgentPrivilege	2520	msiexec.exe
Token: SeEnableDelegationPrivilege	2520	msiexec.exe
Token: SeManageVolumePrivilege	2520	msiexec.exe
Token: SeImpersonatePrivilege	2520	msiexec.exe
Token: SeCreateGlobalPrivilege	2520	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2520	msiexec.exe
Token: SeLockMemoryPrivilege	2520	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2520	msiexec.exe
Token: SeMachineAccountPrivilege	2520	msiexec.exe
Token: SeTcbPrivilege	2520	msiexec.exe
Token: SeSecurityPrivilege	2520	msiexec.exe
Token: SeTakeOwnershipPrivilege	2520	msiexec.exe
Token: SeLoadDriverPrivilege	2520	msiexec.exe
Token: SeSystemProfilePrivilege	2520	msiexec.exe
Token: SeSystemtimePrivilege	2520	msiexec.exe
Token: SeProfSingleProcessPrivilege	2520	msiexec.exe
Token: SeIncBasePriorityPrivilege	2520	msiexec.exe
Token: SeCreatePagefilePrivilege	2520	msiexec.exe
Token: SeCreatePermanentPrivilege	2520	msiexec.exe
Token: SeBackupPrivilege	2520	msiexec.exe
Token: SeRestorePrivilege	2520	msiexec.exe
Token: SeShutdownPrivilege	2520	msiexec.exe
Token: SeDebugPrivilege	2520	msiexec.exe
Token: SeAuditPrivilege	2520	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2520	msiexec.exe
Token: SeChangeNotifyPrivilege	2520	msiexec.exe
Token: SeRemoteShutdownPrivilege	2520	msiexec.exe
Token: SeUndockPrivilege	2520	msiexec.exe
Token: SeSyncAgentPrivilege	2520	msiexec.exe
Token: SeEnableDelegationPrivilege	2520	msiexec.exe
Token: SeManageVolumePrivilege	2520	msiexec.exe
Token: SeImpersonatePrivilege	2520	msiexec.exe
Token: SeCreateGlobalPrivilege	2520	msiexec.exe
Token: SeCreateTokenPrivilege	2520	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2520	msiexec.exe
2520	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 2932	2676	msiexec.exe	31
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 1392	2676	msiexec.exe	36
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37
PID 2676 wrote to memory of 696	2676	msiexec.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RefreshRateService.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2520

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB0357D49F96C2896E27861842A081B6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15D0715C0D17A5178E524DDF184F81A1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EA85F3B27D9963202356FC430ED6D9D9 M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2036

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002F8" "00000000000003C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2756

C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe
"C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770428.rbs

Filesize
11KB

MD5
0b7ba37d21a8447cfaf36689e7cd9f42

SHA1
b3d748e8ed3dbbf2c88402d9fa16b0a0b0c40f0f

SHA256
243068a7b78b6a91964e8ba5117e42deb927b2988bfc8ee0e979be8bef472b78

SHA512
19c6fea5ecdf3bff7758fb9129e89e466d6f3f3e208d472ebfb95fdaa52a06078205ae0ec47541ac66e0f85b8ed767b5fb0d96a3faaa60da08daf5e9d11dbcc2

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Extensions.dll

Filesize
22KB

MD5
fe7479e7d2bebe9da4f89510edd2cb1f

SHA1
60e9f18072ccdd7b2cfcb745a8380dc5d45b109b

SHA256
13436192ae10716c0a02d8febff7af8353d675b70cc6d6afa4647427915af56a

SHA512
ea2b3c6a4ead496f521e0e681bd550083e1c1a643e1198b6c1c02b01b2ffa6ce03bc9ccfc5a5074e3be262ca42afce531515e67e61ffa98eaca4f2c1d2936d89

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\RefreshRateService.exe

Filesize
39KB

MD5
b2a676117fbed1bcb9125a81ba779109

SHA1
83d1ffd8f45996c1df0b140fad5c4b60856c7c89

SHA256
10fb567c6dcc8c0cafc05cddcb1d65983f3e8025fb22aa6743f356da358f6c88

SHA512
27d0d010a1275c82f19f44abbe9cfba450fd065e673d7194dea6e37e52188ab535bf8722d2732d76f7cc83cb79b658918d1e231a4eaf2241ccd506c9eb62bf5e

Download Submit
C:\Program Files (x86)\ASUSTeK COMPUTER INC\RefreshRateService\Registry.dll

Filesize
27KB

MD5
fa2f215855bd88f58ac67d3c87427748

SHA1
d12c386fc083ca64e37f630adfd4ab32c8541bef

SHA256
0a340876978c1097c1a2750954ceb8be8cf01d1caa3dff02f2e54b9f2f727583

SHA512
63ac827a9550f433ba588a1426dcdd187c9dbc4fb971e22855da874cf6b04e9c703df5511a9069297926b2b89c4b23349a944e2bafbfac057d207748b37342dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
bab3ac8622c04930ddbb5ecc48d226a0

SHA1
d1fb0641a6abdc0735009e2795ef36872137217e

SHA256
95f1c554da12fe478e82b22d03174448a184e78fd7e7909463478bd73fa8453f

SHA512
643f32047550520b3f346ee17304481e69afe18af276d3b42ea1f1beef1623658d841d76ccc6187c0beaf3cb969d0ced8817b4f5353fda965fa84b3d61a545a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60B3F7207DEB992031C120EB71F562CD

Filesize
4KB

MD5
94bf0bf032ce32469dd74f4f1f5320e6

SHA1
86bff704a2f82816f346a6a374250f35743de3b0

SHA256
54f08bfd73dd3477610059c4a1d92723e698def0efa7ad4661584a51d9aab79b

SHA512
ac62c42bfe02a35739dfed5df012bb3ef1f7bdbde1f4d9dce9448812bb6d25891dbacc2591e859f644c95151bdb7179f4f8e355b81a2a38ca7afce4980a79901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
1KB

MD5
46bb305834dfa0f137360a14fb05991b

SHA1
b6d88fb79de3edaf08ce46574a8b2668fe83149f

SHA256
4bcecb91ff7c77d4bb2bafc1fd5d51102fd2e7d9df1979ee93623f6b20b20cae

SHA512
bd88722a9a04210c50104acc40c11fce290e8288e06c80e3e9c20a6ef09a8b2393cab54c21b107a9efc4b3271bdce5c7bb7df05ca0824ad8b31a6b81131f6d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF8D319B9741B9E1EBE906AACEA5CBBA_2626E0D3003A456BE647B6CAD9616268

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
bba8e418c72fab0b1e2adf76b16e19c7

SHA1
9da3cec921ebe26d82b1400120203fde64a28858

SHA256
3a3807b108c00c63201da6d70af3d6e623bbc5373005af36a1aece132b9c965b

SHA512
6bdeba7e24a141ef3720d833269221e1ae15bd46c6f8f1ac0cb51319fabc73e774bc321b88671d250e4b4bfa15a54ad9266046c01d27d2448a5c41477838759b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60B3F7207DEB992031C120EB71F562CD

Filesize
222B

MD5
99e07412b925314962bca824ae7d635e

SHA1
0584f3f62491cd76b5f43da26fe3e825fd1547a7

SHA256
1e6bb41f6909ad9f102e2ecb52e72f74c02df9c2d33f8bf03fc7e8e74cfd8e29

SHA512
b9a5ee74a14b9fdbf84e53fd59c90f212732032e7e9a5a5edf0c7dd7eb92100087c291f662309932fefdd9413b56bc18de60bfa778d892e0560469ba94ed187b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_D21903E2722B551F252C717985D24037

Filesize
498B

MD5
092fd4354c3637c18aa9d10b3c6a5328

SHA1
7429c74448e9028404c937adc7c351ef23d9af83

SHA256
3795e5921c15bcc3b54b2929a049034056499b8e1d7860f045073c22badd62a1

SHA512
79beeb80908cb68684516425454572cec043fa5526e4cf8d9a335d2ad9f20b4736ad4475a012acaf4c849dab3377eb9cc7e7fe6765c3f10b7b68bbca1b179f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF8D319B9741B9E1EBE906AACEA5CBBA_2626E0D3003A456BE647B6CAD9616268

Filesize
452B

MD5
f017cee01f922d6366c62fa2dcd9793d

SHA1
2e675f014953e1adfee43f18cc33e4efd282e1f7

SHA256
982271ee21e94671dfc168bc7415a6ab7b57fabe5a57136b911506dbd3558a4c

SHA512
4f1b0a6b3158d0c0f3c1112c1e73a593bbdef0435108c32aa6b10e2d846c31ddca3fe92e202db7f9ab96cf8b0017dd9326f7da9416252f98fffe6fa50149f46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CFG7AE.tmp

Filesize
152B

MD5
df6640211847a5b71f62b8187994ea38

SHA1
07c26fac7b1d538464497e6ca47b6ca8b465b8ba

SHA256
7d5f1726f0d15597fdd0fbcf8c27fd2ce668d80ebc39ca56f569f06957d510fb

SHA512
5530133a0992e2e956e10edccf02672eb410381bcdb7a6f0d46a78a6206141c9e9e63f7462c4ed83ddd9a3bb2b1f59627dca1a0b18ce8c9aea436ea17938f75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab92CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI97C3.tmp

Filesize
298KB

MD5
9945f10135a4c7214fa5605c21e5de9b

SHA1
3826fb627c67efd574a30448ea7f1e560b949c87

SHA256
9f3b0f3af4bfa061736935bab1d50ed2581358ddc9a9c0db22564aced1a1807c

SHA512
f385e078ceeb54fe86f66f2db056baba9556817bbf9a110bcd9e170462351af0dd4462429412410c7c3b2b76ea808d7bce4ea1f756a18819aa1762edb3745cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIC27.tmp

Filesize
114KB

MD5
fe01d395c4b85df8c426fc9620120ba8

SHA1
23348d42947a64efa5209b30e9b8a6264f4a990a

SHA256
4f10c0bd8d22e8215b02f092279abf7bb148cb1497207ec2ebab32662009b2ac

SHA512
d255211adb5fbf5cda875ad138abb064a7deedbed28f4e862df4fea962f84437c92a53dd18ed6d2098d0d9415d4a5ca80e39e9bc91b4382b01714d23f29615ea

Download Submit
C:\Windows\Installer\f770426.msi

Filesize
966KB

MD5
c660910814201ced2a7c0560c008f8f4

SHA1
805b6a7d740b6e9bf12ffa750a33ab7e7bc54778

SHA256
c105e87b1f5d04a4e3818a3747a93a4f4936cd1688b49670a24b4b3e719f46fc

SHA512
bcab8b20a25de65f758574433d5ece69a5a02fdd3df6cb3ddef814f96c7cd132039ae73966d484189796389b939d5a6dcd28fcc754621a3c759328a21c54dda0

Download Submit
memory/696-114-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/872-119-0x00000000012D0000-0x00000000012DE000-memory.dmp

Filesize
56KB

Download
memory/872-123-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/872-127-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download