Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 20-11-2024 13:20
- Static task: static1
- Behavioral task: behavioral1 (Sample: luoma2.msi; Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: luoma2.msi; Resource: win10v2004-20241007-en)
General
- Target: luoma2.msi
- Size: 2.0MB
- MD5: 44933b8bcf9994f8d5088dbfd75bd781
- SHA1: 4daeed4b62ec79ce1416ad7f62107db4525aeedc
- SHA256: 2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
- SHA512: e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec
- SSDEEP: 49152:JxB+M1DwJ9AQNvKbJ917NIe87J3ZbBjqrDvytoqjaxP:J7+EUJeQNvKb/75oZU/vyjad
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

| pid | Process |
| --- | --- |
| 1428 | powershell.exe |
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (1 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe |
Drops file in Program Files directory (17 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS | msiexec.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\valibclang2d.dll | msiexec.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe | msiexec.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\igc964.dll | msiexec.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs | BiEzaHFZmGAK.exe |
Drops file in Windows directory (10 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe |
| File created | C:\Windows\Installer\f769c23.msi | msiexec.exe |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe |
| File opened for modification | C:\Windows\Installer\f769c20.msi | msiexec.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File created | C:\Windows\Installer\f769c21.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSIB6E1.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f769c21.ipi | msiexec.exe |
| File created | C:\Windows\Installer\f769c20.msi | msiexec.exe |
Executes dropped EXE (3 IoCs)

| pid | Process |
| --- | --- |
| 2116 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| 2676 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| 2804 | BiEzaHFZmGAK.exe |
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)

| pid | Process |
| --- | --- |
| 2496 | msiexec.exe |
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe |
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.

| pid | Process |
| --- | --- |
| 1248 | cmd.exe |
| 2672 | PING.EXE |
Modifies data under HKEY_USERS (48 IoCs)
Modifies registry class (22 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Assignment = "1" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AuthorizedLUAApp = "0" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B\E1FBA331152420640B81E8A749F97E50 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\PackageName = "luoma2.msi" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\ProductName = "PrepareUpliftingProducer" | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Clients = 3a0000000000 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\PackageCode = "C0AED81ADD9AA43409DE1BF6F7A6C17A" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\InstanceType = "0" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media\1 = ";" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50\ProductFeature | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Version = "151322630" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AdvertiseFlags = "388" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Language = "1033" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\DeploymentFlags = "3" | msiexec.exe |
Runs ping.exe (1 TTPs, 1 IoCs)

| pid | Process |
| --- | --- |
| 2672 | PING.EXE |
Suspicious behavior: CmdExeWriteProcessMemorySpam (2 IoCs)

| pid | Process |
| --- | --- |
| 2116 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
| 2676 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe |
Suspicious behavior: EnumeratesProcesses (53 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
| --- | --- |
| 2496 | msiexec.exe |
| 2496 | msiexec.exe |
Suspicious use of WriteProcessMemory (29 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2380 wrote to memory of 2728 | 2380 | vssvc.exe | 33 |
| PID 2380 wrote to memory of 2728 | 2380 | vssvc.exe | 33 |
| PID 2380 wrote to memory of 2728 | 2380 | vssvc.exe | 33 |
| PID 1988 wrote to memory of 1924 | 1988 | msiexec.exe | 36 |
| PID 1988 wrote to memory of 1924 | 1988 | msiexec.exe | 36 |
| PID 1988 wrote to memory of 1924 | 1988 | msiexec.exe | 36 |
| PID 1988 wrote to memory of 1924 | 1988 | msiexec.exe | 36 |
| PID 1988 wrote to memory of 1924 | 1988 | msiexec.exe | 36 |
| PID 1924 wrote to memory of 1428 | 1924 | MsiExec.exe | 38 |
| PID 1924 wrote to memory of 1428 | 1924 | MsiExec.exe | 38 |
| PID 1924 wrote to memory of 1428 | 1924 | MsiExec.exe | 38 |
| PID 1924 wrote to memory of 1248 | 1924 | MsiExec.exe | 40 |
| PID 1924 wrote to memory of 1248 | 1924 | MsiExec.exe | 40 |
| PID 1924 wrote to memory of 1248 | 1924 | MsiExec.exe | 40 |
| PID 1248 wrote to memory of 2116 | 1248 | cmd.exe | 42 |
| PID 1248 wrote to memory of 2116 | 1248 | cmd.exe | 42 |
| PID 1248 wrote to memory of 2116 | 1248 | cmd.exe | 42 |
| PID 1248 wrote to memory of 2116 | 1248 | cmd.exe | 42 |
| PID 1248 wrote to memory of 2672 | 1248 | cmd.exe | 43 |
| PID 1248 wrote to memory of 2672 | 1248 | cmd.exe | 43 |
| PID 1248 wrote to memory of 2672 | 1248 | cmd.exe | 43 |
| PID 1248 wrote to memory of 2676 | 1248 | cmd.exe | 45 |
| PID 1248 wrote to memory of 2676 | 1248 | cmd.exe | 45 |
| PID 1248 wrote to memory of 2676 | 1248 | cmd.exe | 45 |
| PID 1248 wrote to memory of 2676 | 1248 | cmd.exe | 45 |
| PID 1924 wrote to memory of 2804 | 1924 | MsiExec.exe | 48 |
| PID 1924 wrote to memory of 2804 | 1924 | MsiExec.exe | 48 |
| PID 1924 wrote to memory of 2804 | 1924 | MsiExec.exe | 48 |
| PID 1924 wrote to memory of 2804 | 1924 | MsiExec.exe | 48 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2496)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi
  Signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 1988)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 1924)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 33DF56A76EE90ED027C1DCB79176D96B M Global\MSI0000
    Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1428)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer'
      Signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 1248)
      Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
      Signatures: System Network Configuration Discovery: Internet Connection Discovery; Suspicious use of WriteProcessMemory
      - C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (PID 2116)
        Command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y
        Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\PING.EXE (PID 2672)
        Command line: ping 127.0.0.1 -n 2
        Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
      - C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (PID 2676)
        Command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
        Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: CmdExeWriteProcessMemorySpam
    - C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe (PID 2804)
      Command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3
      Signatures: Drops file in Program Files directory; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe (PID 2380)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 2728)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2380 -s 576
- C:\Windows\system32\vssvc.exe (PID 2808)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2964)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "000000000000055C"
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15