Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system -
submitted
20-11-2024 13:23
Static task
static1
Behavioral task
behavioral1
Sample
luoma2.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
luoma2.msi
Resource
win10v2004-20241007-en
General
-
Target
luoma2.msi
-
Size
2.0MB
-
MD5
44933b8bcf9994f8d5088dbfd75bd781
-
SHA1
4daeed4b62ec79ce1416ad7f62107db4525aeedc
-
SHA256
2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
-
SHA512
e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec
-
SSDEEP
49152:JxB+M1DwJ9AQNvKbJ917NIe87J3ZbBjqrDvytoqjaxP:J7+EUJeQNvKb/75oZU/vyjad
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes. In this run the command is Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer' (see the process tree): the package excludes its own install directory from Defender scanning before the dropped archives are unpacked into it. The drops into C:\Program Files and this configuration change show the custom action ran with administrative rights, which it inherits from the Windows Installer service (msiexec.exe /V). Caveat for this task: the Windows 7 image used here does not ship the Defender PowerShell cmdlets, so the command most likely failed and the signature fired on the command line alone; the Windows 10 task (behavioral2, not shown on this page) is the one to check for the exclusion actually taking effect.
pid Process
- 1740 powershell.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
- File opened (read-only) \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: msiexec.exe (each letter appears twice, 46 entries in total; both msiexec.exe instances, PID 3032 and PID 1728, carry this tag)
Windows Installer probes every drive letter during costing for any package, so on its own this entry carries no signal about the payload.
Drops file in System32 directory 1 IoCs
description ioc Process
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
The literal, unexpanded %ProgramData% shows the sandbox did not resolve this path; the file is PowerShell's own Start Menu shortcut, touched when powershell.exe starts. This entry is a side effect of launching PowerShell, not a file dropped by the package, and should not be carried forward as an IoC.
Drops file in Program Files directory 17 IoCs
description ioc Process
Written by the installer itself (msiexec.exe is the service instance PID 1728, MsiExec.exe the custom-action server PID 2864):
- File created C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe msiexec.exe
- File created C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS msiexec.exe
- File created C:\Program Files\PrepareUpliftingProducer\igc964.dll msiexec.exe
- File created C:\Program Files\PrepareUpliftingProducer\valibclang2d.dll msiexec.exe
- File created C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe MsiExec.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe MsiExec.exe
Written by the dropped extractor (the two archive extractions in the cmd.exe command line, see the process tree):
- File created C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File created C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File created C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File created C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File created C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- File opened for modification C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Written by the unpacked payload:
- File created C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs BiEzaHFZmGAK.exe
Drops file in Windows directory 10 IoCs
description ioc Process
- File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe
- File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe
- File created C:\Windows\Installer\f76d76b.msi msiexec.exe
- File opened for modification C:\Windows\Installer\f76d76b.msi msiexec.exe
- File created C:\Windows\Installer\f76d76c.ipi msiexec.exe
- File opened for modification C:\Windows\Installer\f76d76c.ipi msiexec.exe
- File created C:\Windows\Installer\f76d76e.msi msiexec.exe
- File opened for modification C:\Windows\Installer\MSID855.tmp msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
The C:\Windows\Installer\*.msi files are Windows Installer's cached copy of the package; on a compromised host they are where to recover the MSI if the original download has been deleted.
Executes dropped EXE 3 IoCs
pid Process
- 1752 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- 1708 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- 2128 BiEzaHFZmGAK.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process
- 3032 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BiEzaHFZmGAK.exe
The two reads by the extractor are consistent with ordinary locale handling in a localised tool; the read by the unpacked payload BiEzaHFZmGAK.exe is the one worth noting, since this key is commonly checked for geofencing.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems. That is not what happens here: the command is ping 127.0.0.1 -n 2, which never leaves the host and serves as a roughly one-second delay between the two archive extractions in the cmd.exe command line (see the process tree). Treat the tag as a false positive for connectivity discovery; the ping-as-sleep idiom itself is still a useful detection feature.
pid Process
- 1744 cmd.exe
- 284 PING.EXE
Modifies data under HKEY_USERS 48 IoCs
description ioc Process (all keys are under \REGISTRY\USER\.DEFAULT)
DrvInst.exe, 43 entries, all "Key created" except the one value write:
- SOFTWARE\Microsoft\SystemCertificates\Root, CA, Disallowed, TrustedPeople, trust and SmartCardRoot, each with its Certificates, CRLs and CTLs subkeys, plus Software\Microsoft\SystemCertificates\My
- SOFTWARE\Policies\Microsoft\SystemCertificates\CA, Disallowed, TrustedPeople and trust, each with its Certificates, CRLs and CTLs subkeys
- Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Set value (data) SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
msiexec.exe, 3 entries:
- Key deleted SOFTWARE\Classes\Local Settings\MuiCache\2D
- Key deleted SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
- Key created SOFTWARE\Classes\Local Settings\MuiCache\2E
powershell.exe, 2 entries:
- Key created SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
- Set value (data) SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 40f72d654f3bdb01
The certificate-store skeleton is CryptoAPI initialising the .DEFAULT (SYSTEM) profile the first time DrvInst.exe touches it while handling the restore-point snapshot device; the MuiCache and StartPage entries are ordinary shell housekeeping. None of the 48 entries is payload activity.
Modifies registry class 22 IoCs
description ioc Process (all by msiexec.exe, all under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer)
- Key created Products\E1FBA331152420640B81E8A749F97E50
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\ProductName = "PrepareUpliftingProducer"
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\PackageCode = "C0AED81ADD9AA43409DE1BF6F7A6C17A"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\Language = "1033"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\Version = "151322630"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\InstanceType = "0"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\AuthorizedLUAApp = "0"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\DeploymentFlags = "3"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\Assignment = "1"
- Set value (int) Products\E1FBA331152420640B81E8A749F97E50\AdvertiseFlags = "388"
- Set value (data) Products\E1FBA331152420640B81E8A749F97E50\Clients = 3a0000000000
- Key created Products\E1FBA331152420640B81E8A749F97E50\SourceList
- Key created Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net
- Key created Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\SourceList\PackageName = "luoma2.msi"
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str) Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media\1 = ";"
- Key created Features\E1FBA331152420640B81E8A749F97E50
- Set value (str) Features\E1FBA331152420640B81E8A749F97E50\ProductFeature
- Key created UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B
- Set value (str) UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B\E1FBA331152420640B81E8A749F97E50
This is the product registration every MSI install leaves behind. The key names are the ProductCode and UpgradeCode in Windows Installer's packed GUID form, and ProductName "PrepareUpliftingProducer" plus the packed ProductCode are the values to sweep other hosts for.
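The key names and values in the two registry sections above are easier to search for on other hosts once decoded. The Python below is an added example written for this page, not tooling from the sandbox or code from the sample; its only inputs are the values quoted above (packed GUID key names, the Version DWORD, the hex-encoded REG_MULTI_SZ and FILETIME data), and the GUID unpacking is the standard Windows Installer transform (first three fields reversed whole, the remaining bytes swapped pairwise).

```python
"""Decode the Windows Installer and registry artifacts listed in this report.

Added example, not part of the sandbox report. The "Modifies registry class" and
"Modifies data under HKEY_USERS" entries use four encodings:
  * packed GUIDs as key names under HKLM\\SOFTWARE\\Classes\\Installer\\{Products,
    Features, UpgradeCodes}: first three fields reversed whole, the rest pairwise;
  * Version stored as a DWORD: major << 24 | minor << 16 | build;
  * REG_MULTI_SZ data shown as UTF-16LE hex (LanguageList, Clients);
  * a FILETIME shown as eight little-endian hex bytes (StartMenu_Start_Time).
"""
import uuid
from datetime import datetime, timedelta, timezone

HEX = set("0123456789ABCDEF")


def _twiddle(hex32: str) -> str:
    """The Installer's GUID packing is an involution: applying it twice gives the input."""
    h = hex32.upper()
    if len(h) != 32 or set(h) - HEX:
        raise ValueError("expected 32 hex digits, got %r" % hex32)
    pairwise = lambda s: "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))
    return h[:8][::-1] + h[8:12][::-1] + h[12:16][::-1] + pairwise(h[16:20]) + pairwise(h[20:])


def unpack_msi_guid(packed: str) -> str:
    """Installer\\Products key name -> the ProductCode as it appears under ...\\Uninstall."""
    g = _twiddle(packed)
    return "{%s-%s-%s-%s-%s}" % (g[:8], g[8:12], g[12:16], g[16:20], g[20:])


def pack_msi_guid(guid: str) -> str:
    """ProductCode/UpgradeCode -> the key name to look for under Installer\\Products etc."""
    return _twiddle(guid.strip("{}").replace("-", ""))


def msi_version(dword) -> str:
    """ProductVersion packed into the Version DWORD (the report shows it as a decimal string)."""
    v = int(dword)
    return "%d.%d.%d" % (v >> 24, (v >> 16) & 0xFF, v & 0xFFFF)


def reg_multi_sz(hexdata: str) -> list:
    """REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated."""
    return [s for s in bytes.fromhex(hexdata).decode("utf-16-le").split("\0") if s]


def filetime_hex(hexdata: str) -> datetime:
    """Eight little-endian bytes of 100 ns ticks since 1601-01-01 UTC (sub-microsecond part dropped)."""
    ticks = int.from_bytes(bytes.fromhex(hexdata), "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def decode_report_artifacts() -> dict:
    """Apply the decoders to the values quoted on this page; keys name the source entry."""
    out = {
        "ProductCode": unpack_msi_guid("E1FBA331152420640B81E8A749F97E50"),
        "UpgradeCode": unpack_msi_guid("9DCD9B5D536DF1248A8093D390D4367B"),
        "PackageCode": unpack_msi_guid("C0AED81ADD9AA43409DE1BF6F7A6C17A"),
        "Version": msi_version("151322630"),
        "Clients": reg_multi_sz("3a0000000000"),
        "LanguageList": reg_multi_sz("65006e002d0055005300000065006e0000000000"),
        "StartMenu_Start_Time": filetime_hex("40f72d654f3bdb01").strftime("%Y-%m-%d %H:%M:%S UTC"),
    }
    # Sanity check on the unpacking: build tools generate random (RFC 4122 version 4) codes,
    # and a wrongly unpacked GUID would almost never land on a valid version/variant nibble.
    out["codes_are_v4"] = all(uuid.UUID(out[k]).version == 4
                              for k in ("ProductCode", "UpgradeCode", "PackageCode"))
    return out


if __name__ == "__main__":
    for k, v in decode_report_artifacts().items():
        print("%-22s %s" % (k, v))
```

The unpacked ProductCode is the form that appears under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and that msiexec /x expects; pack_msi_guid goes the other way for searching the Installer\Products hive on other machines. The decoded StartMenu_Start_Time (2024-11-20 13:23:32 UTC) agrees with the submission time at the top of this page, which confirms the byte order used for the FILETIME.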
Runs ping.exe 1 TTPs 1 IoCs
pid Process
- 284 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
pid Process
- 1752 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
- 1708 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Suspicious behavior: EnumeratesProcesses 53 IoCs
pid Process
- 1728 msiexec.exe (2 entries)
- 1740 powershell.exe (1 entry)
- 2128 BiEzaHFZmGAK.exe (50 entries)
The 50 repeated enumerations come from the unpacked payload, which is the only process here that is not part of the installer or its helpers.
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process (grouped by process; the number in brackets is the count of entries)
- 3032 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then one call each for SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 1728 msiexec.exe (11): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege/SeTakeOwnershipPrivilege three more times while writing files
- 640 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2856 DrvInst.exe (10): SeRestorePrivilege ×7, SeLoadDriverPrivilege ×3
- 1740 powershell.exe (1): SeDebugPrivilege
- 1752 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (4): SeRestorePrivilege, privilege 35, SeSecurityPrivilege ×2
- 1708 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (4): SeRestorePrivilege, privilege 35, SeSecurityPrivilege ×2
The "Token: 35" entries are the sandbox printing a privilege LUID it could not name: 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (SeCreateSymbolicLinkPrivilege). Enabling SeRestore, SeSecurity and SeCreateSymbolicLink is what an archive extractor does to restore ACLs and links, so these entries fit the 7-Zip-style extraction in the process tree. The long sweep by PID 3032 is msiexec.exe's normal start-up, and SeDebugPrivilege is routinely reported for elevated PowerShell; none of the entries is an indicator on its own.
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
- 3032 msiexec.exe (2 entries)
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target (procid_target is the sandbox's own process index, not a Windows PID)
- PID 1728 msiexec.exe wrote to memory of 2864 (procid_target 35), 5 entries
- PID 2864 MsiExec.exe wrote to memory of 1740 (procid_target 37), 3 entries
- PID 2864 MsiExec.exe wrote to memory of 1744 (procid_target 39), 3 entries
- PID 1744 cmd.exe wrote to memory of 1752 (procid_target 41), 4 entries
- PID 1744 cmd.exe wrote to memory of 284 (procid_target 42), 3 entries
- PID 1744 cmd.exe wrote to memory of 1708 (procid_target 44), 4 entries
- PID 2864 MsiExec.exe wrote to memory of 2128 (procid_target 46), 4 entries
These writes are the normal parent-to-child handoff during process creation, which is how the parent/child links in the process tree below were recovered; they are not injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is the restore-point snapshot Windows Installer takes before the install (see vssvc.exe and the DrvInst.exe invocation for STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 in the process list), not the payload tampering with shadow copies: no vssadmin or wmic shadowcopy activity appears on this page.
Processes
-
C:\Windows\system32\msiexec.exe (level 1)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3032
  (The client-side msiexec.exe started by the sandbox; it hands the package to the Windows Installer service below.)
-
C:\Windows\system32\msiexec.exe (level 1)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
  (The Windows Installer service instance that performs the install: it writes the package's files into C:\Program Files\PrepareUpliftingProducer and registers the product.)
  C:\Windows\system32\MsiExec.exe (level 2)
    C:\Windows\system32\MsiExec.exe -Embedding F3291747034351568929D9C000ADD0E1 M Global\MSI0000
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2864
    (MsiExec.exe -Embedding <GUID> is the custom-action server. Every process under it was launched by a custom action defined in luoma2.msi, which is where the malicious logic of this package lives.)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 3)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer'
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1740
      (Custom action 1: exclude the install directory from Defender scanning before the payload is unpacked into it.)
    C:\Windows\System32\cmd.exe (level 3)
      "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID:1744
      (Custom action 2, one command line: extract the first dropped archive with the password 08603ofn={DHx}m7~1j8, wait about a second (ping 127.0.0.1 -n 2 is the classic batch-file sleep), then extract the second archive with the password 71633}[lV%g5Os!px;&}, skipping its member 1_BiEzaHFZmGAK.exe; start /min keeps both windows hidden. The verb and switch syntax (x, -o, -p, -y, -x!) is that of the 7-Zip command line, so the dropped wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe is most likely a renamed 7-Zip console binary. Both passwords are in the clear here, so the archives can be unpacked by hand for static analysis.)
      C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (level 4)
        "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
        PID:1752
      C:\Windows\system32\PING.EXE (level 4)
        ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID:284
      C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (level 4)
        "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken
        PID:1708
    C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe (level 3)
      "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:2128
      (Custom action 3: run the unpacked payload from the directory that was just excluded from Defender. It writes BiEzaHFZmGAK.vbs next to itself and enumerates processes repeatedly; see the signatures above.)
-
C:\Windows\system32\vssvc.exe (level 1)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:640
-
C:\Windows\system32\DrvInst.exe (level 1)
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B8" "00000000000005E0"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
  (vssvc.exe and DrvInst.exe handle the restore-point snapshot Windows Installer takes before the install; both are installer side effects, not payload activity.)
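The tree above is the pattern a detection should key on: a custom-action server (MsiExec.exe -Embedding) spawning PowerShell that adds a Defender exclusion, a cmd.exe that uses ping 127.0.0.1 as a sleep between two password-protected extractions, and the payload then running from the excluded directory. The Python below is an added example written for this page, not sandbox or sample code; it reconstructs the parent chain from process-creation records and flags those four features, using the signatures "Command and Scripting Interpreter: PowerShell" and "Internet Connection Discovery" from this report as its starting point. The records are constructed from the tree above, with an invented benign control (pids 4000/5001) to show that an administrator adding an exclusion interactively is not reported; the rule names and the Proc record shape are this example's own.

```python
"""Flag the MSI custom-action chain from this report in process-creation telemetry.

Added example, not part of the sandbox report. A record is (pid, ppid, image, command
line) as Sysmon Event ID 1 or an EDR would log it. RECORDS is constructed from the
process tree on this page: parent links come from the "wrote to memory of" entries,
the two root msiexec.exe processes get ppid 0 (parent not recorded), and pids
4000/5001 are an added benign control (an interactive admin adding an exclusion).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# "MsiExec.exe -Embedding <GUID> ..." is the Windows Installer custom-action server;
# everything below it was started by a custom action inside the package.
CUSTOM_ACTION_HOST = re.compile(r"msiexec\.exe.*\s-Embedding\s", re.I)
DEFENDER_EXCLUSION = re.compile(
    r"""Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\s+(?:'([^']+)'|"([^"]+)"|(\S+))""", re.I)
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+\d+", re.I)
EXTRACT_VERB = re.compile(r'\s+x\s+"')                           # 7-Zip-style "x" (extract) verb
ARCHIVE_PASSWORD = re.compile(r'(?:^|\s)-p(?:"([^"]*)"|(\S+))')   # 7-Zip-style -p<password>

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PF = r"C:\Program Files\PrepareUpliftingProducer"
ARCHIVER = PF + r"\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe"
RECORDS = [  # constructed from the report's process tree (command lines verbatim)
    Proc(3032, 0, r"C:\Windows\system32\msiexec.exe", r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi"),
    Proc(1728, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(2864, 1728, r"C:\Windows\system32\MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding F3291747034351568929D9C000ADD0E1 M Global\MSI0000"),
    Proc(1740, 2864, PS, '"' + PS + "\" -Command Add-MpPreference -ExclusionPath '" + PF + "'"),
    Proc(1744, 2864, r"C:\Windows\System32\cmd.exe",
         r'''"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y'''),
    Proc(1752, 1744, ARCHIVER,
         r'''"C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y'''),
    Proc(284, 1744, r"C:\Windows\system32\PING.EXE", r"ping 127.0.0.1 -n 2"),
    Proc(1708, 1744, ARCHIVER,
         r'''"C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y'''),
    Proc(2128, 2864, PF + r"\BiEzaHFZmGAK.exe",
         r'''"C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3'''),
    Proc(4000, 0, r"C:\Windows\explorer.exe", r"explorer.exe"),                      # benign control
    Proc(5001, 4000, PS, r"powershell.exe -Command Add-MpPreference -ExclusionPath 'D:\Builds'"),
]


def archive_passwords(cmdline: str) -> list:
    """-p<password> arguments: all an analyst needs to open the dropped archives by hand."""
    return [quoted or bare for quoted, bare in ARCHIVE_PASSWORD.findall(cmdline)]


def exclusion_paths(cmdline: str) -> list:
    """Path/extension/process given to Add-MpPreference -Exclusion* (first one only)."""
    m = DEFENDER_EXCLUSION.search(cmdline)
    return [next(g for g in m.groups() if g)] if m else []


def custom_action_host(pid: int, by_pid: dict):
    """Walk up the parent chain from pid; return the pid of the -Embedding MsiExec.exe, if any."""
    seen, p = set(), by_pid.get(pid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        if CUSTOM_ACTION_HOST.search(p.cmdline):
            return p.pid
        p = by_pid.get(p.ppid)
    return None


def analyze(records) -> dict:
    """{pid: (host pid, [rule names])} for processes launched under an MSI custom action.

    Records are assumed to be in creation order, so an exclusion added earlier in the
    chain is already known when a later process starts from the excluded directory."""
    by_pid = {r.pid: r for r in records}
    excluded, findings = [], {}
    for r in records:
        host = custom_action_host(r.ppid, by_pid)
        if host is None:          # not under a custom action: an admin's own PowerShell is ignored
            continue
        hits = []
        paths = exclusion_paths(r.cmdline)
        if paths:
            hits.append("defender_exclusion")
            excluded.extend(p.rstrip("\\").lower() + "\\" for p in paths)
        if PING_SLEEP.search(r.cmdline):
            hits.append("ping_sleep")
        if EXTRACT_VERB.search(r.cmdline) and archive_passwords(r.cmdline):
            hits.append("password_protected_extract")
        if any(r.image.lower().startswith(d) for d in excluded):
            hits.append("runs_from_excluded_path")
        if hits:
            findings[r.pid] = (host, hits)
    return findings


if __name__ == "__main__":
    for pid, (host, hits) in analyze(RECORDS).items():
        print("pid %5d under custom-action host %d: %s" % (pid, host, ", ".join(hits)))
```

Anchoring every rule on descent from an -Embedding MsiExec.exe is what keeps the false-positive rate manageable: Add-MpPreference, ping-as-sleep and 7-Zip extractions are each common in legitimate installers and admin scripts, but a package that does all three from a custom action and then runs a binary out of the directory it just excluded is the sequence worth paging on. The values returned by archive_passwords are the archive passwords from the command line, which is enough to unpack both dropped archives for static analysis.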
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5
13e8a3e3a2fa3a308c6182aef95e6acb
SHA1
fc7747c41494730c0dcd184be59b774ef544da64
SHA256
15a80e62d89c898887720fbb5749a7645dfc3488895ccce3b58175069fd820d9
SHA512
66aaddc58681f5b748999dfabe1cf4d8927992da6663a1cd78424839440ecd4894a42f933480515c98bd5e5db5453d978ba7cea53e280accab08b343f794c677
-
Filesize
2.1MB
MD5
cbfd19024613960afbca2592c254797c
SHA1
498f21770764974008a04e3c1e013112b07a440b
SHA256
e836bac2f7e08d68df29e1fbaba53d51bad7d7b304d3f8721ac9687275aec97a
SHA512
98a162f7e6146e9973e4075867289627e2290ebd73745ccea701b7a28e2b112854ab90604d7ff16f207d91160181992e655bb7ea30ac58d9f7696bdad9a7d101
-
Filesize
1.5MB
MD5
c2ddc9c1c68f17bcabe6d453bdedd54d
SHA1
1f9a8a688498fccfba10beb74366de6aca5d8f71
SHA256
a4d8817a8152b7f4b4ab0d194e35ab4fb49bf4d567bd23e1ec359af29543c41b
SHA512
3d464130d1ef6fcf13a6f7623c4fd507f7053aa8fcff8d7e7ff1f47b7fb85999c3d1119b49fcaa2a96efd587d609150f0f529f2fe36e66bc2c0ad9e89f5ada9a
-
Filesize
1.5MB
MD5
4bf1d9c71a407d753fbe43603baa740b
SHA1
7bda556251c6aafb215df4b8dc9d1dc35e805b4a
SHA256
afb17b50d2c8f3e2412ad64977860d595fa8b67691714306fd371264065d19d7
SHA512
50a35c209a525f5c87ae94da25722ae385a57107d1738ac3f8a55bf1c9df4a9e42d9784c119d4d44d590592b824c09d6d97ec9ce6de424cdb09e0116e5c75d93
-
Filesize
577KB
MD5
c31c4b04558396c6fabab64dcf366534
SHA1
fa836d92edc577d6a17ded47641ba1938589b09a
SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
-
Filesize
2.0MB (the submitted sample luoma2.msi; hashes match the General section)
MD5
44933b8bcf9994f8d5088dbfd75bd781
SHA1
4daeed4b62ec79ce1416ad7f62107db4525aeedc
SHA256
2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
SHA512
e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec