c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
Size

106.0MB
MD5

13efd06a23bfa0e958907db33d947ff9
SHA1

57b60766072b7037ca5c5d31a23dd57e332421b8
SHA256

c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c
SHA512

b2a914c5359a636003d3dc45b8be36a8e059f40893f171a845969ab5a791310f6a86337205f775a0ca0807ddc8a6fcf294a6cf64c990ae58bd2466b1954bb3e0
SSDEEP

3145728:8Cc6i9DJclUWcTsPsz+gpvp0lHEavPwsJ+KkKELYfFY:+rDJciusz+gNpUkGP/J+xEfFY

Score

10^/10

discovery evasion persistence privilege_escalation trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1936-37-0x000000013F120000-0x000000013F130000-memory.dmp	upx

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Sunlogin\Sunlogin\SunloginClient.exe	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_1	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_1	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\XR.exe	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_3	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_1	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_4	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_3	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76cdab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76cdab.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE96.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF14.tmp	msiexec.exe
File created	C:\Windows\Installer\f76cdae.ipi	msiexec.exe
File created	C:\Windows\Installer\f76cdb0.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76cdae.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID06C.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
300	XR.exe
896	jdy_client_mini.exe

Loads dropped DLL 10 IoCs

pid	Process
2488	MsiExec.exe
2488	MsiExec.exe
2488	MsiExec.exe
1936	msiexec.exe
1160	Process not Found
1160	Process not Found
1160	Process not Found
1936	msiexec.exe
1160	Process not Found
896	jdy_client_mini.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1968	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdy_client_mini.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2980	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Microsoft Management Console	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\RenderSoft TextCalc	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	XR.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mmc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@mmcbase.dll,-14008 = "Folder"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Microsoft Management Console\Recent File List	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Microsoft Management Console\Settings	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\RenderSoft TextCalc\TextCalc	XR.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9B89E2BAAAAC484599C9858825FEF7D\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\PackageName = "c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\PackageCode = "D709273379E898A4FAF2C5D38D81F708"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14916244394C09842BAF84843796C5AF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14916244394C09842BAF84843796C5AF\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\ProductName = "Sunlogin"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1936	msiexec.exe
1936	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1968	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeSecurityPrivilege	1936	msiexec.exe
Token: SeCreateTokenPrivilege	1968	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1968	msiexec.exe
Token: SeLockMemoryPrivilege	1968	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1968	msiexec.exe
Token: SeMachineAccountPrivilege	1968	msiexec.exe
Token: SeTcbPrivilege	1968	msiexec.exe
Token: SeSecurityPrivilege	1968	msiexec.exe
Token: SeTakeOwnershipPrivilege	1968	msiexec.exe
Token: SeLoadDriverPrivilege	1968	msiexec.exe
Token: SeSystemProfilePrivilege	1968	msiexec.exe
Token: SeSystemtimePrivilege	1968	msiexec.exe
Token: SeProfSingleProcessPrivilege	1968	msiexec.exe
Token: SeIncBasePriorityPrivilege	1968	msiexec.exe
Token: SeCreatePagefilePrivilege	1968	msiexec.exe
Token: SeCreatePermanentPrivilege	1968	msiexec.exe
Token: SeBackupPrivilege	1968	msiexec.exe
Token: SeRestorePrivilege	1968	msiexec.exe
Token: SeShutdownPrivilege	1968	msiexec.exe
Token: SeDebugPrivilege	1968	msiexec.exe
Token: SeAuditPrivilege	1968	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1968	msiexec.exe
Token: SeChangeNotifyPrivilege	1968	msiexec.exe
Token: SeRemoteShutdownPrivilege	1968	msiexec.exe
Token: SeUndockPrivilege	1968	msiexec.exe
Token: SeSyncAgentPrivilege	1968	msiexec.exe
Token: SeEnableDelegationPrivilege	1968	msiexec.exe
Token: SeManageVolumePrivilege	1968	msiexec.exe
Token: SeImpersonatePrivilege	1968	msiexec.exe
Token: SeCreateGlobalPrivilege	1968	msiexec.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe
Token: SeTakeOwnershipPrivilege	1936	msiexec.exe
Token: SeRestorePrivilege	1936	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1968	msiexec.exe
1968	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
300	XR.exe
300	XR.exe
2336	mmc.exe
2336	mmc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 2488	1936	msiexec.exe	35
PID 1936 wrote to memory of 300	1936	msiexec.exe	36
PID 1936 wrote to memory of 300	1936	msiexec.exe	36
PID 1936 wrote to memory of 300	1936	msiexec.exe	36
PID 300 wrote to memory of 284	300	XR.exe	38
PID 300 wrote to memory of 284	300	XR.exe	38
PID 300 wrote to memory of 284	300	XR.exe	38
PID 284 wrote to memory of 2980	284	cmd.exe	40
PID 284 wrote to memory of 2980	284	cmd.exe	40
PID 284 wrote to memory of 2980	284	cmd.exe	40
PID 300 wrote to memory of 632	300	XR.exe	41
PID 300 wrote to memory of 632	300	XR.exe	41
PID 300 wrote to memory of 632	300	XR.exe	41
PID 300 wrote to memory of 1288	300	XR.exe	43
PID 300 wrote to memory of 1288	300	XR.exe	43
PID 300 wrote to memory of 1288	300	XR.exe	43
PID 1288 wrote to memory of 328	1288	cmd.exe	45
PID 1288 wrote to memory of 328	1288	cmd.exe	45
PID 1288 wrote to memory of 328	1288	cmd.exe	45
PID 1288 wrote to memory of 928	1288	cmd.exe	46
PID 1288 wrote to memory of 928	1288	cmd.exe	46
PID 1288 wrote to memory of 928	1288	cmd.exe	46
PID 1288 wrote to memory of 1852	1288	cmd.exe	47
PID 1288 wrote to memory of 1852	1288	cmd.exe	47
PID 1288 wrote to memory of 1852	1288	cmd.exe	47
PID 300 wrote to memory of 2036	300	XR.exe	48
PID 300 wrote to memory of 2036	300	XR.exe	48
PID 300 wrote to memory of 2036	300	XR.exe	48
PID 2336 wrote to memory of 896	2336	mmc.exe	51
PID 2336 wrote to memory of 896	2336	mmc.exe	51
PID 2336 wrote to memory of 896	2336	mmc.exe	51
PID 2336 wrote to memory of 896	2336	mmc.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1968

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D78674C053B69FDFDBADF5D9D0716E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Program Files\Sunlogin\Sunlogin\XR.exe
  "C:\Program Files\Sunlogin\Sunlogin\XR.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:284
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2980
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\Ilp7p.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
    PID:632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\7EUMU.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:328
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:928
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:1852
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KAdWo\d867R~18\p+C:\Users\Public\Pictures\KAdWo\d867R~18\w C:\Users\Public\Pictures\KAdWo\d867R~18\nw_elf.dll
    3⤵
    PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E8" "00000000000004A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe
  "C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76cdaf.rbs

Filesize
8KB

MD5
749145467efdf90f8e02249981a7bc2b

SHA1
6abfee2dea69804e000d922c0762d3d119de745b

SHA256
826dc2fc45a2017b9adbdd7152c7c4279ebe272f0b909d5a4400e974c7ff1b54

SHA512
ffa95d4f6a96f1a93ed6b989a79194dc7e3e3c05a3eb71f0a1f06c7bec87e310c17797edad49f83357d27efdc2d58a482a510b1f34f7603f790a24959e5ddaf8

Download Submit
C:\Program Files\Sunlogin\Sunlogin\cache_21_0

Filesize
9.0MB

MD5
be5628882d28ba1bdb9850dc4b7e7fa1

SHA1
6d37839c4b8ded05c0e8108696e1b794de59a2a8

SHA256
def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

SHA512
16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

Download Submit
C:\Users\Admin\AppData\Roaming\7EUMU.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\KAdWo\d867R~18\NH.txt

Filesize
179KB

MD5
1bd1c65b610003b945e7b9bd7210db2a

SHA1
66902e2b5d575c0232eab4576b81daac56a6bbc8

SHA256
871814884dd4058d25cc0111fea5bf48da43d7ac6e7b71db166dd3190a116820

SHA512
d487bd2beab4e9c44ebbcffab0215b1c2d93ae3feea8130f8cbcafb4b182222e6054c3c7f79c77a6004a67890f3d5e8cc3a39d959c5b3c40249752483ef00928

Download Submit
C:\Users\Public\Pictures\KAdWo\d867R~18\jdy_client_mini.exe

Filesize
2.6MB

MD5
c206388d7a4c81a52cf637a3e0d2acc8

SHA1
c927b021d7f4691ac84a7a54a8d3358f02c89ee6

SHA256
1dab81c0d0650a673151e90d475722906f6d71421ceaa8f0df9b14d2e36cd9d3

SHA512
247d2277b23360db7d9e7794be80290e1148eb03d5b15ef56710c5dfd62b0374cc05a1529889f00f59813a4e1ed00f35358069a3397fafd65f89205268e4f783

Download Submit
C:\Users\Public\Pictures\KAdWo\d867R~18\nw_elf.dll

Filesize
1.7MB

MD5
c17a7b1c4836089c0c73b03b8ada5941

SHA1
25629c7994565d12969b36f9b3960bafedd7e20a

SHA256
0ef6821b9df8c45c7d817c36bf99cf0057a63bcb5709ffdfd721cc50dcd7afd9

SHA512
0b6510127be3014b0b46ed7f4fb48b75bf63b566ae700767115d0e6d26d8e487d0261b19952dc9c0d9946e25d424388b41c7b2f9634c8ff008d9d837de335597

Download Submit
C:\Users\Public\Pictures\KAdWo\d867R~18\p

Filesize
886KB

MD5
2ed406d06efeeea53ba02a605f1d1674

SHA1
70085132cb0207b1389581489149c42052ba374b

SHA256
7bdd4e0d14aae0653f703b66b8257f6a9c997547d06fb20063cc02929b7cd1b0

SHA512
0213c75c9611102a12ccc26e44fffdc7657606da00a6aa98044394a845dbaa25d1e1f987c5963c7db96f965804db29032cd480d15732cbb33a622ba7dc387762

Download Submit
C:\Users\Public\Pictures\KAdWo\d867R~18\w

Filesize
886KB

MD5
a5b68f44e99929a11b6fead500e8ed61

SHA1
6dcd1d94e214a3db96c286758c0e2690dddaa977

SHA256
fdf58cf91573dfebe3ea25d567b993570ebd5a2f2fd74fd1e22dcd7103ac18b2

SHA512
af8c057851ec682047d550d7190d7450f505b848f87aaf6681400acc9a21253321b06de74d7d932cfc1a7a153bc3d13d791c42b365159ae51184c8ec86f201e9

Download Submit
C:\Windows\Installer\MSICE18.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\Program Files\Sunlogin\Sunlogin\XR.exe

Filesize
18.7MB

MD5
8fb8044052662077cdc327a12000e3e9

SHA1
94a421e07d154fcc6d411d72f7aa9c3f08bd8058

SHA256
ef413c1fdf376dbac6bde73240146ea2676ed47d08150f8b744576f4d3bc4dd2

SHA512
2258250b048b61a9732b0da0ef2fb4b522158718a6ab6dcba4dc9b545e3954aa93926d033111c4e14cf85c30f7fa236c0453d9cd70a06c6d06e1d6dc197373e3

Download Submit
memory/300-53-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/300-52-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/300-51-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/896-70-0x0000000000250000-0x00000000002B9000-memory.dmp

Filesize
420KB

Download
memory/1936-64-0x000000013F120000-0x000000013F130000-memory.dmp

Filesize
64KB

Download
memory/1936-37-0x000000013F120000-0x000000013F130000-memory.dmp

Filesize
64KB

Download