c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
Size

106.0MB
MD5

13efd06a23bfa0e958907db33d947ff9
SHA1

57b60766072b7037ca5c5d31a23dd57e332421b8
SHA256

c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c
SHA512

b2a914c5359a636003d3dc45b8be36a8e059f40893f171a845969ab5a791310f6a86337205f775a0ca0807ddc8a6fcf294a6cf64c990ae58bd2466b1954bb3e0
SSDEEP

3145728:8Cc6i9DJclUWcTsPsz+gpvp0lHEavPwsJ+KkKELYfFY:+rDJciusz+gNpUkGP/J+xEfFY

Score

10^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	jdy_client_mini.exe
File opened (read-only)	\??\Z:	jdy_client_mini.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	jdy_client_mini.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	jdy_client_mini.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	jdy_client_mini.exe
File opened (read-only)	\??\U:	jdy_client_mini.exe
File opened (read-only)	\??\W:	jdy_client_mini.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	jdy_client_mini.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	jdy_client_mini.exe
File opened (read-only)	\??\S:	jdy_client_mini.exe
File opened (read-only)	\??\T:	jdy_client_mini.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	jdy_client_mini.exe
File opened (read-only)	\??\O:	jdy_client_mini.exe
File opened (read-only)	\??\R:	jdy_client_mini.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	jdy_client_mini.exe
File opened (read-only)	\??\P:	jdy_client_mini.exe
File opened (read-only)	\??\X:	jdy_client_mini.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	jdy_client_mini.exe
File opened (read-only)	\??\L:	jdy_client_mini.exe
File opened (read-only)	\??\Q:	jdy_client_mini.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	jdy_client_mini.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_1	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_3	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\XR.exe	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_2	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_3	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_0	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_21_1	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\SunloginClient.exe	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_18_4	msiexec.exe
File created	C:\Program Files\Sunlogin\Sunlogin\cache_20_1	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB72C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB980.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b49a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB546.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB77C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B2E98B9A-AAAA-484C-95C9-898528F5FED7}	msiexec.exe
File created	C:\Windows\Installer\e57b49e.msi	msiexec.exe
File created	C:\Windows\Installer\e57b49a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3316	XR.exe
4956	jdy_client_mini.exe

Loads dropped DLL 5 IoCs

pid	Process
4696	MsiExec.exe
4696	MsiExec.exe
4696	MsiExec.exe
4696	MsiExec.exe
4956	jdy_client_mini.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
664	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdy_client_mini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jdy_client_mini.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jdy_client_mini.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4476	ipconfig.exe
2016	ipconfig.exe

Modifies data under HKEY_USERS 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	XR.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc	XR.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	jdy_client_mini.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	jdy_client_mini.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	jdy_client_mini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	jdy_client_mini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc\Settings	XR.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	jdy_client_mini.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\RenderSoft TextCalc\TextCalc\Recent File List	XR.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console	mmc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Microsoft Management Console\Settings	mmc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	XR.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	XR.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@mmcbase.dll,-14008 = "Folder"	mmc.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Language = "2052"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14916244394C09842BAF84843796C5AF\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\PackageCode = "D709273379E898A4FAF2C5D38D81F708"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A9B89E2BAAAAC484599C9858825FEF7D\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\ProductName = "Sunlogin"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\14916244394C09842BAF84843796C5AF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\SourceList\PackageName = "c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A9B89E2BAAAAC484599C9858825FEF7D\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
448	msiexec.exe
448	msiexec.exe
4956	jdy_client_mini.exe
4956	jdy_client_mini.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	664	msiexec.exe
Token: SeSecurityPrivilege	448	msiexec.exe
Token: SeCreateTokenPrivilege	664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	664	msiexec.exe
Token: SeLockMemoryPrivilege	664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	664	msiexec.exe
Token: SeMachineAccountPrivilege	664	msiexec.exe
Token: SeTcbPrivilege	664	msiexec.exe
Token: SeSecurityPrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeLoadDriverPrivilege	664	msiexec.exe
Token: SeSystemProfilePrivilege	664	msiexec.exe
Token: SeSystemtimePrivilege	664	msiexec.exe
Token: SeProfSingleProcessPrivilege	664	msiexec.exe
Token: SeIncBasePriorityPrivilege	664	msiexec.exe
Token: SeCreatePagefilePrivilege	664	msiexec.exe
Token: SeCreatePermanentPrivilege	664	msiexec.exe
Token: SeBackupPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeShutdownPrivilege	664	msiexec.exe
Token: SeDebugPrivilege	664	msiexec.exe
Token: SeAuditPrivilege	664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	664	msiexec.exe
Token: SeChangeNotifyPrivilege	664	msiexec.exe
Token: SeRemoteShutdownPrivilege	664	msiexec.exe
Token: SeUndockPrivilege	664	msiexec.exe
Token: SeSyncAgentPrivilege	664	msiexec.exe
Token: SeEnableDelegationPrivilege	664	msiexec.exe
Token: SeManageVolumePrivilege	664	msiexec.exe
Token: SeImpersonatePrivilege	664	msiexec.exe
Token: SeCreateGlobalPrivilege	664	msiexec.exe
Token: SeBackupPrivilege	3260	vssvc.exe
Token: SeRestorePrivilege	3260	vssvc.exe
Token: SeAuditPrivilege	3260	vssvc.exe
Token: SeBackupPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe
Token: SeTakeOwnershipPrivilege	448	msiexec.exe
Token: SeRestorePrivilege	448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
664	msiexec.exe
664	msiexec.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3316	XR.exe
3316	XR.exe
3864	mmc.exe
3864	mmc.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2032	448	msiexec.exe	98
PID 448 wrote to memory of 2032	448	msiexec.exe	98
PID 448 wrote to memory of 4696	448	msiexec.exe	100
PID 448 wrote to memory of 4696	448	msiexec.exe	100
PID 448 wrote to memory of 4696	448	msiexec.exe	100
PID 448 wrote to memory of 3316	448	msiexec.exe	101
PID 448 wrote to memory of 3316	448	msiexec.exe	101
PID 3316 wrote to memory of 1056	3316	XR.exe	103
PID 3316 wrote to memory of 1056	3316	XR.exe	103
PID 1056 wrote to memory of 4476	1056	cmd.exe	105
PID 1056 wrote to memory of 4476	1056	cmd.exe	105
PID 3316 wrote to memory of 4588	3316	XR.exe	107
PID 3316 wrote to memory of 4588	3316	XR.exe	107
PID 3316 wrote to memory of 2768	3316	XR.exe	109
PID 3316 wrote to memory of 2768	3316	XR.exe	109
PID 2768 wrote to memory of 3636	2768	cmd.exe	111
PID 2768 wrote to memory of 3636	2768	cmd.exe	111
PID 2768 wrote to memory of 2604	2768	cmd.exe	112
PID 2768 wrote to memory of 2604	2768	cmd.exe	112
PID 2768 wrote to memory of 1584	2768	cmd.exe	113
PID 2768 wrote to memory of 1584	2768	cmd.exe	113
PID 3316 wrote to memory of 4540	3316	XR.exe	114
PID 3316 wrote to memory of 4540	3316	XR.exe	114
PID 3864 wrote to memory of 4956	3864	mmc.exe	119
PID 3864 wrote to memory of 4956	3864	mmc.exe	119
PID 3864 wrote to memory of 4956	3864	mmc.exe	119
PID 4956 wrote to memory of 2488	4956	jdy_client_mini.exe	121
PID 4956 wrote to memory of 2488	4956	jdy_client_mini.exe	121
PID 4956 wrote to memory of 2488	4956	jdy_client_mini.exe	121
PID 2488 wrote to memory of 2016	2488	cmd.exe	123
PID 2488 wrote to memory of 2016	2488	cmd.exe	123
PID 2488 wrote to memory of 2016	2488	cmd.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c440d1721cb83183eb397171531888556f544659e1640bf974ed55548016ed3c.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5961E849891D2CC6454F88C363DA422D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4696
- C:\Program Files\Sunlogin\Sunlogin\XR.exe
  "C:\Program Files\Sunlogin\Sunlogin\XR.exe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4476
- - C:\Windows\System32\netsh.exe
    "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\xS59e.xml
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4588
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\1xhDT.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:3636
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:2604
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
      4⤵
      UAC bypass
      PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\zz4Y9\H9uFl~18\p+C:\Users\Public\Pictures\zz4Y9\H9uFl~18\w C:\Users\Public\Pictures\zz4Y9\H9uFl~18\nw_elf.dll
    3⤵
    PID:4540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Users\Public\Pictures\zz4Y9\H9uFl~18\jdy_client_mini.exe
  "C:\Users\Public\Pictures\zz4Y9\H9uFl~18\jdy_client_mini.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b49d.rbs

Filesize
9KB

MD5
3aee594cb811154ca11a8d3898cf6ff2

SHA1
911423e38248121a4ed7f310d6317800fdab6081

SHA256
ea8409e50f80e1e5f54f4baecadba11a4284b6da3aa2c1353a3514736886d154

SHA512
016ff7a40ddcf0d455c503d013312aa99d2bf8c0c463b579d1e76c86b99113e0cbec0d06c4ceedee746e6cf89da0f574edef7101c89225a674b94ca468b0a6c1

Download Submit
C:\Program Files\Sunlogin\Sunlogin\XR.exe

Filesize
18.7MB

MD5
8fb8044052662077cdc327a12000e3e9

SHA1
94a421e07d154fcc6d411d72f7aa9c3f08bd8058

SHA256
ef413c1fdf376dbac6bde73240146ea2676ed47d08150f8b744576f4d3bc4dd2

SHA512
2258250b048b61a9732b0da0ef2fb4b522158718a6ab6dcba4dc9b545e3954aa93926d033111c4e14cf85c30f7fa236c0453d9cd70a06c6d06e1d6dc197373e3

Download Submit
C:\Program Files\Sunlogin\Sunlogin\cache_21_0

Filesize
9.0MB

MD5
be5628882d28ba1bdb9850dc4b7e7fa1

SHA1
6d37839c4b8ded05c0e8108696e1b794de59a2a8

SHA256
def949e97a2a2d2e504f7c85a27a6f2fd44d3a898357398f4aaa7eb033dfb287

SHA512
16037fd6ee2bb26e1014e9e69a2ee5d7290ebe5021ed1eedaa5908b73c39cc2ba6f66c553be9a39163b8831e8f519b10009e71fb94ce392c7229541192aa1c39

Download Submit
C:\Users\Admin\AppData\Roaming\1xhDT.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\zz4Y9\H9uFl~18\NH.txt

Filesize
179KB

MD5
1bd1c65b610003b945e7b9bd7210db2a

SHA1
66902e2b5d575c0232eab4576b81daac56a6bbc8

SHA256
871814884dd4058d25cc0111fea5bf48da43d7ac6e7b71db166dd3190a116820

SHA512
d487bd2beab4e9c44ebbcffab0215b1c2d93ae3feea8130f8cbcafb4b182222e6054c3c7f79c77a6004a67890f3d5e8cc3a39d959c5b3c40249752483ef00928

Download Submit
C:\Users\Public\Pictures\zz4Y9\H9uFl~18\jdy_client_mini.exe

Filesize
2.6MB

MD5
c206388d7a4c81a52cf637a3e0d2acc8

SHA1
c927b021d7f4691ac84a7a54a8d3358f02c89ee6

SHA256
1dab81c0d0650a673151e90d475722906f6d71421ceaa8f0df9b14d2e36cd9d3

SHA512
247d2277b23360db7d9e7794be80290e1148eb03d5b15ef56710c5dfd62b0374cc05a1529889f00f59813a4e1ed00f35358069a3397fafd65f89205268e4f783

Download Submit
C:\Users\Public\Pictures\zz4Y9\H9uFl~18\nw_elf.dll

Filesize
1.7MB

MD5
c17a7b1c4836089c0c73b03b8ada5941

SHA1
25629c7994565d12969b36f9b3960bafedd7e20a

SHA256
0ef6821b9df8c45c7d817c36bf99cf0057a63bcb5709ffdfd721cc50dcd7afd9

SHA512
0b6510127be3014b0b46ed7f4fb48b75bf63b566ae700767115d0e6d26d8e487d0261b19952dc9c0d9946e25d424388b41c7b2f9634c8ff008d9d837de335597

Download Submit
C:\Users\Public\Pictures\zz4Y9\H9uFl~18\p

Filesize
886KB

MD5
2ed406d06efeeea53ba02a605f1d1674

SHA1
70085132cb0207b1389581489149c42052ba374b

SHA256
7bdd4e0d14aae0653f703b66b8257f6a9c997547d06fb20063cc02929b7cd1b0

SHA512
0213c75c9611102a12ccc26e44fffdc7657606da00a6aa98044394a845dbaa25d1e1f987c5963c7db96f965804db29032cd480d15732cbb33a622ba7dc387762

Download Submit
C:\Users\Public\Pictures\zz4Y9\H9uFl~18\w

Filesize
886KB

MD5
a5b68f44e99929a11b6fead500e8ed61

SHA1
6dcd1d94e214a3db96c286758c0e2690dddaa977

SHA256
fdf58cf91573dfebe3ea25d567b993570ebd5a2f2fd74fd1e22dcd7103ac18b2

SHA512
af8c057851ec682047d550d7190d7450f505b848f87aaf6681400acc9a21253321b06de74d7d932cfc1a7a153bc3d13d791c42b365159ae51184c8ec86f201e9

Download Submit
C:\Windows\Installer\MSIB546.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
3598412b7d5d27db21145b3e6fe18f45

SHA1
4effbcf08a832462b5ef07f8512edd6709fb0490

SHA256
b5d05107824c74e17d582c63f6fc525655cc3cea46274d29b5ef99168ac5f403

SHA512
30f6a88713f51f4fab97538f34407aca96a0770f1a9ec261c5ab6a27cb713499dfca2b866e426411e171197a21605ec78267990ff853bc4e24ae896de3df274d

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{823f6af8-208b-4ad3-a981-4459f3b81f6b}_OnDiskSnapshotProp

Filesize
6KB

MD5
b99a891e2981fe410882e27c1a8aff50

SHA1
9bf36ae8b25a6778ba6712e4e32a4ad469780be6

SHA256
29d3f67f4ef96641d569c1fb9ccd6a0bec8984c80b15ae013634e664a0106f6c

SHA512
626e6875ba666bc4872c926538ce6f1f78bbb8a069285b6e6cb15f492c2916da3396b3ac8037fd3e0d9a69c5c37ff1d85b1c68810228a1e724c7a0ab31b7bc1d

Download Submit
memory/3316-52-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/3316-51-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/3316-50-0x0000000180000000-0x0000000180213000-memory.dmp

Filesize
2.1MB

Download
memory/4956-70-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-72-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-71-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-83-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-84-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-85-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-86-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download
memory/4956-87-0x0000000002620000-0x0000000002689000-memory.dmp

Filesize
420KB

Download