Analysis

Max time kernel: 149s
Max time network: 143s
Platform: windows7_x64
Resource: win7-20241023-en
Resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
Submitted: 22-11-2024 03:37

Static task: static1

Behavioral task: behavioral1
  Sample: c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
  Resource: win10v2004-20241007-en

General

Target: c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
Size: 51.3MB
MD5: 7efb253def4f5980c8e7a4c95a96ce09
SHA1: e5f62d1b33eddca20e1b8cde7bf85205c411f058
SHA256: c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289
SHA512: 5a3c05754d5d94a1549f7eb4a08a237e39b976c4994db0bb8e10687757d954d7a3cda5ea1ea432c85e5e9b643378b8a6ae15ec2e6ce17a292d8f4cbe70955f4d
SSDEEP: 1572864:33j57EzJvxJXNywl4agZ9KsNhucJaV/Z/7h:33jWtv3dbl3bcJarzh
Malware Config

Signatures

Blackmoon family

Detect Blackmoon payload (1 IoC)
  - Resource: behavioral1/memory/1436-108-0x0000000010000000-0x0000000010DFE000-memory.dmp, YARA rule: family_blackmoon
Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nxNUrRUR.lnk (msiexec.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GpZSDZUD.lnk (msiexec.exe)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 events are "File opened (read-only)" on a \??\<drive>: path; grouped by process, in order of appearance:
  - msiexec.exe (42 events): M:, O:, X:, Z:, H:, R:, L:, W:, Y:, N:, T:, U:, Y:, H:, V:, K:, V:, Q:, X:, G:, E:, S:, K:, T:, I:, O:, E:, Z:, P:, U:, B:, A:, I:, J:, L:, Q:, S:, J:, M:, A:, G:, W:
  - TgwFTQMc.exe (22 events): E:, I:, Q:, B:, V:, Y:, M:, U:, Z:, J:, P:, S:, H:, N:, R:, W:, X:, L:, O:, G:, K:, T:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (wegame.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  - PID 1436 TgwFTQMc.exe
  - PID 1568 TgwFTQMc.exe
  - PID 1436 TgwFTQMc.exe
  - PID 1568 TgwFTQMc.exe
Drops file in Program Files directory (18 IoCs)
  - File created: C:\Program Files (x86)\mxewmGJk\msvcp100.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\Lua51.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\beacon_sdk.dll (msiexec.exe)
  - File opened for modification: C:\Program Files (x86)\mxewmGJk\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\libcurl.dll (TgwFTQMc.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\log.txt (TgwFTQMc.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\GxySSwAr.exe (msiexec.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\msvcr100.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\adapt_for_imports.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\common.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\vcruntime140.dll (msiexec.exe)
  - File opened for modification: C:\Program Files (x86)\BJgxmmSq\log\wegame.mem.log (wegame.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\1 (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\wegame.exe (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\msvcp140.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\mxewmGJk\libcurl.dll (msiexec.exe)
  - File created: C:\Program Files (x86)\BJgxmmSq\log\wegame.20241122-033739-367.log (wegame.exe)
Drops file in Windows directory (9 IoCs)
  - File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  - File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  - File opened for modification: C:\Windows\Installer\f76c1f8.msi (msiexec.exe)
  - File created: C:\Windows\Installer\f76c1fb.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIC2F1.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\f76c1fb.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  - File created: C:\Windows\Installer\f76c1f8.msi (msiexec.exe)
Executes dropped EXE (5 IoCs)
  - PID 544 wegame.exe
  - PID 2016 wegame.exe
  - PID 1568 TgwFTQMc.exe
  - PID 1436 TgwFTQMc.exe
  - PID 2964 GxySSwAr.exe
Loads dropped DLL (21 IoCs)
Grouped by process, with the number of load events per PID:
  - wegame.exe: PID 2016 (6 events), PID 544 (6 events)
  - TgwFTQMc.exe: PID 1568 (3 events), PID 1436 (3 events)
  - GxySSwAr.exe: PID 2964 (3 events)

Command and Scripting Interpreter: PowerShell
(The signature title was missing from the extracted Signatures list; it is the one signature shown for PID 1276 in the process tree below.)
  - PID 1276 powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  - PID 2344 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wegame.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (GxySSwAr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (TgwFTQMc.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wegame.exe)
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wegame.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (wegame.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (wegame.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (wegame.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (wegame.exe)
Modifies data under HKEY_USERS (43 IoCs)
All 43 events are by DrvInst.exe. Key created, unless noted otherwise:
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
  - \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
  - \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
  - \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Suspicious behavior: EnumeratesProcesses (64 IoCs)
In order of appearance:
  - PID 2588 msiexec.exe (2 events)
  - PID 2016 wegame.exe
  - PID 1436 TgwFTQMc.exe
  - PID 1568 TgwFTQMc.exe (2 events)
  - PID 1276 powershell.exe
  - all remaining events: PID 1436 TgwFTQMc.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 1436 TgwFTQMc.exe
  - PID 2964 GxySSwAr.exe
Suspicious use of AdjustPrivilegeToken (60 IoCs)
Tokens grouped by process, in order of appearance (repeats marked xN):
  - PID 2344 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 2588 msiexec.exe: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating x5 each
  - PID 2368 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 2820 DrvInst.exe: SeRestorePrivilege x7, SeLoadDriverPrivilege x3
  - PID 1276 powershell.exe: SeDebugPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 2344 msiexec.exe
  - PID 2344 msiexec.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1436 TgwFTQMc.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Source PID, target PID and procid_target, with the number of write events for each pair:
  - PID 2588 msiexec.exe wrote to memory of 2016 (procid_target 34): 4 events
  - PID 2588 msiexec.exe wrote to memory of 544 (procid_target 35): 4 events
  - PID 2588 msiexec.exe wrote to memory of 1436 (procid_target 38): 4 events
  - PID 2588 msiexec.exe wrote to memory of 1568 (procid_target 37): 4 events
  - PID 2588 msiexec.exe wrote to memory of 2964 (procid_target 39): 7 events
  - PID 2964 GxySSwAr.exe wrote to memory of 1276 (procid_target 40): 4 events
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Indentation shows the parent/child relationship; the number after each path is the depth in the tree.

1. C:\Windows\system32\msiexec.exe
   Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
   PID: 2344
   - Enumerates connected drives
   - Event Triggered Execution: Installer Packages
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow

1. C:\Windows\system32\msiexec.exe
   Command line: C:\Windows\system32\msiexec.exe /V
   PID: 2588
   - Drops startup file
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\BJgxmmSq\wegame.exe
      Command line: "C:\Program Files (x86)\BJgxmmSq\wegame.exe"
      PID: 2016
      - Writes to the Master Boot Record (MBR)
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Program Files (x86)\BJgxmmSq\wegame.exe
      Command line: "C:\Program Files (x86)\BJgxmmSq\wegame.exe"
      PID: 544
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry

   2. C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe
      Command line: "C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"
      PID: 1568
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

   2. C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe
      Command line: "C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"
      PID: 1436
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

   2. C:\Program Files (x86)\mxewmGJk\GxySSwAr.exe
      Command line: "C:\Program Files (x86)\mxewmGJk\GxySSwAr.exe"
      PID: 2964
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
         PID: 1276
         - Drops file in Program Files directory
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\vssvc.exe
   Command line: C:\Windows\system32\vssvc.exe
   PID: 2368
   - Suspicious use of AdjustPrivilegeToken

1. C:\Windows\system32\DrvInst.exe
   Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000047C" "00000000000004C8"
   PID: 2820
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Event Triggered Execution (1): Installer Packages (1)
  - Pre-OS Boot (1): Bootkit (1)

Defense Evasion
  - Pre-OS Boot (1): Bootkit (1)
  - System Binary Proxy Execution (1): Msiexec (1)