10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Size

40.6MB
MD5

4e0c73259e83e8d5f36be55d4a937307
SHA1

539d747d30c16f50ddf6b72da1426709edce5732
SHA256

10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9
SHA512

eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5
SSDEEP

786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu

Score

10^/10

discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGtQhLH = "\"C:\\Program Files (x86)\\Common Files\\DsGtQhLH.lnk\""	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exepYkYZuRh.exe

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	pYkYZuRh.exe
File opened (read-only)	\??\P:	pYkYZuRh.exe
File opened (read-only)	\??\R:	pYkYZuRh.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	pYkYZuRh.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	pYkYZuRh.exe
File opened (read-only)	\??\M:	pYkYZuRh.exe
File opened (read-only)	\??\Q:	pYkYZuRh.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	pYkYZuRh.exe
File opened (read-only)	\??\W:	pYkYZuRh.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	pYkYZuRh.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	pYkYZuRh.exe
File opened (read-only)	\??\S:	pYkYZuRh.exe
File opened (read-only)	\??\U:	pYkYZuRh.exe
File opened (read-only)	\??\Z:	pYkYZuRh.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	pYkYZuRh.exe
File opened (read-only)	\??\N:	pYkYZuRh.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	pYkYZuRh.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	pYkYZuRh.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	pYkYZuRh.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	pYkYZuRh.exe
File opened (read-only)	\??\Y:	pYkYZuRh.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pYkYZuRh.exe

pid	Process
948	pYkYZuRh.exe
948	pYkYZuRh.exe

Drops file in Program Files directory 13 IoCs

Processes:

msiexec.exeMsiExec.exepowershell.exe

description	ioc	Process
File created	C:\Program Files (x86)\msvcr100.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DsGtQhLH.lnk	msiexec.exe
File created	C:\Program Files (x86)\Common Files\~sGtQhLH.tmp	msiexec.exe
File created	C:\Program Files (x86)\Common Files\DsGtQhLH.lnk~RFf76c5af.TMP	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\DsGtQhLH.lnk	MsiExec.exe
File created	C:\Program Files (x86)\DsGtQhLH.exe	msiexec.exe
File created	C:\Program Files (x86)\pYkYZuRh.exe	msiexec.exe
File created	C:\Program Files (x86)\msvcp100.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\~sGtQhLH.tmp	msiexec.exe
File opened for modification	C:\Program Files (x86)\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\1	msiexec.exe
File created	C:\Program Files (x86)\libcurl.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Common Files\DsGtQhLH.lnk	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC5B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c20a.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76c207.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c207.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC350.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76c20a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC311.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC40C.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

pYkYZuRh.exeDsGtQhLH.exe

pid	Process
948	pYkYZuRh.exe
1380	DsGtQhLH.exe

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exepYkYZuRh.exeDsGtQhLH.exe

pid	Process
376	MsiExec.exe
376	MsiExec.exe
376	MsiExec.exe
376	MsiExec.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
1380	DsGtQhLH.exe
1380	DsGtQhLH.exe
1380	DsGtQhLH.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1688	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
1656	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pYkYZuRh.exeMsiExec.exeDsGtQhLH.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pYkYZuRh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DsGtQhLH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

msiexec.exepowershell.exepYkYZuRh.exe

pid	Process
352	msiexec.exe
352	msiexec.exe
1688	powershell.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe
948	pYkYZuRh.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

pYkYZuRh.exeDsGtQhLH.exe

pid	Process
948	pYkYZuRh.exe
1380	DsGtQhLH.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	Process
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeSecurityPrivilege	352	msiexec.exe
Token: SeCreateTokenPrivilege	1656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1656	msiexec.exe
Token: SeLockMemoryPrivilege	1656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1656	msiexec.exe
Token: SeMachineAccountPrivilege	1656	msiexec.exe
Token: SeTcbPrivilege	1656	msiexec.exe
Token: SeSecurityPrivilege	1656	msiexec.exe
Token: SeTakeOwnershipPrivilege	1656	msiexec.exe
Token: SeLoadDriverPrivilege	1656	msiexec.exe
Token: SeSystemProfilePrivilege	1656	msiexec.exe
Token: SeSystemtimePrivilege	1656	msiexec.exe
Token: SeProfSingleProcessPrivilege	1656	msiexec.exe
Token: SeIncBasePriorityPrivilege	1656	msiexec.exe
Token: SeCreatePagefilePrivilege	1656	msiexec.exe
Token: SeCreatePermanentPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	1656	msiexec.exe
Token: SeRestorePrivilege	1656	msiexec.exe
Token: SeShutdownPrivilege	1656	msiexec.exe
Token: SeDebugPrivilege	1656	msiexec.exe
Token: SeAuditPrivilege	1656	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1656	msiexec.exe
Token: SeChangeNotifyPrivilege	1656	msiexec.exe
Token: SeRemoteShutdownPrivilege	1656	msiexec.exe
Token: SeUndockPrivilege	1656	msiexec.exe
Token: SeSyncAgentPrivilege	1656	msiexec.exe
Token: SeEnableDelegationPrivilege	1656	msiexec.exe
Token: SeManageVolumePrivilege	1656	msiexec.exe
Token: SeImpersonatePrivilege	1656	msiexec.exe
Token: SeCreateGlobalPrivilege	1656	msiexec.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe
Token: SeBackupPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	2788	DrvInst.exe
Token: SeLoadDriverPrivilege	2788	DrvInst.exe
Token: SeLoadDriverPrivilege	2788	DrvInst.exe
Token: SeLoadDriverPrivilege	2788	DrvInst.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe
Token: SeTakeOwnershipPrivilege	352	msiexec.exe
Token: SeRestorePrivilege	352	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
1656	msiexec.exe
1656	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

pYkYZuRh.exe

pid	Process
948	pYkYZuRh.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

msiexec.exeDsGtQhLH.exe

description	pid	Process	procid_target
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 376	352	msiexec.exe	32
PID 352 wrote to memory of 948	352	msiexec.exe	33
PID 352 wrote to memory of 948	352	msiexec.exe	33
PID 352 wrote to memory of 948	352	msiexec.exe	33
PID 352 wrote to memory of 948	352	msiexec.exe	33
PID 352 wrote to memory of 1380	352	msiexec.exe	34
PID 352 wrote to memory of 1380	352	msiexec.exe	34
PID 352 wrote to memory of 1380	352	msiexec.exe	34
PID 352 wrote to memory of 1380	352	msiexec.exe	34
PID 1380 wrote to memory of 1688	1380	DsGtQhLH.exe	35
PID 1380 wrote to memory of 1688	1380	DsGtQhLH.exe	35
PID 1380 wrote to memory of 1688	1380	DsGtQhLH.exe	35
PID 1380 wrote to memory of 1688	1380	DsGtQhLH.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- UAC bypass
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ADC0E11233BA1C03050EC97EF3245FF5
  2⤵
  - Drops file in Program Files directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:376
- C:\Program Files (x86)\pYkYZuRh.exe
  "C:\Program Files (x86)\pYkYZuRh.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:948
- C:\Program Files (x86)\DsGtQhLH.exe
  "C:\Program Files (x86)\DsGtQhLH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Drops file in Program Files directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005C4" "000000000000058C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c20b.rbs

Filesize
5KB

MD5
95ca2b83ea80aaeebf2b0eb75d18efe6

SHA1
0c5126acdbc6779569ac9b780b3101aedb4ec74c

SHA256
37412ef2aca313651669729ee7d5464485fce375bf60ae1f0df2e63c53e0836a

SHA512
07de1c9000e6cc1f4404f661ff025cbbe6bf54c3afc5a7c77780e4711342bd7e0a40b94e8a2ec6105882d996075fd814a7bb22ffa1b672715adbf72b7b7df072

Download Submit
C:\Program Files (x86)\1

Filesize
6.0MB

MD5
a589ea47d27781243203497042014ee3

SHA1
02af54d118fdb181247e76a79a3acfbb074bf6ea

SHA256
d25b465e1a59b452605512566d4417cb44a72d07b989f8cb276849bf4f66ac52

SHA512
baed6eda05efb91f65812e117730bd3d6587166667dc3b7e2f1f3c802a713829b5b6c9c0287fe37267e4a4a5f941776aa49adcbe45ffa1da99e9b73c99b0a09e

Download Submit
C:\Program Files (x86)\Common Files\DsGtQhLH.lnk

Filesize
878B

MD5
84b95fe3471aba37c3b0bb03b32b1051

SHA1
0bee4035ad743276b7fcc85c00d3717383095bdd

SHA256
aed0d4dde2f93b0282a53e91a8e42d2c5d9645e9f5c71aa062d41b900e9f888c

SHA512
dda2a6a9d453981cef5b49d39b827c70341dcb7611871a95937fcfe2ff04f5bd0c658e9f114919c7b866641ce2335236cea4e8e2b5e7d606e3e2d42e70bc5cef

Download Submit
C:\Program Files (x86)\DsGtQhLH.exe

Filesize
14.5MB

MD5
9c44be4ceac0c983a812fd8459511fd0

SHA1
bd5aaad4acd523cd2855e8b50a8380365d81e041

SHA256
b6750a3631413d71d7ea10292a11e5d0560afb6ccd4ad4baa75d7dc80842f153

SHA512
372ddeb1045d49e8f98f17bccffb0e3edc2179e541f8a4493300517327e514c7bf64557250e0f84f7366310a3d7a58a8d5480596f9be075b3f5d9411a49b4d09

Download Submit
C:\Program Files (x86)\MSVCR100.dll

Filesize
756KB

MD5
ef3e115c225588a680acf365158b2f4a

SHA1
ecda6d3b4642d2451817833b39248778e9c2cbb0

SHA256
25d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8

SHA512
d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a

Download Submit
C:\Program Files (x86)\libcurl.dll

Filesize
19.4MB

MD5
9ff980feb6fccdb08ab3fe6fc5e428f1

SHA1
3c60d0fa914291da59a3cc883becd0ea26c1f26a

SHA256
d0cdc6b3747195a88b6918926f488215396970aa342e14d6ea819919d274a381

SHA512
989d76d721963f46386350c08b4e7a50a52e16d9fc92bc13c7f1fa20997a9aa35a8f144564af9f483b0e3f2fd32d436adfa84cb8638e9c408a79960b6da38618

Download Submit
C:\Windows\Installer\MSIC350.tmp

Filesize
408KB

MD5
0901970c2066aed8a97d75aaf1fd3146

SHA1
f0c700a4bfcebad9843e01a88bab71b5f38996d8

SHA256
41f827e6addfc71d68cd4758336edf602349fb1230256ec135121f95c670d773

SHA512
00e12fd2d752a01dfa75550ffaf3a2f337171cec93cd013083c37137a455e93bebd72e7d8487ec3e1de5fe22994f058829a6597765612278c20d601192cbe733

Download Submit
\Program Files (x86)\msvcp100.dll

Filesize
412KB

MD5
ed40615aa67499e2d2da8389ba9b331a

SHA1
09780d2c9d75878f7a9bb94599f3dc9386cf3789

SHA256
cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d

SHA512
47d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee

Download Submit
\Program Files (x86)\pYkYZuRh.exe

Filesize
129KB

MD5
7ea6be30e745e9556c017439c5e83273

SHA1
4e36ae4f8bb1c6a438f8cc6952ec840415b5d9f2

SHA256
5a3e4e68ffa8e8796ec0ff3d01473ceafa070dc533a1c268d073ee7abd6c8021

SHA512
0a17f4e6e60932282cb28823a77c5ebef7a8c8ee472f00c9ef9eebb0481886647faa698f2c2e193db095c6467f6e41307aff96030fadd3072ba700c1e1e45724

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC8FB.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/948-83-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/948-96-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-81-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/948-85-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/948-89-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-76-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/948-86-0x0000000010000000-0x0000000011E5A000-memory.dmp

Filesize
30.4MB

Download
memory/948-78-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/948-99-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-80-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/948-112-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-111-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-113-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-114-0x0000000000E60000-0x0000000000E98000-memory.dmp

Filesize
224KB

Download
memory/948-115-0x0000000000E60000-0x0000000000E98000-memory.dmp

Filesize
224KB

Download
memory/948-119-0x0000000000E60000-0x0000000000E98000-memory.dmp

Filesize
224KB

Download
memory/948-118-0x0000000000E60000-0x0000000000E98000-memory.dmp

Filesize
224KB

Download
memory/948-120-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download
memory/948-121-0x0000000003750000-0x0000000004077000-memory.dmp

Filesize
9.2MB

Download