54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81

Analysis

max time kernel
139s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi
Size

19.6MB
MD5

ff821162f4a52975c227837b4310bcfc
SHA1

9c809183f9e16a752a10c53745037fe9e76984c0
SHA256

54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81
SHA512

9a36a0a5e1a679858a32e7030ab429b7252fa0da0318f6732f873b76b80f5cfa59476e1ec5cd9d2a096794a3bf81a179658c0ad21904b38bfabab0444762a656
SSDEEP

393216:7SlQBSnINh5eoFeRqEE4QUJpKLV/tWytmaI69SCNmLKfFYfrAW6rg:WdI/5lFeRJFjJWV/7tmapNJfkC

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1416	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\VideoConverter.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs	zKzEtPocmTOd.exe
File created	C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f77d981.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77d97e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA68.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f77d97e.msi	msiexec.exe
File created	C:\Windows\Installer\f77d97f.ipi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
2148	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
2084	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
1096	zKzEtPocmTOd.exe
1616	WhatsApp1.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1760	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2216	taskkill.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c098cad45f3edb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\PackageName = "54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\PackageCode = "BA0CC31A6753E2B4DA4D38E775725F06"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\56350C874AACB6B43A4E890D35C67983\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\ProductName = "PersonalizationInterpretBuild"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3DD8A6197D3A7FD45A41A5DF9DBFCB65\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Version = "117571592"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\56350C874AACB6B43A4E890D35C67983	msiexec.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
2880	msiexec.exe
2880	msiexec.exe
1416	powershell.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe
1096	zKzEtPocmTOd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1760	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeSecurityPrivilege	2880	msiexec.exe
Token: SeCreateTokenPrivilege	1760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1760	msiexec.exe
Token: SeLockMemoryPrivilege	1760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1760	msiexec.exe
Token: SeMachineAccountPrivilege	1760	msiexec.exe
Token: SeTcbPrivilege	1760	msiexec.exe
Token: SeSecurityPrivilege	1760	msiexec.exe
Token: SeTakeOwnershipPrivilege	1760	msiexec.exe
Token: SeLoadDriverPrivilege	1760	msiexec.exe
Token: SeSystemProfilePrivilege	1760	msiexec.exe
Token: SeSystemtimePrivilege	1760	msiexec.exe
Token: SeProfSingleProcessPrivilege	1760	msiexec.exe
Token: SeIncBasePriorityPrivilege	1760	msiexec.exe
Token: SeCreatePagefilePrivilege	1760	msiexec.exe
Token: SeCreatePermanentPrivilege	1760	msiexec.exe
Token: SeBackupPrivilege	1760	msiexec.exe
Token: SeRestorePrivilege	1760	msiexec.exe
Token: SeShutdownPrivilege	1760	msiexec.exe
Token: SeDebugPrivilege	1760	msiexec.exe
Token: SeAuditPrivilege	1760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1760	msiexec.exe
Token: SeChangeNotifyPrivilege	1760	msiexec.exe
Token: SeRemoteShutdownPrivilege	1760	msiexec.exe
Token: SeUndockPrivilege	1760	msiexec.exe
Token: SeSyncAgentPrivilege	1760	msiexec.exe
Token: SeEnableDelegationPrivilege	1760	msiexec.exe
Token: SeManageVolumePrivilege	1760	msiexec.exe
Token: SeImpersonatePrivilege	1760	msiexec.exe
Token: SeCreateGlobalPrivilege	1760	msiexec.exe
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe
Token: SeBackupPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2868	DrvInst.exe
Token: SeLoadDriverPrivilege	2868	DrvInst.exe
Token: SeLoadDriverPrivilege	2868	DrvInst.exe
Token: SeLoadDriverPrivilege	2868	DrvInst.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeRestorePrivilege	2148	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: 35	2148	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	2148	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	2148	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeRestorePrivilege	2084	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: 35	2084	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	2084	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	2084	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2360	2880	msiexec.exe	34
PID 2880 wrote to memory of 2360	2880	msiexec.exe	34
PID 2880 wrote to memory of 2360	2880	msiexec.exe	34
PID 2880 wrote to memory of 2360	2880	msiexec.exe	34
PID 2880 wrote to memory of 2360	2880	msiexec.exe	34
PID 2360 wrote to memory of 1416	2360	MsiExec.exe	36
PID 2360 wrote to memory of 1416	2360	MsiExec.exe	36
PID 2360 wrote to memory of 1416	2360	MsiExec.exe	36
PID 2360 wrote to memory of 1616	2360	MsiExec.exe	43
PID 2360 wrote to memory of 1616	2360	MsiExec.exe	43
PID 2360 wrote to memory of 1616	2360	MsiExec.exe	43
PID 2360 wrote to memory of 2216	2360	MsiExec.exe	44
PID 2360 wrote to memory of 2216	2360	MsiExec.exe	44
PID 2360 wrote to memory of 2216	2360	MsiExec.exe	44
PID 1616 wrote to memory of 272	1616	WhatsApp1.exe	46
PID 1616 wrote to memory of 272	1616	WhatsApp1.exe	46
PID 1616 wrote to memory of 272	1616	WhatsApp1.exe	46

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 5C29D012AD8ECE27D7818934549FABB6 M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PersonalizationInterpretBuild','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe
    "C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1616 -s 632
      4⤵
      PID:272
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    PID:2216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000003DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
"C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe" x "C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"17314<A}a(~9p3>d:L}0" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
"C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe" x "C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ" -x!"1_zKzEtPocmTOd.exe" -x!"sss" -x!"1_CNPdcWBDNfcfUyDsWrbvmBQhkPnnVe.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"70768UY!eWKrRq2&262_" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
"C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 132
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe

Filesize
3.9MB

MD5
10b0c2d503e18dbf51c067d54dd1267e

SHA1
2a0b1317961900c0b8666ae09152c31415f63b3a

SHA256
5bc819ea66774c21cdf699529a998b81779f5c6ebb9b82a3aafd2690d10165c2

SHA512
0d60717b7ef2194cee4fcc5e1f2f4f8e0d5a0d42a8cb6d5369b0c609ec12f598efb06611e77f97e92199f92f4303b161868dccf0a0cb307a670d503de6f729b2

Download Submit
C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM

Filesize
2.0MB

MD5
67d5bae557527ce6b1c7997657e2b980

SHA1
f08be2a47caf7cd87ab5ffd95d6f20a1f8329820

SHA256
05c17714bc0a0529cdcd3957a0df638f50f7eb1cbde86d954e3020d8df90e201

SHA512
5d629946561408bdf75761003307463b453ee3276bb40138d769311890e36dc7fe256e3fafb048f2ee7f0e6de95bccb47ad6faa64b4867c4f5ea1313da80b045

Download Submit
C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe

Filesize
1.0MB

MD5
f90ddf18d65bb3153bcdfdc4856ce2a5

SHA1
611376391f17207d60ca8c2ec81354933f8dac45

SHA256
62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

SHA512
f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Download Submit
C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe

Filesize
577KB

MD5
0fe04f5747f21419bc96e130b2068238

SHA1
558279fe10e5dc98419c3d7e138a569e7ca59011

SHA256
06654d17334fa342f62d42bd805c8bc6da8105612d9ff45c45b8f092a7c46e17

SHA512
a76fe81d96b1c4af92f4cee5ec567cee1393960bccf290963541e50df0b5286154878de577f7e383b5c0a75a4e134b71243e4e6154ab10ddda0d7a3a4c1a939b

Download Submit
C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ

Filesize
2.0MB

MD5
271644676d6ea23625b591f63e46cb88

SHA1
3df4cf1cb757f2567b38dab0af08c4bee1e5df8a

SHA256
4c8ba9e619f7eaa617bd110eb77e9b39b21dbf93d1941cd24c29274f1d41c5a3

SHA512
c9c1fe43370bfd1cf1d1477f35c9b89d998184bfde75137b52c3de6ec689e4f139367f10c93ca29b3cab0959a4a4dad7794ee5b8482a7018429f22375262b1dd

Download Submit
memory/1096-42-0x0000000002030000-0x000000000205F000-memory.dmp

Filesize
188KB

Download
memory/1416-17-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1416-18-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1616-44-0x0000000000980000-0x0000000000A82000-memory.dmp

Filesize
1.0MB

Download
memory/2360-12-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download