Analysis
- max time kernel: 142s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2024 10:55
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
  - Resource: win7-20240903-en
General
- Target: 35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
- Size: 37.5MB
- MD5: 0abc6b6ea4e322a248f31125ddb8911b
- SHA1: 26f0a5b6631e7ae1e324f8ce24eb967379f07416
- SHA256: 35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91
- SHA512: 364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9
- SSDEEP: 786432:TddVYfoDIf7i1q8WjTRThlXgxopO+9giU2yoLVhm+Zjh:TddVYf00pDfO+9DU2vLVVVh
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 2448 powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, each of the following drives twice (46 events in total): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (WPS1.exe)
Drops file in System32 directory (1 IoCs)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
YARA rule match: upx (5 IoCs)
- behavioral1/files/0x0005000000019259-38.dat (rule: upx)
- behavioral1/memory/1756-39-0x0000000000830000-0x0000000000DD3000-memory.dmp (rule: upx)
- behavioral1/memory/1756-58-0x0000000000830000-0x0000000000DD3000-memory.dmp (rule: upx)
- behavioral1/memory/1756-65-0x0000000000830000-0x0000000000DD3000-memory.dmp (rule: upx)
- behavioral1/memory/1756-73-0x0000000000830000-0x0000000000DD3000-memory.dmp (rule: upx)
Drops file in Program Files directory (17 IoCs)
- File created: C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe (MsiExec.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe (MsiExec.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe (msiexec.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\WPS1.exe (msiexec.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw (msiexec.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\asktao_mini_1.77_360rg.exe (msiexec.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs (zKzEtPocmTOd.exe)
- File created: C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- File opened for modification: C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f774c6b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI4D84.tmp (msiexec.exe)
- File created: C:\Windows\Installer\f774c6e.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
- File created: C:\Windows\Installer\f774c6b.msi (msiexec.exe)
- File created: C:\Windows\Installer\f774c6c.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\f774c6c.ipi (msiexec.exe)
Executes dropped EXE (4 IoCs)
- PID 2856 ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
- PID 2120 ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
- PID 1900 zKzEtPocmTOd.exe
- PID 1756 WPS1.exe
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
- PID 2948 msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (zKzEtPocmTOd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WPS1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe)
Kills process with taskkill (1 IoCs)
- PID 1964 taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
DrvInst.exe (certificate store keys):
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
WPS1.exe (Kingsoft/WPS keys and MuiCache):
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHD = "c53a06a0bb0e0bb623e73e5bffb50f6b"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\plugins\kdcsdk\lastUpdateDeviceInfoDate = "2024/11/24"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\kwpsonlinesetup\infoGUID = "{FF48BC40-E167-45BD-8847-F9F3EAF88F67}"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft
- Key created: \REGISTRY\USER\.DEFAULT\Software\kingsoft\kwpsonlinesetup
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\plugins\kdcsdk
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\plugins
- Key created: \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins\kdcsdk
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Kingsoft\Office\6.0\Common\InfoHDt = "24"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
msiexec.exe (MuiCache):
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E
powershell.exe (Explorer start page):
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20fd327b5f3edb01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Modifies registry class (22 IoCs)
All entries by msiexec.exe, under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AuthorizedLUAApp = "0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\PackageName = "35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media\1 = ";"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Assignment = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AdvertiseFlags = "388"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64\7BEC2384078CD20428700EB4C853D4DA
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA\ProductFeature
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Version = "101187584"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\InstanceType = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\DeploymentFlags = "3"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Clients = 3a0000000000
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\ProductName = "PersonalizationInterpretBuild"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\PackageCode = "0E44915F58A6BFA40AE77CF19B2A2304"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Language = "1033"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList
Suspicious behavior: EnumeratesProcesses (54 IoCs)
- PID 2712 msiexec.exe (2 events)
- PID 2448 powershell.exe (1 event)
- PID 1756 WPS1.exe (1 event)
- PID 1900 zKzEtPocmTOd.exe (50 events)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Tokens adjusted, grouped by process (in the order recorded):
- PID 2948 msiexec.exe (31 events): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 2712 msiexec.exe (11 events): SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating three more times each
- PID 2716 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- PID 2624 DrvInst.exe (10 events): SeRestorePrivilege (7 times), SeLoadDriverPrivilege (3 times)
- PID 2448 powershell.exe (1 event): SeDebugPrivilege
- PID 2856 ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe (4 events): SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- PID 2120 ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe (4 events): SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow (1 IoCs)
- PID 2948 msiexec.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Writer PID, process, target PID and sandbox procid_target:
- PID 2712 msiexec.exe wrote to memory of PID 2012 (procid_target 34), 5 events
- PID 2012 MsiExec.exe wrote to memory of PID 2448 (procid_target 36), 3 events
- PID 2012 MsiExec.exe wrote to memory of PID 1756 (procid_target 43), 7 events
- PID 2012 MsiExec.exe wrote to memory of PID 1964 (procid_target 44), 3 events
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe (PID 2948, depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2712, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\MsiExec.exe (PID 2012, depth 2)
    Command line: C:\Windows\system32\MsiExec.exe -Embedding 91D0C4D499CE03A84D38F45329B6DE43 M Global\MSI0000
    Signatures:
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2448, depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PersonalizationInterpretBuild','C:\Program Files','C:\Program Files'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\PersonalizationInterpretBuild\WPS1.exe (PID 1756, depth 3)
      Command line: "C:\Program Files\PersonalizationInterpretBuild\WPS1.exe"
      Signatures:
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\taskkill.exe (PID 1964, depth 3)
      Command line: "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
      Signatures:
      - Kills process with taskkill
- C:\Windows\system32\vssvc.exe (PID 2716, depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2624, depth 1)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "0000000000000570"
  Signatures:
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe (PID 2856, depth 1)
  Command line: "C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"10622B;o}[SV|Z[m54bB" -y
  Signatures:
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe (PID 2120, depth 1)
  Command line: "C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc" -x!"1_zKzEtPocmTOd.exe" -x!"sss" -x!"1_evudGJAAUuEQzpsWgsAOjfYIWkhhmp.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"88601f*mYxbaI3~k+)!U" -y
  Signatures:
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe (PID 1900, depth 1)
  Command line: "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 123
  Signatures:
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\msiexec.exe (PID 464, depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (1): Installer Packages (1)
- Pre-OS Boot (1): Bootkit (1)
Defense Evasion
- Pre-OS Boot (1): Bootkit (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads