Analysis
max time kernel: 148s
max time network: 138s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2024 06:42
Static task: static1
Behavioral task: behavioral1
  Sample: 54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
  Resource: win10v2004-20241007-en
General
Target: 54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
Size: 46.2MB
MD5: 2487e36f76cc09ec67842ca4a2529408
SHA1: 4b2ce72751d5263d8632857bc8cd305ae53179b0
SHA256: 54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d
SHA512: 899a5a707e243e3571c003d43455bb6d876e658899493b935600375efc50ce1908eb64a45bc3762df398b5bded473f207e0484a91b4f8916f08b4ead9ef64edf
SSDEEP: 786432:z7zPJlZQwSNnfIS3sLxnbna9eVpfQjFaYDYQVGB5c74FTnW0bNg6ojGRUSIITKty:Tr3SOxDa9eVU7DYKGBW74Q0fz2aMy
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 2888 powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (7 IoCs)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\Saved Games (tsetup.tmp)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\Saved Games\desktop.ini (tsetup.tmp)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (Telegram.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (Telegram.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 (Telegram.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 (Telegram.exe)
Drops file in Program Files directory (16 IoCs)
- File opened for modification: C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY (qXarwvaJOuckZgu.exe)
- File created: C:\Program Files\NetworkDirectVuetify\2_kTQQNujsYZyY.exe (qXarwvaJOuckZgu.exe)
- File opened for modification: C:\Program Files\NetworkDirectVuetify\2_kTQQNujsYZyY.exe (qXarwvaJOuckZgu.exe)
- File created: C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe (MsiExec.exe)
- File opened for modification: C:\Program Files\NetworkDirectVuetify (kTQQNujsYZyY.exe)
- File created: C:\Program Files\NetworkDirectVuetify\tsetup.exe (msiexec.exe)
- File created: C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo (qXarwvaJOuckZgu.exe)
- File opened for modification: C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe (MsiExec.exe)
- File created: C:\Program Files\NetworkDirectVuetify\wegame.exe (MsiExec.exe)
- File created: C:\Program Files\NetworkDirectVuetify\valibclang2d.dll (msiexec.exe)
- File created: C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe (qXarwvaJOuckZgu.exe)
- File opened for modification: C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe (qXarwvaJOuckZgu.exe)
- File created: C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY (qXarwvaJOuckZgu.exe)
- File created: C:\Program Files\NetworkDirectVuetify\UZucQvhtuIqsMFE (msiexec.exe)
- File opened for modification: C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo (qXarwvaJOuckZgu.exe)
- File created: C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe (msiexec.exe)
Drops file in Windows directory (10 IoCs)
- File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
- File opened for modification: C:\Windows\Installer\f779cdb.msi (msiexec.exe)
- File created: C:\Windows\Installer\f779cde.msi (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.app.log (kTQQNujsYZyY.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
- File created: C:\Windows\Installer\f779cdb.msi (msiexec.exe)
- File created: C:\Windows\Installer\f779cdc.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIA055.tmp (msiexec.exe)
- File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
Executes dropped EXE (6 IoCs)
- pid 2100 qXarwvaJOuckZgu.exe
- pid 2372 qXarwvaJOuckZgu.exe
- pid 1288 kTQQNujsYZyY.exe
- pid 680 tsetup.exe
- pid 2536 tsetup.tmp
- pid 1616 Telegram.exe
Loads dropped DLL (7 IoCs)
- pid 680 tsetup.exe
- pid 2536 tsetup.tmp
- pid 1188 Process not Found
- pid 1188 Process not Found
- pid 1188 Process not Found
- pid 1188 Process not Found
- pid 1616 Telegram.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
- pid 2496 msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tsetup.tmp)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qXarwvaJOuckZgu.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qXarwvaJOuckZgu.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (tsetup.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (kTQQNujsYZyY.exe)
Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct (Telegram.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Telegram.exe)
- Key queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Telegram.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ (Telegram.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Telegram.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (Telegram.exe)
Kills process with taskkill (1 IoCs)
- pid 2524 taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies system certificate store
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 (kTQQNujsYZyY.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] (kTQQNujsYZyY.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
- pid 1616 Telegram.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- pid 2872 msiexec.exe
- pid 2872 msiexec.exe
- pid 2888 powershell.exe
- pid 1288 kTQQNujsYZyY.exe
- pid 2536 tsetup.tmp
- pid 2536 tsetup.tmp
Suspicious use of AdjustPrivilegeToken (59 IoCs)
Suspicious use of FindShellTrayWindow (6 IoCs)
- pid 2496 msiexec.exe
- pid 2536 tsetup.tmp
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
Suspicious use of SendNotifyMessage (4 IoCs)
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
- pid 1616 Telegram.exe
Suspicious use of WriteProcessMemory (41 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
  PID: 2496
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2872
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\MsiExec.exe
      Command line: C:\Windows\system32\MsiExec.exe -Embedding DC275EDC18CFF04424F3FCF66286CE4E M Global\MSI0000
      PID: 1476
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\NetworkDirectVuetify','C:\Program Files','C:\Program Files'
          PID: 2888
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe
          Command line: "C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe" x "C:\Program Files\NetworkDirectVuetify\UZucQvhtuIqsMFE." "C:\Program Files\NetworkDirectVuetify\" -p"34204U3$J+" -y
          PID: 2100
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe
          Command line: "C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe" x "C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo." -x"1_kTQQNujsYZyY.exe" -x"sss" -x"1_ICreQbOyZSZhTvR.exe" -x"1_" -x"1_" -x"sa" "C:\Program Files\NetworkDirectVuetify\" -p"35784V_QPi" -y
          PID: 2372
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe
          Command line: "C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe" -nbg 268
          PID: 1288
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Modifies system certificate store
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\NetworkDirectVuetify\tsetup.exe
          Command line: "C:\Program Files\NetworkDirectVuetify\tsetup.exe"
          PID: 680
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\is-5IGDI.tmp\tsetup.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-5IGDI.tmp\tsetup.tmp" /SL5="$A017E,44246395,814592,C:\Program Files\NetworkDirectVuetify\tsetup.exe"
              PID: 2536
              - Drops file in System32 directory
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
                  Command line: "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
                  PID: 1616
                  - Drops file in System32 directory
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Enumerates system info in registry
                  - Modifies data under HKEY_USERS
                  - Suspicious behavior: AddClipboardFormatListener
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage

        C:\Windows\System32\taskkill.exe
          Command line: "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
          PID: 2524
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3068
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000578" "00000000000003DC"
  PID: 1036
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads