gozi | 5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca

Analysis

max time kernel
94s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
Size

7.6MB
MD5

17d82b7cc1b6e667a90dc36c7a28e35a
SHA1

ee0b8dae09347e1bb8bb96a8dee0ab8b07f8ae51
SHA256

5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca
SHA512

e9e8d8f2052dbb20a659026e3d5e58e07722b4dc8901d5cee1e1aa8dc4fbd2fe960c193604cdbee5334f18a023ed2ea89ce0f71e116851214b94e4fad0c4f8bf
SSDEEP

196608:DG0DNww2S9qRkGpdHbwbDVBQqepp53Na0S6qAV8WE4:hQRbAQTpZNa0vx

Score

10^/10

gozi banker discovery isfb trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Executes dropped EXE 1 IoCs

pid	Process
3640	ShopeePlus.exe

Loads dropped DLL 9 IoCs

pid	Process
1752	MsiExec.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\UpdateShopeePlus.exe	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Facebook.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.Fonts.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Microsoft.mshtml.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe	msiexec.exe
File created	C:\Program Files (x86)\Plus24h.com\ShopeePlus\System.Data.SQLite.dll	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57e908.msi	msiexec.exe
File created	C:\Windows\Installer\e57e90a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA80.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe_3BC26883C8FA4C709CB7D62A11E4ED35.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_F2C8FAA61CBD4B98A75B4534E957C58F.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e908.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9511F148-EF10-433B-B475-FE8A23B2F3BE}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_40B956DED35A407291C966AB61A97D2E.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_F2C8FAA61CBD4B98A75B4534E957C58F.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe1_28695D4FAF354CA1BAED07B5252E839A.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE9E3.tmp	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe_3BC26883C8FA4C709CB7D62A11E4ED35.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\UpdateShopeePlus.e_40B956DED35A407291C966AB61A97D2E.exe	msiexec.exe
File created	C:\Windows\Installer\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\ShopeePlus.exe1_28695D4FAF354CA1BAED07B5252E839A.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ShopeePlus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ShopeePlus.exe = "11001"	ShopeePlus.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Facebook.dll\Facebook,Version="6.0.10.0",PublicKeyToken="58CB4F2111D1E6DE",Culture="neutral",FileVersion="7.0.6.0",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e004f0033004d0029005a003400550053003f0040002d0078004e006d006d00740068005f006b00610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Newtonsoft.Json.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|ShopeePlus.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|System.Data.SQLite.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|System.Data.SQLite.dll\System.Data.SQLite,Version="1.0.103.0",PublicKeyToken="DB937BC2D44FF139",Culture="neutral",FileVersion="1.0.103.0",ProcessorArchite = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0051005300430052002b004400750077004d0039006d0071007600610072002c00520061005e005e0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\PackageName = "ShopeePlus_V1.0.0.17.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.dll\MetroFramework,Version="1.2.0.3",PublicKeyToken="5F91A84759BF584A",Culture="neutral",FileVersion="1.2.0.3",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0055004d007d006c0030003400270038006c0039007b007b00720021002d0053007b0038003200610000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Newtonsoft.Json.dll\Newtonsoft.Json,Version="6.0.0.0",PublicKeyToken="30AD4FE6B2A6AEED",Culture="neutral",FileVersion="6.0.8.18111",ProcessorArchitecture= = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e00560072006a003d00790040007100390029003f00360027005f004f006000510063002d005d00690000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|UpdateShopeePlus.exe\UpdateShopeePlus,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e005d003d005e007d00570041007200540062003800310034006c002e005b005e006d00770057004f0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\ProductName = "ShopeePlus"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.Fonts.dll\MetroFramework.Fonts,Version="1.2.0.3",PublicKeyToken="5F91A84759BF584A",Culture="neutral",FileVersion="1.2.0.3",ProcessorArchite = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e0072004a0032004b003400540076002400630038003300650029004000600042003200580044003d0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Microsoft.mshtml.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|ShopeePlus.exe\ShopeePlus,Version="2.0.0.0",PublicKeyToken="F70E2388E996517E",Culture="neutral",FileVersion="2.0.0.0",ProcessorArchitecture="X86" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e00510043004d002500670054002c006e00420040005e006b00340079003100690044004c002100490000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C64BDA3BA1923484D95C9123168CE01C\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.Fonts.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|MetroFramework.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\PackageCode = "4F77418D90944AA4E9A2C703B62C7FAE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Microsoft.mshtml.dll\Microsoft.mshtml,Version="7.0.3300.0",PublicKeyToken="B03F5F7F11D50A3A",Culture="neutral",FileVersion="7.0.3300.1" = 5f0056004c00760057005100680069005b0039002c006a003100620054005b005f005a00470066003e002a004a007a0047007a0070002d005a00670040004d0032007a00340052005900440030002c00750000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\841F115901FEB3344B57EFA8322B3FEB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\841F115901FEB3344B57EFA8322B3FEB\AlwaysInstall	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C64BDA3BA1923484D95C9123168CE01C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|UpdateShopeePlus.exe	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\ProductIcon = "C:\\Windows\\Installer\\{9511F148-EF10-433B-B475-FE8A23B2F3BE}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Net\1 = "C:\\CachedFiles\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|Plus24h.com\|ShopeePlus\|Facebook.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\841F115901FEB3344B57EFA8322B3FEB\SourceList\LastUsedSource = "n;1;C:\\CachedFiles\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1088	msiexec.exe
1088	msiexec.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe
3640	ShopeePlus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4760	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4760	MSIEXEC.EXE
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeCreateTokenPrivilege	4760	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4760	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4760	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4760	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4760	MSIEXEC.EXE
Token: SeTcbPrivilege	4760	MSIEXEC.EXE
Token: SeSecurityPrivilege	4760	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4760	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4760	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4760	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4760	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4760	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4760	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4760	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4760	MSIEXEC.EXE
Token: SeBackupPrivilege	4760	MSIEXEC.EXE
Token: SeRestorePrivilege	4760	MSIEXEC.EXE
Token: SeShutdownPrivilege	4760	MSIEXEC.EXE
Token: SeDebugPrivilege	4760	MSIEXEC.EXE
Token: SeAuditPrivilege	4760	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4760	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4760	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4760	MSIEXEC.EXE
Token: SeUndockPrivilege	4760	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4760	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4760	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4760	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4760	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4760	MSIEXEC.EXE
Token: SeBackupPrivilege	4540	vssvc.exe
Token: SeRestorePrivilege	4540	vssvc.exe
Token: SeAuditPrivilege	4540	vssvc.exe
Token: SeBackupPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeBackupPrivilege	4724	srtasks.exe
Token: SeRestorePrivilege	4724	srtasks.exe
Token: SeSecurityPrivilege	4724	srtasks.exe
Token: SeTakeOwnershipPrivilege	4724	srtasks.exe
Token: SeBackupPrivilege	4724	srtasks.exe
Token: SeRestorePrivilege	4724	srtasks.exe
Token: SeSecurityPrivilege	4724	srtasks.exe
Token: SeTakeOwnershipPrivilege	4724	srtasks.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4760	MSIEXEC.EXE
4760	MSIEXEC.EXE
3640	ShopeePlus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3640	ShopeePlus.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3640	ShopeePlus.exe
3640	ShopeePlus.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4760	2380	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	84
PID 2380 wrote to memory of 4760	2380	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	84
PID 2380 wrote to memory of 4760	2380	5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe	84
PID 1088 wrote to memory of 4724	1088	msiexec.exe	106
PID 1088 wrote to memory of 4724	1088	msiexec.exe	106
PID 1088 wrote to memory of 1752	1088	msiexec.exe	108
PID 1088 wrote to memory of 1752	1088	msiexec.exe	108
PID 1088 wrote to memory of 1752	1088	msiexec.exe	108
PID 4760 wrote to memory of 3640	4760	MSIEXEC.EXE	112
PID 4760 wrote to memory of 3640	4760	MSIEXEC.EXE	112
PID 4760 wrote to memory of 3640	4760	MSIEXEC.EXE	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe
"C:\Users\Admin\AppData\Local\Temp\5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\CachedFiles\ShopeePlus_V1.0.0.17.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="5da088d32a60044d7cf7167b033bf6f5eb58ec0d544b1290db4075704ef164ca.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe
    "C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6866B7CBC8F9A786734DC534BFDB76C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\CachedFiles\ShopeePlus_V1.0.0.17.msi

Filesize
7.6MB

MD5
39e92a384d507088147a1205fd9ba30d

SHA1
8e4aec83d722114fc126b96274bd54cc368619df

SHA256
9d0846ddff9c0235c902fed190a302cdcfc60037ae09a35014e4cb351f6edd2d

SHA512
b30f12e6405c4916b51694a4bba6eb6fdd0c14cb75e97dd5a6687475ceb9c8fdb2d11164f71e9e9320ad31f0128fc609c834058e541ebf2fe6572cd539e59f26

Download Submit
C:\Config.Msi\e57e909.rbs

Filesize
15KB

MD5
f38cfbf124d5e8a0057fcd3a2b3918cb

SHA1
20f8d0ff7a3e0689aa4f02dcb37b320e1b1cd4ac

SHA256
147ec0b5a42820729244e2bfbf2e7f61e371f714bdb5c253e2dadf157d74223c

SHA512
61a7659520b55a655133391a177c97f9ed62ebc8ffca939638de6b40d8a3d560848f5807a412f44fa26ad352d66b78326ad7def97877a46778bed72819835252

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\Facebook.dll

Filesize
105KB

MD5
6b8b763ebf51086effa31e4f5515c6c0

SHA1
33d0debde0063f4d6561970ecc7ee698cca0aa66

SHA256
1b30b9614fef624721b6e1b717560353334e3c8138532a83b4a91152ea06fcba

SHA512
e6af1d6c0e9cfde9ff42ee992a486d14137fddea4b21b8823962af154ca5fc901cacc182d8a7792db94f121ab792ba40efa2767cb221db62169bc2328b045771

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.Fonts.dll

Filesize
656KB

MD5
612080028164b12939751dcccbb68d4a

SHA1
db066593c63d2eff41a5af1b49a3e098b60e0013

SHA256
e96030fddaf7e78401567ee82480ad75ee48d3556199a3f85c0ec669edac2ef4

SHA512
1879c960e27e32941c0c992b84803e7a1f8d243bfc88d17d3d32baca772290b9ea60a6ea90d53170be3bf7f0a58fe71ec901dc66aa560b4bf68b1da56c09fe18

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\MetroFramework.dll

Filesize
256KB

MD5
ba06c42b12ac1ca8ff8f5e9ababf6b42

SHA1
6c9626736814dd05621a20aeae389010af84550a

SHA256
be03bbbaba8aa53c21ce6c651e114d0ff25e5ff90ebedcc09ab15265e7791a54

SHA512
36e0b89cdb58bdbaaaad29f4cfc36af5be16736c6a04c4b678d244631947add2a7a10daaeae78f67128f8c7edc687e5274a2a7edabc53eb55b014c84d02eb5eb

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\Newtonsoft.Json.dll

Filesize
492KB

MD5
5e02ddaf3b02e43e532fc6a52b04d14b

SHA1
67f0bd5cfa3824860626b6b3fff37dc89e305cec

SHA256
78bedd9fce877a71a8d8ff9a813662d8248361e46705c4ef7afc61d440ff2eeb

SHA512
38720cacbb169dfc448deef86af973eafefa19eaeb48c55c58091c9d6a8b12a1f90148c287faaaa01326ec47143969ad1b54ee2b81018e1de0b83350dc418d1c

Download Submit
C:\Program Files (x86)\Plus24h.com\ShopeePlus\ShopeePlus.exe

Filesize
4.2MB

MD5
b53f7a8186bbe7f5272d262078cfaa5f

SHA1
fac6d555dbba6dd3a175fa56dba5b9d9c5831a39

SHA256
fd90b68e1a7718a240e638052e13fd9c83ba71c63edfc9eb05a5dcacb1e2b2f7

SHA512
2fb3228f8ff7c6087f156401dba19d65ee676b326c94ed3815e5256fffa2a9cee42629d2fb90624fd59a620a37e5d54f356810fbdde125a7dcf88311ca7c35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is7E7A..dll

Filesize
2.5MB

MD5
776275f6e820cef1544c4b4d108a2fd2

SHA1
df9772159cc04e842636628c0a8e1029ce771cc8

SHA256
580467f266bd2e7c69a6ee288bcad2a1c843b4a0571a0df68ad2c15a4cfed691

SHA512
869d2caa001f965cf399ad9a2bdf4b9103fd6d9a697bec263efd2f02a78dcb9a328a4e295f025c549c72bbc258e790f7c139eeb49f0d6911ea25d31601b42f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A3771F8-E349-471E-B0E9-5CB456108615}\0x0409.ini

Filesize
21KB

MD5
8586214463bd73e1c2716113e5bd3e13

SHA1
f02e3a76fd177964a846d4aa0a23f738178db2be

SHA256
089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54

SHA512
309200f38d0e29c9aaa99bb6d95f4347f8a8c320eb65742e7c539246ad9b759608bd5151d1c5d1d05888979daa38f2b6c3bf492588b212b583b8adbe81fa161b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A3771F8-E349-471E-B0E9-5CB456108615}\_ISMSIDEL.INI

Filesize
852B

MD5
51034eb4e1b6efe849ee78f3a123cc22

SHA1
f9ade109333219cb255c7074af35532f1ea60c33

SHA256
8ecf68a202f3d4f7083cb59ad15277e9e1a036d51b9cef55e5a3e4cf880968e0

SHA512
a7b7af20eef76d86d15dcc0916795f97da96b0076f683478fafb40038d54e35a0363b819281721608e667ab8727056607913b2dc88d4190e60e8a52a57799c04

Download Submit
C:\Users\Admin\AppData\Local\Temp\{2A3771F8-E349-471E-B0E9-5CB456108615}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7E38.tmp

Filesize
6KB

MD5
51034d1ae230e5590943f5dc3762c197

SHA1
deb79a5a6c7202a38cca594e210af32686ff886d

SHA256
312210155b3909acabb69e8276251fa3b158b982751e01a3a2f010aba5999698

SHA512
6729812f6fcc6f4114d6be07bd64ce997ad7ee52086a600f9d23884503a730f0abfa5979a2cce34ee9424f3c220b6cc8499d741741ba5aec280cfbc0dcda7352

Download Submit
C:\Windows\Installer\MSIE9E3.tmp

Filesize
105KB

MD5
29e4cb02681bf0780985a429b48903ca

SHA1
474acf63ad259fa06164916259a40ffe8909f622

SHA256
3dd81287d4318c25ed9f0afa740c3ca59b746d9a587735e1e33107c14e1b40e0

SHA512
5c491bf4357bb1cee86ff0eb9662f6046c32b7e8b8fb406f12e4f866885a25994c34e8f46315f98f116be27a6a7a06c21ca52b030aacb1c1216910ac339500a1

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
d230b0854d9e0d103c1add090cfb221f

SHA1
9e30a69a1b3f6e36e00a5c5b424f5e7987a022e6

SHA256
8a67013c4e053bfdaec07c0b3a02942b29f99fb5f26392637b8538ca3a41a1ca

SHA512
69bd6605486e418e8f5e44e3f3b86b4ba38bfcd6328769417522026559cbb594add6861dbc5a5febe82d0d392d0d05564bc6199c67753a537f64d0fd082dd201

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d79ff2ee-6f1c-4b04-a2fd-442ae81c6fd2}_OnDiskSnapshotProp

Filesize
6KB

MD5
251e4cea68d8b9a2d3ee87414e0a703a

SHA1
df2176f8bcfdf51a86e0f92d798c8d37dfd48660

SHA256
3c5d5943a6216dc4db74b84dc7165705e32dc4e3c746400e805d486e02ec09aa

SHA512
905f41f95effbe13ae79866393fa0c990903b060f43962622cd874474f93663bd7bfcbde13c28b26d3c605ca8e19dfb0a1b444026bf70271499fb74416ae8321

Download Submit
memory/3640-149-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/3640-155-0x0000000005A40000-0x0000000005AC2000-memory.dmp

Filesize
520KB

Download
memory/3640-159-0x0000000005E20000-0x0000000005E66000-memory.dmp

Filesize
280KB

Download
memory/3640-151-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/3640-150-0x00000000057A0000-0x00000000057D4000-memory.dmp

Filesize
208KB

Download
memory/3640-148-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/3640-215-0x00000000067E0000-0x0000000006800000-memory.dmp

Filesize
128KB

Download
memory/3640-216-0x0000000006A70000-0x0000000006A7A000-memory.dmp

Filesize
40KB

Download
memory/3640-147-0x0000000000AA0000-0x0000000000EE4000-memory.dmp

Filesize
4.3MB

Download
memory/3640-220-0x0000000007AE0000-0x0000000007B8A000-memory.dmp

Filesize
680KB

Download
memory/3640-221-0x0000000007E30000-0x0000000008056000-memory.dmp

Filesize
2.1MB

Download
memory/3640-227-0x000000000C370000-0x000000000CB16000-memory.dmp

Filesize
7.6MB

Download
memory/3640-229-0x000000000BF50000-0x000000000BF72000-memory.dmp

Filesize
136KB

Download