010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi
Size

96.3MB
MD5

cc9cd8ad9a22acb8305eb14d0a8bfcd1
SHA1

a097850d43b2a7c094069ac758c8cdc6565af8e5
SHA256

010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2
SHA512

9a529b79c727474f45f55093972885503103a8ca7437600562adf4c5f0112e7113ff892726d1e67edce4655a910d5e49337543dac4db7d381aa725a544aa7f8d
SSDEEP

3145728:N+LEmAi0QDF3gzILlHgytL79ORBow2zanEL+X:NonQchHNP9EgBL

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	nzUbVPvBzDwZ.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe	MsiExec.exe
File created	C:\Program Files\LogDisplayAPI\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe	MsiExec.exe
File opened for modification	C:\Program Files\LogDisplayAPI	nzUbVPvBzDwZ.exe
File created	C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF	msiexec.exe
File opened for modification	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\QTalk.exe	MsiExec.exe
File created	C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe	msiexec.exe
File opened for modification	C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\win32quickq.exe	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e1b9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE31E.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e1bb.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76e1b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e1b8.msi	msiexec.exe
File created	C:\Windows\Installer\f76e1b9.ipi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
484	AgVKOCOPgZUKZaE.exe
2568	AgVKOCOPgZUKZaE.exe
2840	nzUbVPvBzDwZ.exe
3012	win32quickq.exe

Loads dropped DLL 3 IoCs

pid	Process
3012	win32quickq.exe
3012	win32quickq.exe
3012	win32quickq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2420	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgVKOCOPgZUKZaE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgVKOCOPgZUKZaE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nzUbVPvBzDwZ.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-492 = "India Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	nzUbVPvBzDwZ.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Version = "327683"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F58F935A46F260449731C3FAED296CA\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\PackageCode = "31BC73B34277DF241A4DBAB1F9FC4E10"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F58F935A46F260449731C3FAED296CA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E86A5BB48E78ACB408C91444BA7448B2\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\ProductName = "LogDisplayAPI"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\PackageName = "010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\AdvertiseFlags = "388"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	nzUbVPvBzDwZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	nzUbVPvBzDwZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	nzUbVPvBzDwZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e309000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	nzUbVPvBzDwZ.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1652	msiexec.exe
1652	msiexec.exe
1728	powershell.exe
2840	nzUbVPvBzDwZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3012	win32quickq.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2112	vssvc.exe
Token: SeRestorePrivilege	2112	vssvc.exe
Token: SeAuditPrivilege	2112	vssvc.exe
Token: SeBackupPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	2592	DrvInst.exe
Token: SeLoadDriverPrivilege	2592	DrvInst.exe
Token: SeLoadDriverPrivilege	2592	DrvInst.exe
Token: SeLoadDriverPrivilege	2592	DrvInst.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2420	msiexec.exe
2420	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2500	1652	msiexec.exe	34
PID 1652 wrote to memory of 2500	1652	msiexec.exe	34
PID 1652 wrote to memory of 2500	1652	msiexec.exe	34
PID 1652 wrote to memory of 2500	1652	msiexec.exe	34
PID 1652 wrote to memory of 2500	1652	msiexec.exe	34
PID 2500 wrote to memory of 1728	2500	MsiExec.exe	36
PID 2500 wrote to memory of 1728	2500	MsiExec.exe	36
PID 2500 wrote to memory of 1728	2500	MsiExec.exe	36
PID 2500 wrote to memory of 484	2500	MsiExec.exe	38
PID 2500 wrote to memory of 484	2500	MsiExec.exe	38
PID 2500 wrote to memory of 484	2500	MsiExec.exe	38
PID 2500 wrote to memory of 484	2500	MsiExec.exe	38
PID 2500 wrote to memory of 2568	2500	MsiExec.exe	40
PID 2500 wrote to memory of 2568	2500	MsiExec.exe	40
PID 2500 wrote to memory of 2568	2500	MsiExec.exe	40
PID 2500 wrote to memory of 2568	2500	MsiExec.exe	40
PID 2500 wrote to memory of 2840	2500	MsiExec.exe	42
PID 2500 wrote to memory of 2840	2500	MsiExec.exe	42
PID 2500 wrote to memory of 2840	2500	MsiExec.exe	42
PID 2500 wrote to memory of 2840	2500	MsiExec.exe	42
PID 2500 wrote to memory of 3012	2500	MsiExec.exe	43
PID 2500 wrote to memory of 3012	2500	MsiExec.exe	43
PID 2500 wrote to memory of 3012	2500	MsiExec.exe	43
PID 2500 wrote to memory of 3012	2500	MsiExec.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding ADC0A4FC15E15EB138A7F16371174E0F M Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\LogDisplayAPI','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe
    "C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe" x "C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF." "C:\Program Files\LogDisplayAPI\" -p"82172xEZ9}JD}HyN3N}." -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:484
- - C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe
    "C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe" x "C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR." -x"1_nzUbVPvBzDwZ.exe" -x"sss" -x"1_ZEtMZROjFEXUunp.exe" -x"1_" -x"1_" -x"sa" "C:\Program Files\LogDisplayAPI\" -p"540768fgP}GcRPOdgPox" -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe
    "C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe" -nbg 274
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2840
- - C:\Program Files\LogDisplayAPI\win32quickq.exe
    "C:\Program Files\LogDisplayAPI\win32quickq.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:3012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A8" "00000000000005C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e1ba.rbs

Filesize
7KB

MD5
24038d1b8f4395cefbb55c3a6ea96a2a

SHA1
8afc2a0652f3f50f386f77fa6d86dbaf507bb8da

SHA256
6ca9b9397e5abded3f18de4640c24de42ac0616b240631a4bab2a680a0880955

SHA512
d3b33ca2b8440aeae3e6daab430935fd3b66adc03db439dd98dffda45746bd18e66f7cff032920b24a9c4f25a9a4ba9e5aa3a2fb4b22d08a17bcd9341c49f193

Download Submit
C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe

Filesize
5.4MB

MD5
3edc4a0a0e0cecf47293ee1afdd4f026

SHA1
463a23a83411274b844f3a0a2432736e08ec83cd

SHA256
a61c490dc3731726b04044e473e3d72874815dd98243486c1703796631f66865

SHA512
6fa20e4806bb0b15d989df16abbd7084c2609cc1408791f2a154ef59d840122a8f01e1c6d05f1258f6621c6dc3812d76a27493ec86cdf29e9bd2496458cb59f0

Download Submit
C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe

Filesize
752KB

MD5
9b08fd1d59cb47aa7bf456e6d388f6c2

SHA1
31923271d11a2f8d2aaf758e00fc2029a3614335

SHA256
0a88d153334d6865273920593d947bb3b6f9af945f7d479865b1e9f3354042b5

SHA512
0a35c61dda6b0d8d307a87a024bf7390690de83aee938f2b53e56768f466dd872237dc638fbab5a427c44221331236f1350b38292cb763fd5a65967317063457

Download Submit
C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF

Filesize
2.5MB

MD5
f244487106eb4e1ba09ff94195324f59

SHA1
77610e900c07e850cf5b17eac50a4ea54934b748

SHA256
381f110fae77625187f631e8314f0fca826c3cb4e1b6a8e8c96ab0d4e9c6b689

SHA512
3efac761e1221b55f73ff71ebad3d40591c9aeef3790934171e7d69db7b7b260f827f8d0c81469d7dfe12d9c40a8d1ebae06bc95384a71ec83257640fe663c4a

Download Submit
C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR

Filesize
2.4MB

MD5
4a15a9b8be8cb41729a6dc744e4eed59

SHA1
b5db15960baac1297674808b8fd2b6f260f7a8aa

SHA256
1ac597850a81d21740528aea1740a9b32c23816a53717d61118cd93e6860a9ba

SHA512
3d754ea574be11a206cce86e9d1ed47eadc86582a3c3aecae445fbcf27bd7bb82d18ed5676aa52ba3f2156e74593f28f69d92d47e0322d863f3949a0957ec9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF9EA.tmp\ioSpecial.ini

Filesize
679B

MD5
2adae36efa4e81bb52e654ef7a24d248

SHA1
69d30c4649c329898a0ea7d2399c5476b541a7e3

SHA256
67d41bdb7daa601abba05daa5078cb230b2288deda24b236b7f6b9e244a53a62

SHA512
3a711c80673dfde316b4d7f48f77d2723736e309891dd95668aef41910280193bdac1c8f30c9e9c7b383c52d4bc6eedca384ead541852bc5de2a5e74f9bed155

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjF9EA.tmp\ioSpecial.ini

Filesize
718B

MD5
ccea7f77bd39488ccb183c033c73cf86

SHA1
87e807a69074a728e97839ef8b81215c00a2172f

SHA256
3be9db4c8dfd30e3aeccf8004abe3e496304ec63d7ffc814ce9627c461ab616e

SHA512
7607f40f96a31b653a18a55b5f16f74f889632615ad6e5499b5cc239b70a8b8eec30e12e515dd7b3be7836949698443eeffbabc53c92ca1258ff35ef2182531f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF9EA.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF9EA.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
\Users\Admin\AppData\Local\Temp\nsjF9EA.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
memory/1728-18-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1728-17-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2500-12-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2840-153-0x000000002B6B0000-0x000000002B6DA000-memory.dmp

Filesize
168KB

Download