blackmoon | 32cf48d0ef7ac450c80fcc9fb9ec28af88370298c36547d2a94ff882b12500ae

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
15/03/2025, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chromestup.msi
Size

13.4MB
MD5

a476065df4bcac42aad4f3eeab3545b4
SHA1

4b60df157d79c4863a8065e149ec6e447d1a3342
SHA256

32cf48d0ef7ac450c80fcc9fb9ec28af88370298c36547d2a94ff882b12500ae
SHA512

0d5a5e298b145d61f17b6c3376011706535e3441f6b9c2346e67db4ce762fcbbb3da072d98f7bebc5f31885000cc0661951632508784ed7feeb61ff6c0597e95
SSDEEP

393216:pBfMDbMkh0n28RmwRRenYtpBRW9AxGq5azUUEC5:vMNSSnsjRaKDGEC5

Score

10^/10

blackmoon fatalrat banker discovery infostealer persistence privilege_escalation rat stealer trojan vmprotect

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral1/memory/1664-127-0x0000000000400000-0x0000000000B99000-memory.dmp	family_blackmoon

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
stealer trojan fatalrat
Fatalrat family
fatalrat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/296-156-0x0000000010000000-0x000000001002D000-memory.dmp	fatalrat

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000a000000016d43-56.dat	vmprotect
behavioral1/memory/2220-65-0x000000013FFE0000-0x000000014058C000-memory.dmp	vmprotect
behavioral1/files/0x0005000000018739-105.dat	vmprotect
behavioral1/memory/744-117-0x000000013FA60000-0x000000014000C000-memory.dmp	vmprotect
behavioral1/memory/1664-127-0x0000000000400000-0x0000000000B99000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID702.tmp	msiexec.exe
File created	C:\Windows\Installer\f76d472.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID84A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76d472.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76d46f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID674.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f76d46f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID569.tmp	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
2960	aa.exe
2220	scrok.exe
2248	TjNkNpAilaYvt.exe
1520	TjNkNpAilaYvt.exe
1600	TjNkNpAilaYvt.exe
308	TjNkNpAilaYvt.exe
744	scrok.exe
1664	setup.exe
2212	svchost.exe
1852	svchost.exe
296	svchost.exe

Loads dropped DLL 27 IoCs

pid	Process
2800	MsiExec.exe
2800	MsiExec.exe
2800	MsiExec.exe
2800	MsiExec.exe
2800	MsiExec.exe
1632	cmd.exe
1632	cmd.exe
1632	cmd.exe
1632	cmd.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
1664	setup.exe
2212	svchost.exe
2212	svchost.exe
2212	svchost.exe
1852	svchost.exe
1852	svchost.exe
1852	svchost.exe
1664	setup.exe
1664	setup.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
684	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
1924	timeout.exe
960	timeout.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\Group = "Fatal"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Services\InstallTime = "2025-03-15 07:10"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2484	msiexec.exe
2484	msiexec.exe
2220	scrok.exe
2220	scrok.exe
308	TjNkNpAilaYvt.exe
744	scrok.exe
744	scrok.exe
1664	setup.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeSecurityPrivilege	2484	msiexec.exe
Token: SeCreateTokenPrivilege	684	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	684	msiexec.exe
Token: SeLockMemoryPrivilege	684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	684	msiexec.exe
Token: SeMachineAccountPrivilege	684	msiexec.exe
Token: SeTcbPrivilege	684	msiexec.exe
Token: SeSecurityPrivilege	684	msiexec.exe
Token: SeTakeOwnershipPrivilege	684	msiexec.exe
Token: SeLoadDriverPrivilege	684	msiexec.exe
Token: SeSystemProfilePrivilege	684	msiexec.exe
Token: SeSystemtimePrivilege	684	msiexec.exe
Token: SeProfSingleProcessPrivilege	684	msiexec.exe
Token: SeIncBasePriorityPrivilege	684	msiexec.exe
Token: SeCreatePagefilePrivilege	684	msiexec.exe
Token: SeCreatePermanentPrivilege	684	msiexec.exe
Token: SeBackupPrivilege	684	msiexec.exe
Token: SeRestorePrivilege	684	msiexec.exe
Token: SeShutdownPrivilege	684	msiexec.exe
Token: SeDebugPrivilege	684	msiexec.exe
Token: SeAuditPrivilege	684	msiexec.exe
Token: SeSystemEnvironmentPrivilege	684	msiexec.exe
Token: SeChangeNotifyPrivilege	684	msiexec.exe
Token: SeRemoteShutdownPrivilege	684	msiexec.exe
Token: SeUndockPrivilege	684	msiexec.exe
Token: SeSyncAgentPrivilege	684	msiexec.exe
Token: SeEnableDelegationPrivilege	684	msiexec.exe
Token: SeManageVolumePrivilege	684	msiexec.exe
Token: SeImpersonatePrivilege	684	msiexec.exe
Token: SeCreateGlobalPrivilege	684	msiexec.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe
Token: SeTakeOwnershipPrivilege	2484	msiexec.exe
Token: SeRestorePrivilege	2484	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
684	msiexec.exe
684	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1664	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2484 wrote to memory of 2800	2484	msiexec.exe	35
PID 2800 wrote to memory of 1632	2800	MsiExec.exe	36
PID 2800 wrote to memory of 1632	2800	MsiExec.exe	36
PID 2800 wrote to memory of 1632	2800	MsiExec.exe	36
PID 2800 wrote to memory of 1632	2800	MsiExec.exe	36
PID 1632 wrote to memory of 1924	1632	cmd.exe	38
PID 1632 wrote to memory of 1924	1632	cmd.exe	38
PID 1632 wrote to memory of 1924	1632	cmd.exe	38
PID 1632 wrote to memory of 1924	1632	cmd.exe	38
PID 1632 wrote to memory of 2960	1632	cmd.exe	39
PID 1632 wrote to memory of 2960	1632	cmd.exe	39
PID 1632 wrote to memory of 2960	1632	cmd.exe	39
PID 1632 wrote to memory of 2960	1632	cmd.exe	39
PID 1632 wrote to memory of 2220	1632	cmd.exe	40
PID 1632 wrote to memory of 2220	1632	cmd.exe	40
PID 1632 wrote to memory of 2220	1632	cmd.exe	40
PID 1632 wrote to memory of 2220	1632	cmd.exe	40
PID 2220 wrote to memory of 596	2220	scrok.exe	9
PID 1632 wrote to memory of 2248	1632	cmd.exe	41
PID 1632 wrote to memory of 2248	1632	cmd.exe	41
PID 1632 wrote to memory of 2248	1632	cmd.exe	41
PID 1632 wrote to memory of 2248	1632	cmd.exe	41
PID 1632 wrote to memory of 1520	1632	cmd.exe	42
PID 1632 wrote to memory of 1520	1632	cmd.exe	42
PID 1632 wrote to memory of 1520	1632	cmd.exe	42
PID 1632 wrote to memory of 1520	1632	cmd.exe	42
PID 1632 wrote to memory of 960	1632	cmd.exe	43
PID 1632 wrote to memory of 960	1632	cmd.exe	43
PID 1632 wrote to memory of 960	1632	cmd.exe	43
PID 1632 wrote to memory of 960	1632	cmd.exe	43
PID 1632 wrote to memory of 1600	1632	cmd.exe	44
PID 1632 wrote to memory of 1600	1632	cmd.exe	44
PID 1632 wrote to memory of 1600	1632	cmd.exe	44
PID 1632 wrote to memory of 1600	1632	cmd.exe	44
PID 1632 wrote to memory of 744	1632	cmd.exe	46
PID 1632 wrote to memory of 744	1632	cmd.exe	46
PID 1632 wrote to memory of 744	1632	cmd.exe	46
PID 1632 wrote to memory of 744	1632	cmd.exe	46
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 308 wrote to memory of 1664	308	TjNkNpAilaYvt.exe	47
PID 744 wrote to memory of 596	744	scrok.exe	9
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 2212	1664	setup.exe	48
PID 1664 wrote to memory of 1852	1664	setup.exe	49
PID 1664 wrote to memory of 1852	1664	setup.exe	49
PID 1664 wrote to memory of 1852	1664	setup.exe	49
PID 1664 wrote to memory of 1852	1664	setup.exe	49
PID 1664 wrote to memory of 1852	1664	setup.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:596
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000004D0"
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DB3C8529B75FBB5EE9B171C147B681A7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe" /c timeout /nobreak /t 7 & C:\ProgramData\setup\aa.exe x C:\ProgramData\setup\ddd. -key 000000 -f -to C:\ProgramData & C:\ProgramData\Packas\scrok.exe & C:\ProgramData\Smart\TjNkNpAilaYvt.exe install & C:\ProgramData\Smart\TjNkNpAilaYvt.exe install & timeout /nobreak /t 2 & C:\ProgramData\Smart\TjNkNpAilaYvt.exe start & C:\ProgramData\Packas\scrok.exe & del C:\ProgramData\Packas\scrok.exe & C:\ProgramData\setup\setup.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 7
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1924
  - - C:\ProgramData\setup\aa.exe
      C:\ProgramData\setup\aa.exe x C:\ProgramData\setup\ddd. -key 000000 -f -to C:\ProgramData
      4⤵
      Executes dropped EXE
      PID:2960
  - - C:\ProgramData\Packas\scrok.exe
      C:\ProgramData\Packas\scrok.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2220
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe install
      4⤵
      Executes dropped EXE
      PID:2248
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe install
      4⤵
      Executes dropped EXE
      PID:1520
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /nobreak /t 2
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:960
  - - C:\ProgramData\Smart\TjNkNpAilaYvt.exe
      C:\ProgramData\Smart\TjNkNpAilaYvt.exe start
      4⤵
      Executes dropped EXE
      PID:1600
  - - C:\ProgramData\Packas\scrok.exe
      C:\ProgramData\Packas\scrok.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\ProgramData\Smart\TjNkNpAilaYvt.exe
"C:\ProgramData\Smart\TjNkNpAilaYvt.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:308
- C:\ProgramData\Smart\setup.exe
  "C:\ProgramData\Smart\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2212
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\ProgramData\NVIDIARV\svchost.exe
    "C:\ProgramData\NVIDIARV\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76d473.rbs

Filesize
1KB

MD5
cae7d1d3791a96ea6f44dd9f18ff02af

SHA1
dbff7261eb343aaefccb01c89e7fb9a5fbcf601a

SHA256
57752ca7bd0788b6cdd0be3d06fc3508c95e5ffeb55e2c72dcffda4dabd9ea15

SHA512
f4356b109659102c40aafcc6c00cbab9d568b7cf51e1562b1d54b73f75e103f41ae842cf8f2188d02aaafe0ab25957acb332df513b3f669c03bdca2901463cae

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
1009B

MD5
91e999cbf69b026100c16cde761d802d

SHA1
b1290523162726ed7cd42a29852d738956c0364f

SHA256
bd02b678fa9cc7a63b16cca7b6dee1886e4bb2845fdf392b81e139a73d2c4a32

SHA512
ef3f3f1b6362cce0d91486d71603cad48c4c3525c3fae5e47de39aeed277a9692efcd77e46c34cc2885d73c04c3e529579e60cc4be475e7af42eaf536bcec89e

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
330B

MD5
900e534b8f043f293c17eb3e196cc0ae

SHA1
14fa7b4c0fee7e6ba34905f73b5b8b460e5a933d

SHA256
d680afbe867a966c72778bdbe772394c8c92d81473972a31e5306dd77e1bd237

SHA512
5d4c3482f821746f1d37182d8d91bb27cc7d870f55e396d2d57c5a314041d2a5e4858d659600eeab07cf38d8a4837b1ad0e19ab7c36915865e703f8ca0c91b18

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
613B

MD5
e25c3e1289c9f82f2eeb5ad2de73cf01

SHA1
376c352e50d5bc31079d19440416fe2b48b29f59

SHA256
40ffb7b6eaf12b1ce2cc1f792a77e3402b35dce3f5ee7b887b98a4ccc3bd5785

SHA512
36e5ecf9daccbc20f66155c5105b3e66771dc67d18402ad4c430b9ea2541dbf2980154b17c54aa8210f32810336f643cc3bbaa8281bcab7d719286744ce576ac

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
769B

MD5
2e74b4f598f7d737a1d0a219208cadf0

SHA1
2a5e0eb2f63d9ab3d501e29002f7d2ef40c0f0c5

SHA256
37857f210a7ad49e81f569cf370aa7e5556ff11234f0588c36c73e7e26183816

SHA512
a6c83f6d971a93c3bb8ebe654c29b8b0c9ce617230c2b8417c80d0d2bd4373a0004878ebe8163ae9c64a4dfe1d4c713774a040f263e574ad43701073c3b120fb

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.wrapper.log

Filesize
935B

MD5
71479529d60220959f54b2382c5d4e72

SHA1
f2f89f95085be7661e772470acbc0ab387bb7f86

SHA256
d435717f68d70047c0486bb63f72e0db7f6faad76cf9b09c70c59cf03f42f72a

SHA512
6521f9f5567856012ce3f98e9213981a307f11f21ddb244e2b6f7b09ea7702ee8d36cab223f67551ab5c4e2aabadd21150050bad68199385846ace22138cbbb3

Download Submit
C:\ProgramData\Smart\TjNkNpAilaYvt.xml

Filesize
298B

MD5
2c706293a3cfff8cc184a8e9a3b3da08

SHA1
873d7c9f51aa6cebd4ad3ae5930d1de84bb4437d

SHA256
ed28baf8be3a588d50ed246c2cd741bbd498aee74ea0675d57e0b33236e22067

SHA512
4aba3e25507ba5c29219ff51553f3616d07aeeb30f7465f9e921eea94cdcb411d1f48d1eefed647c22405df275e7f9d7506aac52202aae137391c6831463b043

Download Submit
C:\ProgramData\Smart\setup.exe

Filesize
4.7MB

MD5
113f2ba0cb86477d66f1d8c85a1babfc

SHA1
b5501c19f3fe899565df3bead0580fa3fee54856

SHA256
6cc5816529c56e5b0c871accbbb3de9abf83ac541645f587da4607d60d3b0e11

SHA512
50617759533ca626d79bb19764da0a44774ced9d59a4a6386eda46ad6c21dc54189605b7555fee870059e447c5d4dde28c7c68dc185ab5cd53002f68f4c27d40

Download Submit
C:\ProgramData\setup\ddd

Filesize
10.7MB

MD5
82caf2f7b43286317bd12b703c63670f

SHA1
9aed1ac05263c1ae297966862a60ca8007aa93e1

SHA256
e5f84ec6545e825601ff3510a1847d0554640851969aaeba53af2fc74c68dc20

SHA512
4c060a2bbb35e80831ca5008c80ffeb5c703fbba37f9bd9f0ddcb660628bb50c8ce9f4035fdc31da705bb019224926ac30276fd54333c70f5d496a82007d1f39

Download Submit
C:\Windows\Installer\MSID4AD.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSID5E7.tmp

Filesize
1.1MB

MD5
ae463676775a1dd0b7a28ddb265b4065

SHA1
dff64c17885c7628b22631a2cdc9da83e417d348

SHA256
83fbfcaff3da3eb89f9aec29e6574cf15502fd670cbb2ab0c8a84451b2598b22

SHA512
e47c2db249e7a08c5d2864671fbc235e48aebecbe0b2c2334d1a4cba1b5b3037522ff89408589f3559b3a1eaf507bd338645387d55800029bb3b941d4c7744d6

Download Submit
\ProgramData\NVIDIARV\svchost.exe

Filesize
3.4MB

MD5
e67516972f762b64b2dc4b03ba8296b3

SHA1
15a764f0dd0f0e98b1dbc2e54858ea4228123853

SHA256
f23fc1c9fc311388f659a3c3c839c8c2be94b74837b5af19afcfc0df9e8b25e1

SHA512
e1e29ae8854932944377039ec681a443b7528366568991f89845c62d6d65503355a5e76a22c2495209cacd1f64e8346c41671d3af1e691a7b64183c5734f40da

Download Submit
\ProgramData\Packas\scrok.exe

Filesize
2.7MB

MD5
ac30909929056007eaf0fbcf53c3a21f

SHA1
7046d48c84748b246ebaa1c0153e8f81d3b0acc1

SHA256
f11baf3657a9bbfeb5d140a37d456573f589212447446a1519033ad010b9f58f

SHA512
71a40652f3cdfbd33cfc539855d6cbb1fba601e83bbd4b3e4f5e397144b3abfed5d148b486aec4eec17136e063609f93beae72a5e78d12d876dd79ccd3c9c849

Download Submit
\ProgramData\setup\aa.exe

Filesize
1.0MB

MD5
09c448be7e7d84e6e544cc03afbb05d8

SHA1
ddc13e71a72bc49c60f89b98cbb79c2449cfa07e

SHA256
a0f127a70943b0262060498c1723c795a8e2980f1acf0c42ee8c1dae72ae54b5

SHA512
e5f7a988a999e7e34d0aa2d2a5b2fbb22689588d3def4bed4518ceed38710e3714c5614bab192b0ce6bcac5172a87ebf3b3b923e495eb7344c70bd11f4bf1c12

Download Submit
memory/296-156-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/296-154-0x0000000000400000-0x0000000000911000-memory.dmp

Filesize
5.1MB

Download
memory/596-68-0x0000000000490000-0x00000000004B9000-memory.dmp

Filesize
164KB

Download
memory/744-117-0x000000013FA60000-0x000000014000C000-memory.dmp

Filesize
5.7MB

Download
memory/744-116-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/1520-82-0x0000000001360000-0x0000000001436000-memory.dmp

Filesize
856KB

Download
memory/1600-91-0x0000000000250000-0x0000000000326000-memory.dmp

Filesize
856KB

Download
memory/1664-127-0x0000000000400000-0x0000000000B99000-memory.dmp

Filesize
7.6MB

Download
memory/1664-124-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1664-122-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1664-126-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1852-150-0x0000000000400000-0x0000000000911000-memory.dmp

Filesize
5.1MB

Download
memory/2212-152-0x0000000000400000-0x0000000000911000-memory.dmp

Filesize
5.1MB

Download
memory/2220-60-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/2220-64-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/2220-62-0x0000000077B00000-0x0000000077B02000-memory.dmp

Filesize
8KB

Download
memory/2220-65-0x000000013FFE0000-0x000000014058C000-memory.dmp

Filesize
5.7MB

Download
memory/2248-74-0x0000000000C00000-0x0000000000CD6000-memory.dmp

Filesize
856KB

Download
memory/2960-55-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download