gh0strat | b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

luoma2 (2).msi
Size

3.9MB
MD5

daa3ec4cd16303cd510f8c95ebbfb8fd
SHA1

304c9caf4edc41e9a0ecfd6115cc684f9e23a316
SHA256

65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
SHA512

0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc
SSDEEP

98304:18+N9QHCaCS1B1a/OxyzH7usEdKMUWnVf3CYk4p20B7Kk:1NKvFB1aOAzH7u1c6pCYk9A9

Score

10^/10

gh0strat purplefox discovery execution rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/5716-76-0x000000002BC80000-0x000000002BE3D000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/5716-76-0x000000002BC80000-0x000000002BE3D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2812	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	ImCmkefCIwvS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	ImCmkefCIwvS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	ImCmkefCIwvS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	ImCmkefCIwvS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	ImCmkefCIwvS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	ImCmkefCIwvS.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe	QMXzDrCWmwXRNKK.exe
File created	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\igc964.dll	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\wegame.exe	MsiExec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade	ImCmkefCIwvS.exe
File created	C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe	QMXzDrCWmwXRNKK.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC9D8.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c94b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0741D0F8-F95F-408C-A996-D18BD8AAA38B}	msiexec.exe
File created	C:\Windows\Installer\e57c94d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c94b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
4260	QMXzDrCWmwXRNKK.exe
5092	QMXzDrCWmwXRNKK.exe
980	ImCmkefCIwvS.exe
5504	xUOZdwMgclhR.exe
3796	wegame.exe
5716	ImCmkefCIwvS.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xUOZdwMgclhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003ace5ea140a78ecc0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003ace5ea10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003ace5ea1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3ace5ea1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003ace5ea100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ImCmkefCIwvS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	wegame.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wegame.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	wegame.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wegame.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Version = "134217730"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\PackageName = "luoma2 (2).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\ProductName = "MonitorAccentUpgrade"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\PackageCode = "3AA3ACCE3DD344B46AF076DDE918A19D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AdvertiseFlags = "388"	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2696	msiexec.exe
2696	msiexec.exe
2812	powershell.exe
2812	powershell.exe
2812	powershell.exe
980	ImCmkefCIwvS.exe
980	ImCmkefCIwvS.exe
3796	wegame.exe
3796	wegame.exe
3796	wegame.exe
3796	wegame.exe
5716	ImCmkefCIwvS.exe
5716	ImCmkefCIwvS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeSecurityPrivilege	2696	msiexec.exe
Token: SeCreateTokenPrivilege	1008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1008	msiexec.exe
Token: SeLockMemoryPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeMachineAccountPrivilege	1008	msiexec.exe
Token: SeTcbPrivilege	1008	msiexec.exe
Token: SeSecurityPrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeLoadDriverPrivilege	1008	msiexec.exe
Token: SeSystemProfilePrivilege	1008	msiexec.exe
Token: SeSystemtimePrivilege	1008	msiexec.exe
Token: SeProfSingleProcessPrivilege	1008	msiexec.exe
Token: SeIncBasePriorityPrivilege	1008	msiexec.exe
Token: SeCreatePagefilePrivilege	1008	msiexec.exe
Token: SeCreatePermanentPrivilege	1008	msiexec.exe
Token: SeBackupPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeDebugPrivilege	1008	msiexec.exe
Token: SeAuditPrivilege	1008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1008	msiexec.exe
Token: SeChangeNotifyPrivilege	1008	msiexec.exe
Token: SeRemoteShutdownPrivilege	1008	msiexec.exe
Token: SeUndockPrivilege	1008	msiexec.exe
Token: SeSyncAgentPrivilege	1008	msiexec.exe
Token: SeEnableDelegationPrivilege	1008	msiexec.exe
Token: SeManageVolumePrivilege	1008	msiexec.exe
Token: SeImpersonatePrivilege	1008	msiexec.exe
Token: SeCreateGlobalPrivilege	1008	msiexec.exe
Token: SeBackupPrivilege	5168	vssvc.exe
Token: SeRestorePrivilege	5168	vssvc.exe
Token: SeAuditPrivilege	5168	vssvc.exe
Token: SeBackupPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeBackupPrivilege	3684	srtasks.exe
Token: SeRestorePrivilege	3684	srtasks.exe
Token: SeSecurityPrivilege	3684	srtasks.exe
Token: SeTakeOwnershipPrivilege	3684	srtasks.exe
Token: SeBackupPrivilege	3684	srtasks.exe
Token: SeRestorePrivilege	3684	srtasks.exe
Token: SeSecurityPrivilege	3684	srtasks.exe
Token: SeTakeOwnershipPrivilege	3684	srtasks.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1008	msiexec.exe
1008	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3684	2696	msiexec.exe	100
PID 2696 wrote to memory of 3684	2696	msiexec.exe	100
PID 2696 wrote to memory of 3556	2696	msiexec.exe	102
PID 2696 wrote to memory of 3556	2696	msiexec.exe	102
PID 3556 wrote to memory of 2812	3556	MsiExec.exe	103
PID 3556 wrote to memory of 2812	3556	MsiExec.exe	103
PID 3556 wrote to memory of 4260	3556	MsiExec.exe	105
PID 3556 wrote to memory of 4260	3556	MsiExec.exe	105
PID 3556 wrote to memory of 5092	3556	MsiExec.exe	107
PID 3556 wrote to memory of 5092	3556	MsiExec.exe	107
PID 3556 wrote to memory of 980	3556	MsiExec.exe	109
PID 3556 wrote to memory of 980	3556	MsiExec.exe	109
PID 3556 wrote to memory of 980	3556	MsiExec.exe	109
PID 5504 wrote to memory of 3796	5504	xUOZdwMgclhR.exe	111
PID 5504 wrote to memory of 3796	5504	xUOZdwMgclhR.exe	111
PID 5504 wrote to memory of 3796	5504	xUOZdwMgclhR.exe	111
PID 3796 wrote to memory of 5716	3796	wegame.exe	112
PID 3796 wrote to memory of 5716	3796	wegame.exe	112
PID 3796 wrote to memory of 5716	3796	wegame.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\luoma2 (2).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D01DAAEB3E4A6D1F2A4B925056BFAF4A E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MonitorAccentUpgrade','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy." -key "]6!78DdiKjGuvOKWaXSe" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:4260
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb." -not "1_ImCmkefCIwvS.exe" -not "sss" -not "1_guXHBpJjoUzqOtpY.exe" -not "1_" -not "1_" -not "sa" -key "#2]52NyUPRyGSDcWankx" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:5092
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 106
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5168

C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe
"C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5504
- C:\Program Files\MonitorAccentUpgrade\wegame.exe
  "C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 72
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5716

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c94c.rbs

Filesize
7KB

MD5
6241b88de1d3d1ee7b1a5a8416651748

SHA1
fa97b30f64d8ed9b8327a5c49b719dc268010d1e

SHA256
49f86fe359139699b6e7e075f8fe1c85ef91bd24d5d694dc6ba6ad11ab35cb2f

SHA512
883934e0a35171ea7dd0552243a875528d77aeb6ecf9d8a035e614bd3d5cf5f59d1c2ab7061f0bac46145afceeb2c18715094ff4cca3828f7249d755e29c7752

Download Submit
C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe

Filesize
5.6MB

MD5
1dea5b679ece4af01ea4426b1c0b4f09

SHA1
eeb32377f13639260252982c332c70ba9742bde5

SHA256
66f6aedfbec41891470de9b6422bd1a11ae1505d3c3955013024d37019314454

SHA512
aec3c80c1d292be92dffde78abf3109e3e9838ae3ff4f0ab136814de357107157b092090b10ed793d2d27ed38674009ec0bc3d12415345701ce132bb1ebebd8d

Download Submit
C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe

Filesize
1.1MB

MD5
f0955f0293bcf104cedbd9bef3b9bf06

SHA1
9234781ec8fd66172afa50ffa37a3d0f9c1d3037

SHA256
7a94b4f1d6323a758c7b0b6344036f166bff0fd44f1c3c86f05b3688023496cb

SHA512
a4d53801689bf4f362ca86142b9bb2c2165e4e2b61937a4352963a1a78d8c7357da77ebe917c869ca8446e980fcdf0abb968253e8ce9218550ba447ad3a1101d

Download Submit
C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb

Filesize
3.3MB

MD5
e255d381e9d4a362b8fb7ad2cebfb0ee

SHA1
499bc663e9d1c14a2c93947d274885aaeb840ffe

SHA256
c1e288c75df5ca0bef1a881e2d541b886d29cb5e20809c78e4fe7fd803afec63

SHA512
5263e09e85c049b1ca9857f3fb5db768abba00b89ed68392bd4cb3bc543b89f110f626bafd2674904c1d24d2c0e65486434f72324e04174fdea3c7cceadc0117

Download Submit
C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy

Filesize
3.3MB

MD5
cd81710739119d66aff29d65f5277173

SHA1
f329860b20a53a0a336ef0e2ae2941a8c89d0b05

SHA256
3332efedf6d13e556ffc2247ac97c68f1199993537fae7827699e1d7d148cd22

SHA512
f3909ccae467420c6c471b516041041e8ddb758867c7f692ee395736212eedce0d5e0f689d88c46f1345e9adb2efc36983e7a67c1004bc390fdc3fe553a05c9b

Download Submit
C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe

Filesize
1.0MB

MD5
5831e9e77179c55d1f08ab5a0900cf36

SHA1
a75af16800b3d25e6ea63f75fdbe7b258d2b34a1

SHA256
62b96c419e1a403eb367304d0c8ff4f6856e8922a296dcafd5c7515746ebe143

SHA512
a046a809514f96ab8a23fcbc9de92221f1e91f984f985548c744881cf8f2cc8a408b498dfe0acf501ffc0155a5dfc60e364785f086f77bd1b7d48a13add9cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykzhzfjq.1ls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57c94b.msi

Filesize
3.9MB

MD5
daa3ec4cd16303cd510f8c95ebbfb8fd

SHA1
304c9caf4edc41e9a0ecfd6115cc684f9e23a316

SHA256
65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a

SHA512
0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
5b74a7281195a765e00e234c711233c4

SHA1
7d73856efeec4cd72ce620da93f3ff93c64c7f90

SHA256
0b5d214f2258f65113c04426237b35299c5e5d73028865954cd5819be090b6d2

SHA512
4de9f291dc4c9ffd505a16ae0f24ffc95d108681ec3838500e0fb8f20c6873470eb84c5cded82bfba6806f524f220cad1cd2a9e7ecd45aacc9419a8e5795756d

Download Submit
\??\Volume{a15ece3a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3ee2c99d-e8fe-49aa-949a-2d4a1f037903}_OnDiskSnapshotProp

Filesize
6KB

MD5
50a0e890d0cd4f0f3683b668fac10544

SHA1
39fff9ded18257c85c0c534cd21705619a6bdb0b

SHA256
83dfebd126581d147b1654f8cce078114b01e1b7dfaef0088c581a7afb775eba

SHA512
3e87f451aa4cb1c0379bc5050bf63efc18c9fcd21d973ca88bde38963114ce7de823a372886a9cd041510315145dc116be5c819e58b09333bcd5beed1372867d

Download Submit
memory/980-66-0x000000002A3C0000-0x000000002A3EA000-memory.dmp

Filesize
168KB

Download
memory/2812-22-0x000001F182890000-0x000001F1828B2000-memory.dmp

Filesize
136KB

Download
memory/4260-32-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5092-41-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/5716-75-0x000000002B800000-0x000000002B844000-memory.dmp

Filesize
272KB

Download
memory/5716-76-0x000000002BC80000-0x000000002BE3D000-memory.dmp

Filesize
1.7MB

Download