Analysis

max time kernel: 150s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 15/04/2025, 14:15

Static task: static1
Behavioral task: behavioral1
Sample: luoma2 (2).msi
Resource: win10v2004-20250313-en
General

Target: luoma2 (2).msi
Size: 3.9MB
MD5: daa3ec4cd16303cd510f8c95ebbfb8fd
SHA1: 304c9caf4edc41e9a0ecfd6115cc684f9e23a316
SHA256: 65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
SHA512: 0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc
SSDEEP: 98304:18+N9QHCaCS1B1a/OxyzH7usEdKMUWnVf3CYk4p20B7Kk:1NKvFB1aOAzH7u1c6pCYk9A9
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3700-73-0x000000002C240000-0x000000002C3FD000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 1 IoCs
resource | yara_rule
behavioral2/memory/3700-73-0x000000002C240000-0x000000002C3FD000-memory.dmp | family_gh0strat
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5244 | powershell.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
Drops file in Program Files directory 12 IoCs
description | ioc | Process
File created | C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe | msiexec.exe
File created | C:\Program Files\MonitorAccentUpgrade\valibclang2d.dll | msiexec.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb | QMXzDrCWmwXRNKK.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS | QMXzDrCWmwXRNKK.exe
File created | C:\Program Files\MonitorAccentUpgrade\wegame.exe | MsiExec.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade | ImCmkefCIwvS.exe
File created | C:\Program Files\MonitorAccentUpgrade\igc964.dll | msiexec.exe
File created | C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy | msiexec.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe | QMXzDrCWmwXRNKK.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe | QMXzDrCWmwXRNKK.exe
File created | C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe | MsiExec.exe
File opened for modification | C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe | MsiExec.exe
Drops file in Windows directory 12 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57ca09.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF94C820706B78980A.TMP | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0741D0F8-F95F-408C-A996-D18BD8AAA38B} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFD795D6FFDC7CD4B5.TMP | msiexec.exe
File created | C:\Windows\Installer\e57ca07.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57ca07.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF2996B4CF029B2C5B.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF2FA17BE005296783.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICB4F.tmp | msiexec.exe
Executes dropped EXE 6 IoCs
pid | Process
2192 | QMXzDrCWmwXRNKK.exe
5292 | QMXzDrCWmwXRNKK.exe
4528 | ImCmkefCIwvS.exe
3364 | xUOZdwMgclhR.exe
4276 | wegame.exe
3700 | ImCmkefCIwvS.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xUOZdwMgclhR.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wegame.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ImCmkefCIwvS.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ImCmkefCIwvS.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | ImCmkefCIwvS.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | ImCmkefCIwvS.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | ImCmkefCIwvS.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | wegame.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | ImCmkefCIwvS.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Modifies registry class 22 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Version = "134217730" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\PackageCode = "3AA3ACCE3DD344B46AF076DDE918A19D" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\PackageName = "luoma2 (2).msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\ProductName = "MonitorAccentUpgrade" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730\8F0D1470F59FC8049A691DB88DAA3AB8 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8 | msiexec.exe
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD wegame.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 wegame.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460
243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f wegame.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 wegame.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 wegame.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
6080 | msiexec.exe
6080 | msiexec.exe
5244 | powershell.exe
5244 | powershell.exe
4528 | ImCmkefCIwvS.exe
4528 | ImCmkefCIwvS.exe
4276 | wegame.exe
4276 | wegame.exe
4276 | wegame.exe
4276 | wegame.exe
3700 | ImCmkefCIwvS.exe
3700 | ImCmkefCIwvS.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1760 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1760 | msiexec.exe
Token: SeSecurityPrivilege | 6080 | msiexec.exe
Token: SeCreateTokenPrivilege | 1760 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1760 | msiexec.exe
Token: SeLockMemoryPrivilege | 1760 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1760 | msiexec.exe
Token: SeMachineAccountPrivilege | 1760 | msiexec.exe
Token: SeTcbPrivilege | 1760 | msiexec.exe
Token: SeSecurityPrivilege | 1760 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1760 | msiexec.exe
Token: SeLoadDriverPrivilege | 1760 | msiexec.exe
Token: SeSystemProfilePrivilege | 1760 | msiexec.exe
Token: SeSystemtimePrivilege | 1760 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1760 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1760 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1760 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1760 | msiexec.exe
Token: SeBackupPrivilege | 1760 | msiexec.exe
Token: SeRestorePrivilege | 1760 | msiexec.exe
Token: SeShutdownPrivilege | 1760 | msiexec.exe
Token: SeDebugPrivilege | 1760 | msiexec.exe
Token: SeAuditPrivilege | 1760 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1760 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1760 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1760 | msiexec.exe
Token: SeUndockPrivilege | 1760 | msiexec.exe
Token: SeSyncAgentPrivilege | 1760 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1760 | msiexec.exe
Token: SeManageVolumePrivilege | 1760 | msiexec.exe
Token: SeImpersonatePrivilege | 1760 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1760 | msiexec.exe
Token: SeBackupPrivilege | 1156 | vssvc.exe
Token: SeRestorePrivilege | 1156 | vssvc.exe
Token: SeAuditPrivilege | 1156 | vssvc.exe
Token: SeBackupPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeDebugPrivilege | 5244 | powershell.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Token: SeRestorePrivilege | 6080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 6080 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1760 | msiexec.exe
1760 | msiexec.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 6080 wrote to memory of 3652 | 6080 | msiexec.exe | 84
PID 6080 wrote to memory of 3652 | 6080 | msiexec.exe | 84
PID 6080 wrote to memory of 5348 | 6080 | msiexec.exe | 86
PID 6080 wrote to memory of 5348 | 6080 | msiexec.exe | 86
PID 5348 wrote to memory of 5244 | 5348 | MsiExec.exe | 88
PID 5348 wrote to memory of 5244 | 5348 | MsiExec.exe | 88
PID 5348 wrote to memory of 2192 | 5348 | MsiExec.exe | 90
PID 5348 wrote to memory of 2192 | 5348 | MsiExec.exe | 90
PID 5348 wrote to memory of 5292 | 5348 | MsiExec.exe | 92
PID 5348 wrote to memory of 5292 | 5348 | MsiExec.exe | 92
PID 5348 wrote to memory of 4528 | 5348 | MsiExec.exe | 94
PID 5348 wrote to memory of 4528 | 5348 | MsiExec.exe | 94
PID 5348 wrote to memory of 4528 | 5348 | MsiExec.exe | 94
PID 3364 wrote to memory of 4276 | 3364 | xUOZdwMgclhR.exe | 96
PID 3364 wrote to memory of 4276 | 3364 | xUOZdwMgclhR.exe | 96
PID 3364 wrote to memory of 4276 | 3364 | xUOZdwMgclhR.exe | 96
PID 4276 wrote to memory of 3700 | 4276 | wegame.exe | 97
PID 4276 wrote to memory of 3700 | 4276 | wegame.exe | 97
PID 4276 wrote to memory of 3700 | 4276 | wegame.exe | 97
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe (PID 1760)
    Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\luoma2 (2).msi"
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 6080)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 3652)
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

    C:\Windows\System32\MsiExec.exe (PID 5348)
        Command line: C:\Windows\System32\MsiExec.exe -Embedding 39B32B99A1130D581B1E258E7B7AF3C0 E Global\MSI0000
        - Drops file in Program Files directory
        - Modifies data under HKEY_USERS
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5244)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MonitorAccentUpgrade','C:\Program Files','C:\Program Files'
            - Command and Scripting Interpreter: PowerShell
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe (PID 2192)
            Command line: "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy." -key "]6!78DdiKjGuvOKWaXSe" -f -to "C:\Program Files\MonitorAccentUpgrade"
            - Drops file in Program Files directory
            - Executes dropped EXE

        C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe (PID 5292)
            Command line: "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb." -not "1_ImCmkefCIwvS.exe" -not "sss" -not "1_guXHBpJjoUzqOtpY.exe" -not "1_" -not "1_" -not "sa" -key "#2]52NyUPRyGSDcWankx" -f -to "C:\Program Files\MonitorAccentUpgrade"
            - Drops file in Program Files directory
            - Executes dropped EXE

        C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe (PID 4528)
            Command line: "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 106
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 1156)
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe (PID 3364)
    Command line: "C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\MonitorAccentUpgrade\wegame.exe (PID 4276)
        Command line: "C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Modifies data under HKEY_USERS
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe (PID 3700)
            Command line: "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 72
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 7KB
MD5: e811038d1ca7ef6fa1ecd081d9ef8ae3
SHA1: 461433ad0b01c6fb0a75c40fc35369a8e1cd663b
SHA256: 752c6a643619632765a64806fd0fa5df6845fdbeccd27fe5dde74c251a230cc2
SHA512: 92c22a77bd64fc804e97134ff1c79c3815bbc2d5d42f8ae3ffa9a4acec1c48039e3eaa995b54affa02ada4f3998d99fa837e053813282e63ac904b0a4612c6fe

Filesize: 5.6MB
MD5: 1dea5b679ece4af01ea4426b1c0b4f09
SHA1: eeb32377f13639260252982c332c70ba9742bde5
SHA256: 66f6aedfbec41891470de9b6422bd1a11ae1505d3c3955013024d37019314454
SHA512: aec3c80c1d292be92dffde78abf3109e3e9838ae3ff4f0ab136814de357107157b092090b10ed793d2d27ed38674009ec0bc3d12415345701ce132bb1ebebd8d

Filesize: 1.1MB
MD5: f0955f0293bcf104cedbd9bef3b9bf06
SHA1: 9234781ec8fd66172afa50ffa37a3d0f9c1d3037
SHA256: 7a94b4f1d6323a758c7b0b6344036f166bff0fd44f1c3c86f05b3688023496cb
SHA512: a4d53801689bf4f362ca86142b9bb2c2165e4e2b61937a4352963a1a78d8c7357da77ebe917c869ca8446e980fcdf0abb968253e8ce9218550ba447ad3a1101d

Filesize: 3.3MB
MD5: e255d381e9d4a362b8fb7ad2cebfb0ee
SHA1: 499bc663e9d1c14a2c93947d274885aaeb840ffe
SHA256: c1e288c75df5ca0bef1a881e2d541b886d29cb5e20809c78e4fe7fd803afec63
SHA512: 5263e09e85c049b1ca9857f3fb5db768abba00b89ed68392bd4cb3bc543b89f110f626bafd2674904c1d24d2c0e65486434f72324e04174fdea3c7cceadc0117

Filesize: 3.3MB
MD5: cd81710739119d66aff29d65f5277173
SHA1: f329860b20a53a0a336ef0e2ae2941a8c89d0b05
SHA256: 3332efedf6d13e556ffc2247ac97c68f1199993537fae7827699e1d7d148cd22
SHA512: f3909ccae467420c6c471b516041041e8ddb758867c7f692ee395736212eedce0d5e0f689d88c46f1345e9adb2efc36983e7a67c1004bc390fdc3fe553a05c9b

Filesize: 1.0MB
MD5: 5831e9e77179c55d1f08ab5a0900cf36
SHA1: a75af16800b3d25e6ea63f75fdbe7b258d2b34a1
SHA256: 62b96c419e1a403eb367304d0c8ff4f6856e8922a296dcafd5c7515746ebe143
SHA512: a046a809514f96ab8a23fcbc9de92221f1e91f984f985548c744881cf8f2cc8a408b498dfe0acf501ffc0155a5dfc60e364785f086f77bd1b7d48a13add9cd61

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 3.9MB
MD5: daa3ec4cd16303cd510f8c95ebbfb8fd
SHA1: 304c9caf4edc41e9a0ecfd6115cc684f9e23a316
SHA256: 65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
SHA512: 0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc

Filesize: 24.6MB
MD5: c6bf067886c04ccf35bd7d4b3b5098c5
SHA1: 67bdaaa317b061154aee2934678b71023982d235
SHA256: 7e6285d88517fb6680c4df02f5075a83d4b4b0a91514cfd1cf8ec1eacb477e2e
SHA512: 9df5c548cf858e735bdfc5c9f5ed3c2e848e80b2b5342b745e768ce5018708b816dbf6591d6f49c74b0713a4c0647e3af305d137f35b2e1888085392deed0b9f

\??\Volume{2e077aa7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f76eb586-3065-4831-8c84-99b8d3c32783}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 610faa9fe494a71a136b2f3f57743b72
SHA1: c5a4e21492f3ae749be1e6f7dc6aa65bfb2ac7de
SHA256: 21f2ed06d77df5e52cbf7aec5da54d32e8234f729ea4d53654c76ee5d5680258
SHA512: a706f1c912782ad7d95a240eff5f6ddb84cecf495edf70263a4985e4780b7db4111bd5a2f01fbe53b0d1374ea4ce7beed0537512faa22c0f180b2f7cc1bc7d62