gh0strat | b8f70b0e7640bc7a6556b9db8a67229e0bdb95ce52ba6bb4c4cc5823d722bb4b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

luoma2 (2).msi
Size

3.9MB
MD5

daa3ec4cd16303cd510f8c95ebbfb8fd
SHA1

304c9caf4edc41e9a0ecfd6115cc684f9e23a316
SHA256

65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a
SHA512

0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc
SSDEEP

98304:18+N9QHCaCS1B1a/OxyzH7usEdKMUWnVf3CYk4p20B7Kk:1NKvFB1aOAzH7u1c6pCYk9A9

Score

10^/10

gh0strat purplefox discovery execution rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2500-74-0x000000002BD30000-0x000000002BEED000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2500-74-0x000000002BD30000-0x000000002BEED000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe	QMXzDrCWmwXRNKK.exe
File created	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\igc964.dll	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe	MsiExec.exe
File created	C:\Program Files\MonitorAccentUpgrade\wegame.exe	MsiExec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade	ImCmkefCIwvS.exe
File created	C:\Program Files\MonitorAccentUpgrade\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy	msiexec.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb	QMXzDrCWmwXRNKK.exe
File opened for modification	C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe	QMXzDrCWmwXRNKK.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e579a6b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0741D0F8-F95F-408C-A996-D18BD8AAA38B}	msiexec.exe
File opened for modification	C:\Windows\Installer\e579a6b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9B36.tmp	msiexec.exe
File created	C:\Windows\Installer\e579a6d.msi	msiexec.exe

Executes dropped EXE 6 IoCs

pid	Process
1460	QMXzDrCWmwXRNKK.exe
3768	QMXzDrCWmwXRNKK.exe
1308	ImCmkefCIwvS.exe
2808	xUOZdwMgclhR.exe
620	wegame.exe
2500	ImCmkefCIwvS.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xUOZdwMgclhR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegame.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ImCmkefCIwvS.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000009f6a16e717f4bff0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000009f6a16e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090009f6a16e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d09f6a16e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000009f6a16e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	ImCmkefCIwvS.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wegame.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	ImCmkefCIwvS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	wegame.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\PackageName = "luoma2 (2).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\PackageCode = "3AA3ACCE3DD344B46AF076DDE918A19D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F0D1470F59FC8049A691DB88DAA3AB8\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\ProductName = "MonitorAccentUpgrade"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Version = "134217730"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BEB8733A883FF0E4A83E7D0A4071D730	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F0D1470F59FC8049A691DB88DAA3AB8\Clients = 3a0000000000	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	wegame.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2984	msiexec.exe
2984	msiexec.exe
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe
1308	ImCmkefCIwvS.exe
1308	ImCmkefCIwvS.exe
620	wegame.exe
620	wegame.exe
620	wegame.exe
620	wegame.exe
2500	ImCmkefCIwvS.exe
2500	ImCmkefCIwvS.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5428	msiexec.exe
Token: SeSecurityPrivilege	2984	msiexec.exe
Token: SeCreateTokenPrivilege	5428	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5428	msiexec.exe
Token: SeLockMemoryPrivilege	5428	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5428	msiexec.exe
Token: SeMachineAccountPrivilege	5428	msiexec.exe
Token: SeTcbPrivilege	5428	msiexec.exe
Token: SeSecurityPrivilege	5428	msiexec.exe
Token: SeTakeOwnershipPrivilege	5428	msiexec.exe
Token: SeLoadDriverPrivilege	5428	msiexec.exe
Token: SeSystemProfilePrivilege	5428	msiexec.exe
Token: SeSystemtimePrivilege	5428	msiexec.exe
Token: SeProfSingleProcessPrivilege	5428	msiexec.exe
Token: SeIncBasePriorityPrivilege	5428	msiexec.exe
Token: SeCreatePagefilePrivilege	5428	msiexec.exe
Token: SeCreatePermanentPrivilege	5428	msiexec.exe
Token: SeBackupPrivilege	5428	msiexec.exe
Token: SeRestorePrivilege	5428	msiexec.exe
Token: SeShutdownPrivilege	5428	msiexec.exe
Token: SeDebugPrivilege	5428	msiexec.exe
Token: SeAuditPrivilege	5428	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5428	msiexec.exe
Token: SeChangeNotifyPrivilege	5428	msiexec.exe
Token: SeRemoteShutdownPrivilege	5428	msiexec.exe
Token: SeUndockPrivilege	5428	msiexec.exe
Token: SeSyncAgentPrivilege	5428	msiexec.exe
Token: SeEnableDelegationPrivilege	5428	msiexec.exe
Token: SeManageVolumePrivilege	5428	msiexec.exe
Token: SeImpersonatePrivilege	5428	msiexec.exe
Token: SeCreateGlobalPrivilege	5428	msiexec.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeBackupPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5428	msiexec.exe
5428	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 5060	2984	msiexec.exe	98
PID 2984 wrote to memory of 5060	2984	msiexec.exe	98
PID 2984 wrote to memory of 4304	2984	msiexec.exe	100
PID 2984 wrote to memory of 4304	2984	msiexec.exe	100
PID 4304 wrote to memory of 3328	4304	MsiExec.exe	102
PID 4304 wrote to memory of 3328	4304	MsiExec.exe	102
PID 4304 wrote to memory of 1460	4304	MsiExec.exe	104
PID 4304 wrote to memory of 1460	4304	MsiExec.exe	104
PID 4304 wrote to memory of 3768	4304	MsiExec.exe	106
PID 4304 wrote to memory of 3768	4304	MsiExec.exe	106
PID 4304 wrote to memory of 1308	4304	MsiExec.exe	108
PID 4304 wrote to memory of 1308	4304	MsiExec.exe	108
PID 4304 wrote to memory of 1308	4304	MsiExec.exe	108
PID 2808 wrote to memory of 620	2808	xUOZdwMgclhR.exe	110
PID 2808 wrote to memory of 620	2808	xUOZdwMgclhR.exe	110
PID 2808 wrote to memory of 620	2808	xUOZdwMgclhR.exe	110
PID 620 wrote to memory of 2500	620	wegame.exe	111
PID 620 wrote to memory of 2500	620	wegame.exe	111
PID 620 wrote to memory of 2500	620	wegame.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\luoma2 (2).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5060
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EE45C0E18AC82AE73312F13FEC9BC5F2 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MonitorAccentUpgrade','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy." -key "]6!78DdiKjGuvOKWaXSe" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:1460
- - C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe
    "C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe" x "C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb." -not "1_ImCmkefCIwvS.exe" -not "sss" -not "1_guXHBpJjoUzqOtpY.exe" -not "1_" -not "1_" -not "sa" -key "#2]52NyUPRyGSDcWankx" -f -to "C:\Program Files\MonitorAccentUpgrade"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:3768
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 106
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe
"C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Program Files\MonitorAccentUpgrade\wegame.exe
  "C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe" -nbg 102
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe
    "C:\Program Files\MonitorAccentUpgrade\ImCmkefCIwvS.exe" -nbg 72
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2500

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579a6c.rbs

Filesize
7KB

MD5
9cc18e97f8bda6da142a5c5ace3dbd9d

SHA1
91bbc39ecacfb366b65b8a5edd9bef690b9254af

SHA256
1d19b391b7ec5345a7cc8a1d73afb0f0498c89ff597c7d0335d03a587c35965e

SHA512
e94365ec411f10c5324e56f5acd1ad736c39a434640c85bee4d235e4377f987ef7e26295440fd3ca3b860d6578403d2ef45cbae94b51d2098d4421e40c59a929

Download Submit
C:\Program Files\MonitorAccentUpgrade\2_ImCmkefCIwvS.exe

Filesize
5.6MB

MD5
1dea5b679ece4af01ea4426b1c0b4f09

SHA1
eeb32377f13639260252982c332c70ba9742bde5

SHA256
66f6aedfbec41891470de9b6422bd1a11ae1505d3c3955013024d37019314454

SHA512
aec3c80c1d292be92dffde78abf3109e3e9838ae3ff4f0ab136814de357107157b092090b10ed793d2d27ed38674009ec0bc3d12415345701ce132bb1ebebd8d

Download Submit
C:\Program Files\MonitorAccentUpgrade\QMXzDrCWmwXRNKK.exe

Filesize
1.1MB

MD5
f0955f0293bcf104cedbd9bef3b9bf06

SHA1
9234781ec8fd66172afa50ffa37a3d0f9c1d3037

SHA256
7a94b4f1d6323a758c7b0b6344036f166bff0fd44f1c3c86f05b3688023496cb

SHA512
a4d53801689bf4f362ca86142b9bb2c2165e4e2b61937a4352963a1a78d8c7357da77ebe917c869ca8446e980fcdf0abb968253e8ce9218550ba447ad3a1101d

Download Submit
C:\Program Files\MonitorAccentUpgrade\VGWTihpFnYDSOUb

Filesize
3.3MB

MD5
e255d381e9d4a362b8fb7ad2cebfb0ee

SHA1
499bc663e9d1c14a2c93947d274885aaeb840ffe

SHA256
c1e288c75df5ca0bef1a881e2d541b886d29cb5e20809c78e4fe7fd803afec63

SHA512
5263e09e85c049b1ca9857f3fb5db768abba00b89ed68392bd4cb3bc543b89f110f626bafd2674904c1d24d2c0e65486434f72324e04174fdea3c7cceadc0117

Download Submit
C:\Program Files\MonitorAccentUpgrade\VjLlMrQGpGLvBWy

Filesize
3.3MB

MD5
cd81710739119d66aff29d65f5277173

SHA1
f329860b20a53a0a336ef0e2ae2941a8c89d0b05

SHA256
3332efedf6d13e556ffc2247ac97c68f1199993537fae7827699e1d7d148cd22

SHA512
f3909ccae467420c6c471b516041041e8ddb758867c7f692ee395736212eedce0d5e0f689d88c46f1345e9adb2efc36983e7a67c1004bc390fdc3fe553a05c9b

Download Submit
C:\Program Files\MonitorAccentUpgrade\xUOZdwMgclhR.exe

Filesize
1.0MB

MD5
5831e9e77179c55d1f08ab5a0900cf36

SHA1
a75af16800b3d25e6ea63f75fdbe7b258d2b34a1

SHA256
62b96c419e1a403eb367304d0c8ff4f6856e8922a296dcafd5c7515746ebe143

SHA512
a046a809514f96ab8a23fcbc9de92221f1e91f984f985548c744881cf8f2cc8a408b498dfe0acf501ffc0155a5dfc60e364785f086f77bd1b7d48a13add9cd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tazsounz.3x2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e579a6b.msi

Filesize
3.9MB

MD5
daa3ec4cd16303cd510f8c95ebbfb8fd

SHA1
304c9caf4edc41e9a0ecfd6115cc684f9e23a316

SHA256
65f0a236ce67ad31629c7f7826058a2ff2d7a0b01e9f965ef6559f7ad38bf78a

SHA512
0b53adb67a9d44791172c5b9c13ad47413a2eb30213d4584165477164321d03307e9da3d12edec73e76ee79297983419aaca6a9fadb2c2a5b273cd29f2990acc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
e2d2f2bf9d58acdea2007347d6491355

SHA1
8aeb17b68fdfe22f9567b4af38b8eaede51b34c3

SHA256
2557ad1988f03342aed58a7d0a70ff63a5f1c97ab90b8d39d0413e39d85c92f5

SHA512
1dc9b3a5216960052081a1dbf0faade782f8f18ebf642078e693e352a439f4523a8663feda8a09e54a4b79410b0a97d9ea4e96ec97e26e1fa200be0c91c966df

Download Submit
\??\Volume{6ea1f609-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{97af7c6a-ffbe-4577-9be4-edd2531c7c50}_OnDiskSnapshotProp

Filesize
6KB

MD5
d6cf9aff678774816401c78c6dedeeae

SHA1
68f8dc04f4e7d567fe29d3fe6992e153d4807e8e

SHA256
b9544beb8dfa9a55337424b20241a5e7da4aa18748d16a348a02165cca31521f

SHA512
0665ee59689a1864f168016b65385d907f72d4951f1cf24179946362b0cca9423b27974b28b4a267601dc25e8d614d5e24a5efade90a077767ca8abac8bb56d4

Download Submit
memory/1308-62-0x0000000009BC0000-0x0000000009BEA000-memory.dmp

Filesize
168KB

Download
memory/1460-30-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2500-71-0x000000002B8B0000-0x000000002B8F4000-memory.dmp

Filesize
272KB

Download
memory/2500-74-0x000000002BD30000-0x000000002BEED000-memory.dmp

Filesize
1.7MB

Download
memory/3328-18-0x000001D6EC2E0000-0x000001D6EC302000-memory.dmp

Filesize
136KB

Download
memory/3768-39-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download