Analysis
-
max time kernel
63s -
max time network
67s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
14-09-2022 12:38
Errors
General
-
Target
3EBCE3A4.msi
-
Size
1.4MB
-
MD5
808c722e8a8c165b817196f050f70d39
-
SHA1
104c7633f2320b8d1385132a36e36a24536309e4
-
SHA256
2371a00ddd8b0a220b818aaed2cfa0a7453a35662579005113445e686ae23216
-
SHA512
8849ab9196bbf51c039174da290c47027c72e333ed2dcf51b256a6a1f8a620f220c8f4273f84c3f6583efe39870b9d163e5d1c9c3830a7db4313a18cf6e1080b
-
SSDEEP
24576:iWuDXX4QP04BMeRocDP1NOYRn4nJjgDyk7TS4MclFdBbfYNn+Nnnm6ByMEUT:i7XIfi5ooRqJ8O6FlFdB0N+Nnnm6U4
Malware Config
Signatures
-
Loads dropped DLL 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 14 IoCs
-
Modifies data under HKEY_USERS 25 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3EBCE3A4.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 894C6E31EBC10C6133CEF45F981F01DF2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C2F08A738BD6FED76A073E67AA3BD345 E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI12D.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI12D.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI8E.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI8E.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSIDE.tmpFilesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
C:\Windows\Installer\MSIDE.tmpFilesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
C:\Windows\Installer\MSIFCD3.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSIFCD3.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSIFFF1.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSIFFF1.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
memory/1436-158-0x0000000000000000-mapping.dmp
-
memory/1700-162-0x0000000000000000-mapping.dmp
-
memory/1928-163-0x0000000000000000-mapping.dmp
-
memory/2260-156-0x0000000000000000-mapping.dmp
-
memory/2284-154-0x0000000000000000-mapping.dmp
-
memory/2312-160-0x0000000000000000-mapping.dmp
-
memory/3048-161-0x0000000000000000-mapping.dmp
-
memory/3652-150-0x0000000002CD0000-0x0000000002CD3000-memory.dmpFilesize
12KB
-
memory/3652-146-0x0000000002B80000-0x0000000002B83000-memory.dmpFilesize
12KB
-
memory/3652-143-0x0000000075220000-0x0000000075285000-memory.dmpFilesize
404KB
-
memory/3652-144-0x0000000002B80000-0x0000000002B83000-memory.dmpFilesize
12KB
-
memory/3652-149-0x0000000075220000-0x0000000075285000-memory.dmpFilesize
404KB
-
memory/3652-148-0x0000000075240000-0x0000000075290000-memory.dmpFilesize
320KB
-
memory/3652-132-0x0000000000000000-mapping.dmp
-
memory/3652-147-0x0000000075220000-0x0000000075285000-memory.dmpFilesize
404KB
-
memory/3652-145-0x0000000075220000-0x0000000075285000-memory.dmpFilesize
404KB
-
memory/3664-151-0x0000000000000000-mapping.dmp
-
memory/3776-159-0x0000000000000000-mapping.dmp
-
memory/3904-155-0x0000000000000000-mapping.dmp
-
memory/4576-152-0x0000000000000000-mapping.dmp
-
memory/4740-153-0x0000000000000000-mapping.dmp
-
memory/4960-157-0x0000000000000000-mapping.dmp