Analysis
-
max time kernel
60s -
max time network
56s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
14-10-2022 12:08
General
-
Target
2E0ECB2F.msi
-
Size
1.4MB
-
MD5
f725bab929df4fe2626849ba269b7fcb
-
SHA1
907fe41722644b3dd6851766cc2a70c1d2b28434
-
SHA256
0a970e58599c403de3ef186fff03565913e47b5c22f9bdf55b84a9f497b10520
-
SHA512
1e09187e521e91cd34772af31ea83e873024fcb22bbe7bd438a29a6a437773be43b28d68928af09917dc32755bacfced923748380ec05a0485cfe1609acac213
-
SSDEEP
24576:y0uDXX4HK04BMeRocDP1Nc076i9aJjgDyk7TS4MclFdBbfYNn+Nnnm6ByMEUT:y9XIri5ood7FEJ8O6FlFdB0N+Nnnm6U4
Malware Config
Signatures
-
Loads dropped DLL 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 14 IoCs
-
Modifies data under HKEY_USERS 13 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2E0ECB2F.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D83386D76333924F2DEE2D6D594ADA6A2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BEB43B69AA329EF951015F3E9EB81C19 E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Installer\MSI6BAF.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI7FC5.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI840B.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI8574.tmpFilesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
C:\Windows\Installer\MSI865F.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI6BAF.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI7FC5.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI840B.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI8574.tmpFilesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
\Windows\Installer\MSI865F.tmpFilesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
memory/1000-859-0x0000000000000000-mapping.dmp
-
memory/2152-503-0x0000000000000000-mapping.dmp
-
memory/2388-255-0x0000000000000000-mapping.dmp
-
memory/2532-1753-0x0000000000000000-mapping.dmp
-
memory/2768-1219-0x0000000000000000-mapping.dmp
-
memory/3000-681-0x0000000000000000-mapping.dmp
-
memory/3084-1931-0x0000000000000000-mapping.dmp
-
memory/3148-323-0x0000000000000000-mapping.dmp
-
memory/3292-1575-0x0000000000000000-mapping.dmp
-
memory/3628-1041-0x0000000000000000-mapping.dmp
-
memory/3912-2109-0x0000000000000000-mapping.dmp
-
memory/4264-1397-0x0000000000000000-mapping.dmp
-
memory/4544-2287-0x0000000000000000-mapping.dmp
-
memory/4744-149-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-185-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-120-0x0000000000000000-mapping.dmp
-
memory/4744-148-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-150-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-151-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-152-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-147-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-153-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-154-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-155-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-156-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-157-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-159-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-158-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-160-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-161-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-162-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-163-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-164-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-165-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-166-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-169-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-171-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-174-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-173-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-172-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-170-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-176-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-175-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-178-0x0000000004620000-0x0000000004623000-memory.dmpFilesize
12KB
-
memory/4744-177-0x0000000072F60000-0x0000000072FC5000-memory.dmpFilesize
404KB
-
memory/4744-180-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-181-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-183-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-182-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-179-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-145-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-184-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-146-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-144-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-143-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-189-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-191-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-192-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-190-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-142-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-186-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-196-0x0000000072F60000-0x0000000072FC5000-memory.dmpFilesize
404KB
-
memory/4744-197-0x00000000044A0000-0x00000000044A3000-memory.dmpFilesize
12KB
-
memory/4744-141-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-140-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-139-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-138-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-137-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-134-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-246-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-251-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-253-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-249-0x0000000072F80000-0x0000000072FD0000-memory.dmpFilesize
320KB
-
memory/4744-245-0x0000000072F60000-0x0000000072FC5000-memory.dmpFilesize
404KB
-
memory/4744-136-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-135-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-133-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-132-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-131-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-911-0x00000000044A0000-0x00000000044A3000-memory.dmpFilesize
12KB
-
memory/4744-963-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-962-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-964-0x00000000044D0000-0x00000000044D3000-memory.dmpFilesize
12KB
-
memory/4744-130-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-129-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-127-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-126-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-124-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-123-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-122-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB
-
memory/4744-121-0x0000000076EF0000-0x000000007707E000-memory.dmpFilesize
1.6MB