34159049a92a5849bc9c11bd8ed4411aa5f5ecac4a80ddc2cc9f5df22980c1ec

Resubmissions

23-02-2023 09:14

230223-k7fhnsfd53 10

23-02-2023 09:11

230223-k53v7afd47 10

Analysis

max time kernel
39s
max time network
41s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 09:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

9D8AA271.msi
Size

1.4MB
MD5

7a72d5e6044805ea4d2f37bdbdc0ab2d
SHA1

9b54a2d8ee1ead6bf053f0aaf724e4d44e1de8ae
SHA256

34159049a92a5849bc9c11bd8ed4411aa5f5ecac4a80ddc2cc9f5df22980c1ec
SHA512

f100069fe104f7bb9154247f26e130d739eeb4e834ef6e801901bb489847c6791c5ec53f9160de3f8295483d52004890b79af27a4057f5c2d7d9eb4d9ceb0ff9
SSDEEP

24576:KUuDXXNGj04BMeRocDP1Nz4lDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:KdXdJi5oo+FeBRSw8vlQIzNSnf6y4

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

1108 MsiExec.exe
1108 MsiExec.exe
1108 MsiExec.exe
1108 MsiExec.exe

pid	process
1108	MsiExec.exe
1108	MsiExec.exe
1108	MsiExec.exe
1108	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI148C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14DB.tmp	msiexec.exe
File created	C:\Windows\Installer\6c129a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\6c129a.ipi	msiexec.exe
File created	C:\Windows\Installer\6c1298.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E11.tmp	msiexec.exe
File created	C:\Windows\dbcode21mk.log	msiexec.exe
File created	C:\Windows\setupact64.log	msiexec.exe
File opened for modification	C:\Windows\Installer\6c1298.msi	msiexec.exe

Modifies data under HKEY_USERS 31 IoCs

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exemsiexec.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1192 msiexec.exe
1192 msiexec.exe

pid	process
1192	msiexec.exe
1192	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1396	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeSecurityPrivilege	1192	msiexec.exe
Token: SeCreateTokenPrivilege	1396	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1396	msiexec.exe
Token: SeLockMemoryPrivilege	1396	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1396	msiexec.exe
Token: SeMachineAccountPrivilege	1396	msiexec.exe
Token: SeTcbPrivilege	1396	msiexec.exe
Token: SeSecurityPrivilege	1396	msiexec.exe
Token: SeTakeOwnershipPrivilege	1396	msiexec.exe
Token: SeLoadDriverPrivilege	1396	msiexec.exe
Token: SeSystemProfilePrivilege	1396	msiexec.exe
Token: SeSystemtimePrivilege	1396	msiexec.exe
Token: SeProfSingleProcessPrivilege	1396	msiexec.exe
Token: SeIncBasePriorityPrivilege	1396	msiexec.exe
Token: SeCreatePagefilePrivilege	1396	msiexec.exe
Token: SeCreatePermanentPrivilege	1396	msiexec.exe
Token: SeBackupPrivilege	1396	msiexec.exe
Token: SeRestorePrivilege	1396	msiexec.exe
Token: SeShutdownPrivilege	1396	msiexec.exe
Token: SeDebugPrivilege	1396	msiexec.exe
Token: SeAuditPrivilege	1396	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1396	msiexec.exe
Token: SeChangeNotifyPrivilege	1396	msiexec.exe
Token: SeRemoteShutdownPrivilege	1396	msiexec.exe
Token: SeUndockPrivilege	1396	msiexec.exe
Token: SeSyncAgentPrivilege	1396	msiexec.exe
Token: SeEnableDelegationPrivilege	1396	msiexec.exe
Token: SeManageVolumePrivilege	1396	msiexec.exe
Token: SeImpersonatePrivilege	1396	msiexec.exe
Token: SeCreateGlobalPrivilege	1396	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeRestorePrivilege	1192	msiexec.exe
Token: SeTakeOwnershipPrivilege	1192	msiexec.exe
Token: SeShutdownPrivilege	1192	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1396 msiexec.exe
1396 msiexec.exe

pid	process
1396	msiexec.exe
1396	msiexec.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1108	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1192 wrote to memory of 1500	1192	msiexec.exe	MsiExec.exe
PID 1500 wrote to memory of 900	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 900	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 900	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 900	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1976	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1976	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1976	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1976	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 560	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 560	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 560	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 560	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1532	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1532	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1532	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1532	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1788	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1788	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1788	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1788	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1924	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1924	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1924	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1924	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 524	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 524	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 524	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 524	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 576	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 576	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 576	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 576	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 2024	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 2024	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 2024	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 2024	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1504	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1504	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1504	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1504	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1332	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1332	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1332	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1332	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1692	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1692	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1692	1500	MsiExec.exe	netsh.exe
PID 1500 wrote to memory of 1692	1500	MsiExec.exe	netsh.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9D8AA271.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1BFC32E9A5F171F3E9A3AD85AA33C4D7
2⤵
- Loads dropped DLL
PID:1108

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4EDF8C002E127DC986B6C2D05FF991DB M Global\MSI0000
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
3⤵
- Modifies data under HKEY_USERS
PID:900

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
3⤵
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
3⤵
- Modifies data under HKEY_USERS
PID:560

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:1532

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:1788

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:1924

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:524

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:576

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:2024

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
3⤵
- Modifies data under HKEY_USERS
PID:1504

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
3⤵
- Modifies data under HKEY_USERS
PID:1332

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
3⤵
- Modifies data under HKEY_USERS
PID:1692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1788

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\6c129b.rbs
Filesize
2KB

MD5
3856eafb8d3c30a714b55dc1a835dcec

SHA1
f78cf11eda1f9c38bbe93980901ac60fc7ce1906

SHA256
472acb82b0858119d94db546ba80578f122ed53235b2b48342b2fe6a57c1e835

SHA512
6c96deba6c66b68ae5622628a88097a3611dea23d8dcdfa8fb4aaeab16a3d0f45745797b1307cf5753f60fbee722fe91340cb949027df4d6e205c4a7da2f5f9b

Download Submit
C:\Windows\Installer\MSI12D6.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI148C.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI14DB.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
C:\Windows\Installer\MSI16BF.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI16BF.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSI12D6.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSI148C.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSI14DB.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
\Windows\Installer\MSI16BF.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
memory/1108-73-0x0000000074160000-0x00000000741C5000-memory.dmp

Filesize
404KB

Download
memory/1108-60-0x0000000000200000-0x0000000000203000-memory.dmp

Filesize
12KB

Download
memory/1108-74-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/1108-75-0x0000000074180000-0x00000000741D0000-memory.dmp

Filesize
320KB

Download
memory/1108-76-0x0000000074160000-0x00000000741C5000-memory.dmp

Filesize
404KB

Download
memory/1108-59-0x0000000074160000-0x00000000741C5000-memory.dmp

Filesize
404KB

Download
memory/1552-94-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1788-93-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads