Overview

overview

10

Static

static

1

MeeTalk.msi

windows7-x64

7

MeeTalk.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2023 07:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MeeTalk.msi

  • Size

    186.6MB

  • MD5

    72f5d7578038f91c96340d31858cb124

  • SHA1

    dd0064c57d83a54e84d12569e0710676cd4deaba

  • SHA256

    d614d576366b76b3543346c2be3078f30938c5869b94c05030322af1e493aecb

  • SHA512

    43dc33f04f2c1e320089634d9ee3598bfa20f3e1dfb957249860a111bf1cf03923c481360c311e115a069fb4a11d64f8eb86584d179f805e72280fd4b545ddbb

  • SSDEEP

    3145728:ohkbCHNOivX2+oL7FFsrGxk50YWn1/X7JrVE0ubQYCcOxk8r5C+03i9VfJHCJpcp:oTJX2hL7FFsrGxSEVq0rba8r8PiBHYcp

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MeeTalk.msi
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1968
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 27A7AD9681B6D027525C71A781CE1BCF C
      2⤵
      • Loads dropped DLL
      PID:1612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1316
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000057C" "00000000000003C0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1928

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSI622D.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI655A.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI65B8.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI65B8.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MSI67AC.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSI622D.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSI655A.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSI65B8.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit
    • \Users\Admin\AppData\Local\Temp\MSI67AC.tmp
      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

      Download Submit