Analysis
-
max time kernel
152s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
29-03-2023 07:43
Static task
static1
Behavioral task
behavioral1
Sample
MeeTalk.msi
Resource
win7-20230220-en
General
-
Target
MeeTalk.msi
-
Size
186.6MB
-
MD5
72f5d7578038f91c96340d31858cb124
-
SHA1
dd0064c57d83a54e84d12569e0710676cd4deaba
-
SHA256
d614d576366b76b3543346c2be3078f30938c5869b94c05030322af1e493aecb
-
SHA512
43dc33f04f2c1e320089634d9ee3598bfa20f3e1dfb957249860a111bf1cf03923c481360c311e115a069fb4a11d64f8eb86584d179f805e72280fd4b545ddbb
-
SSDEEP
3145728:ohkbCHNOivX2+oL7FFsrGxk50YWn1/X7JrVE0ubQYCcOxk8r5C+03i9VfJHCJpcp:oTJX2hL7FFsrGxSEVq0rba8r8PiBHYcp
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
Processes:
MsiExec.exepid process 1612 MsiExec.exe 1612 MsiExec.exe 1612 MsiExec.exe 1612 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Windows directory 3 IoCs
Processes:
DrvInst.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Modifies data under HKEY_USERS 43 IoCs
Processes:
DrvInst.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msiexec.exepid process 1968 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 1968 msiexec.exe Token: SeIncreaseQuotaPrivilege 1968 msiexec.exe Token: SeRestorePrivilege 996 msiexec.exe Token: SeTakeOwnershipPrivilege 996 msiexec.exe Token: SeSecurityPrivilege 996 msiexec.exe Token: SeCreateTokenPrivilege 1968 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1968 msiexec.exe Token: SeLockMemoryPrivilege 1968 msiexec.exe Token: SeIncreaseQuotaPrivilege 1968 msiexec.exe Token: SeMachineAccountPrivilege 1968 msiexec.exe Token: SeTcbPrivilege 1968 msiexec.exe Token: SeSecurityPrivilege 1968 msiexec.exe Token: SeTakeOwnershipPrivilege 1968 msiexec.exe Token: SeLoadDriverPrivilege 1968 msiexec.exe Token: SeSystemProfilePrivilege 1968 msiexec.exe Token: SeSystemtimePrivilege 1968 msiexec.exe Token: SeProfSingleProcessPrivilege 1968 msiexec.exe Token: SeIncBasePriorityPrivilege 1968 msiexec.exe Token: SeCreatePagefilePrivilege 1968 msiexec.exe Token: SeCreatePermanentPrivilege 1968 msiexec.exe Token: SeBackupPrivilege 1968 msiexec.exe Token: SeRestorePrivilege 1968 msiexec.exe Token: SeShutdownPrivilege 1968 msiexec.exe Token: SeDebugPrivilege 1968 msiexec.exe Token: SeAuditPrivilege 1968 msiexec.exe Token: SeSystemEnvironmentPrivilege 1968 msiexec.exe Token: SeChangeNotifyPrivilege 1968 msiexec.exe Token: SeRemoteShutdownPrivilege 1968 msiexec.exe Token: SeUndockPrivilege 1968 msiexec.exe Token: SeSyncAgentPrivilege 1968 msiexec.exe Token: SeEnableDelegationPrivilege 1968 msiexec.exe Token: SeManageVolumePrivilege 1968 msiexec.exe Token: SeImpersonatePrivilege 1968 msiexec.exe Token: SeCreateGlobalPrivilege 1968 msiexec.exe Token: SeCreateTokenPrivilege 1968 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1968 msiexec.exe Token: SeLockMemoryPrivilege 1968 msiexec.exe Token: SeIncreaseQuotaPrivilege 1968 msiexec.exe Token: SeMachineAccountPrivilege 1968 msiexec.exe Token: SeTcbPrivilege 1968 msiexec.exe Token: SeSecurityPrivilege 1968 msiexec.exe Token: SeTakeOwnershipPrivilege 1968 msiexec.exe Token: SeLoadDriverPrivilege 1968 msiexec.exe Token: SeSystemProfilePrivilege 1968 msiexec.exe Token: SeSystemtimePrivilege 1968 msiexec.exe Token: SeProfSingleProcessPrivilege 1968 msiexec.exe Token: SeIncBasePriorityPrivilege 1968 msiexec.exe Token: SeCreatePagefilePrivilege 1968 msiexec.exe Token: SeCreatePermanentPrivilege 1968 msiexec.exe Token: SeBackupPrivilege 1968 msiexec.exe Token: SeRestorePrivilege 1968 msiexec.exe Token: SeShutdownPrivilege 1968 msiexec.exe Token: SeDebugPrivilege 1968 msiexec.exe Token: SeAuditPrivilege 1968 msiexec.exe Token: SeSystemEnvironmentPrivilege 1968 msiexec.exe Token: SeChangeNotifyPrivilege 1968 msiexec.exe Token: SeRemoteShutdownPrivilege 1968 msiexec.exe Token: SeUndockPrivilege 1968 msiexec.exe Token: SeSyncAgentPrivilege 1968 msiexec.exe Token: SeEnableDelegationPrivilege 1968 msiexec.exe Token: SeManageVolumePrivilege 1968 msiexec.exe Token: SeImpersonatePrivilege 1968 msiexec.exe Token: SeCreateGlobalPrivilege 1968 msiexec.exe Token: SeCreateTokenPrivilege 1968 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 1968 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
msiexec.exedescription pid process target process PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe PID 996 wrote to memory of 1612 996 msiexec.exe MsiExec.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MeeTalk.msi1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 27A7AD9681B6D027525C71A781CE1BCF C2⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000057C" "00000000000003C0"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\MSI622D.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
C:\Users\Admin\AppData\Local\Temp\MSI655A.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
C:\Users\Admin\AppData\Local\Temp\MSI65B8.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
C:\Users\Admin\AppData\Local\Temp\MSI65B8.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
C:\Users\Admin\AppData\Local\Temp\MSI67AC.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
\Users\Admin\AppData\Local\Temp\MSI622D.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
\Users\Admin\AppData\Local\Temp\MSI655A.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
\Users\Admin\AppData\Local\Temp\MSI65B8.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1
-
\Users\Admin\AppData\Local\Temp\MSI67AC.tmpFilesize
374KB
MD55e33a5224c4d523a2517ba8a96aaff42
SHA112e41a9380cc890053b5c7e19769c76bfa1608d4
SHA256d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c
SHA512bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1