Analysis
-
max time kernel
31s -
max time network
37s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
09-04-2023 09:55
Errors
General
-
Target
SMB1.msi
-
Size
2.6MB
-
MD5
5bab2f1dd53b3ae08dab8a1a2d7c145c
-
SHA1
2225b068ab2ca4c021d3baba82b8a950e8004fe4
-
SHA256
78375c2ea7c8fb7fb40d41f750eab63271348a11559ddb71410b16e66326d373
-
SHA512
86eb2bd142cb38c621cd51e146ab70702802577ceb6bbe3f4cf96d3c6c59a63c0ee34ab6119519f162e33a92f6997000f0659b93f3bfff9b431d2dcab223cbe5
-
SSDEEP
49152:eCxZBWV19qVgK35goah9ZXT8IQXdZXPNH5fRTQCZ:POE5cpsXd3T
Malware Config
Signatures
-
ASPack v2.12-2.42 11 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Loads dropped DLL 5 IoCs
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 14 IoCs
-
Modifies data under HKEY_USERS 28 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SMB1.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1967E60859E34143BDADF7AC21F467412⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B08430095E0B76AB27F1490CD8B8847D E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=21 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e56a484.rbsFilesize
2KB
MD5f88352c63a633bce7e62935e4dac1cf6
SHA168e53f47b824bd449185a2ec4dbd2828dbeb8061
SHA2567172cea0100da8428d12e9423ff399b3999a493ffd67c8bf812fce6b4dab1878
SHA51283e95fbe50f038d8b4bfbc4e0531da92f1ec22f57ead7ac016484c5a1f79f8e3992cb5d34b34dfd8f6a229440650e87aa721efc272eae47dfcef7cb2639a1996
-
C:\Windows\Installer\MSIA55D.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
C:\Windows\Installer\MSIA7CF.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
C:\Windows\Installer\MSIA86C.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
C:\Windows\Installer\MSIA86C.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
C:\Windows\Installer\MSIA919.tmpFilesize
288KB
MD5c625553f92e25719a64f0ee9805e9a69
SHA1e53066055bb35818b9fc1d9717f5a035b39139f1
SHA256d62ba3fe050f85f818582acccaf49a499c6fcaed23a2b914c08626e8b8cf4286
SHA5128e0875946f115166dc2a54d73f0d5cfdee3aa4d669bf86623e74b0363d1863c4fea18ba0ce2e3335fd4a9385924026f0dc11973ef4405502625ef8ecabe54273
-
C:\Windows\Installer\MSIA9D5.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
\Windows\Installer\MSIA55D.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
\Windows\Installer\MSIA7CF.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
\Windows\Installer\MSIA86C.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
\Windows\Installer\MSIA919.tmpFilesize
288KB
MD5c625553f92e25719a64f0ee9805e9a69
SHA1e53066055bb35818b9fc1d9717f5a035b39139f1
SHA256d62ba3fe050f85f818582acccaf49a499c6fcaed23a2b914c08626e8b8cf4286
SHA5128e0875946f115166dc2a54d73f0d5cfdee3aa4d669bf86623e74b0363d1863c4fea18ba0ce2e3335fd4a9385924026f0dc11973ef4405502625ef8ecabe54273
-
\Windows\Installer\MSIA9D5.tmpFilesize
227KB
MD586ae9ede65e1163d5f98d52c0c402c2f
SHA131e01227bc4225733dd593c19ab95d3e3708f8d4
SHA2564dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
SHA5122c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a
-
memory/4764-139-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-146-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-145-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-151-0x00000000736A0000-0x000000007372A000-memory.dmpFilesize
552KB
-
memory/4764-152-0x00000000736A0000-0x000000007372A000-memory.dmpFilesize
552KB
-
memory/4764-140-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-134-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-159-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-160-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-162-0x00000000736A0000-0x000000007372A000-memory.dmpFilesize
552KB
-
memory/4764-161-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-163-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB
-
memory/4764-133-0x00000000736C0000-0x0000000073723000-memory.dmpFilesize
396KB