Overview

overview

7

Static

static

3

meiqia.exe

windows7-x64

7

meiqia.exe

windows10-1703-x64

7

meiqia.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    234s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28-08-2023 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    meiqia.exe

  • Size

    77.0MB

  • MD5

    271313fbc3ce884ecafc1499e8bd723e

  • SHA1

    59b0bc49a08858def6e80e942a27121de819c3e4

  • SHA256

    18914983f78c1484e78baa455c3485b3903ab08cf80c199ba6c3006f1152650c

  • SHA512

    f311aaf60e7c5c48dfb8207770b67fd6946eb60ccc21c80a5985feeab160acd6c4a28ab1deadb62ef773356a3882116472ae1f5b1505813cacff33ee93f81088

  • SSDEEP

    1572864:Nf0Qtdlg/eD8dI1LY0HswFYZxj6f+Uu6WjhwolICaTiw:Rhw/eD8dI15zG6mT6WtjlXjw

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\meiqia.exe
    "C:\Users\Admin\AppData\Local\Temp\meiqia.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\meiqia.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692975833 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:2508
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E9D7A7DCA5B274BB71D04ED05932A067 C
      2⤵
      • Loads dropped DLL
      PID:2200
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 91FC810E292717DCC4EA0EF3D08C4D5C C
      2⤵
      • Loads dropped DLL
      PID:2488
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1DD864705C1CC56C057753C15B746FC
      2⤵
      • Loads dropped DLL
      PID:928
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:2908
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000580" "0000000000000578"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2600

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSIB819.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBC4D.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBE41.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBE41.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBECF.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBFBA.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
      Filesize

      1.4MB

      MD5

      a4a92b6e4ee1d309373bcda57f25cab3

      SHA1

      8e0689795adb0f985761215e8786186093b67a01

      SHA256

      784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

      SHA512

      06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

      Download Submit

    • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
      Filesize

      1.4MB

      MD5

      a4a92b6e4ee1d309373bcda57f25cab3

      SHA1

      8e0689795adb0f985761215e8786186093b67a01

      SHA256

      784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

      SHA512

      06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

      Download Submit

    • C:\Windows\Installer\MSI7B48.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • C:\Windows\Installer\MSI7E07.tmp
      Filesize

      597KB

      MD5

      999c6b224a8215a8ffe9792c82d93754

      SHA1

      9aa98fd47aa4472a9d44c1d41233d9c767deee4c

      SHA256

      2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

      SHA512

      7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSIB819.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSIBC4D.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSIBE41.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSIBECF.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSIBFBA.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Windows\Installer\MSI7B48.tmp
      Filesize

      436KB

      MD5

      475d20c0ea477a35660e3f67ecf0a1df

      SHA1

      67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

      SHA256

      426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

      SHA512

      99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

      Download Submit

    • \Windows\Installer\MSI7E07.tmp
      Filesize

      597KB

      MD5

      999c6b224a8215a8ffe9792c82d93754

      SHA1

      9aa98fd47aa4472a9d44c1d41233d9c767deee4c

      SHA256

      2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

      SHA512

      7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

      Download Submit

    • memory/2636-30-0x0000000000470000-0x0000000000471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2636-0-0x0000000000470000-0x0000000000471000-memory.dmp

      Filesize

      4KB

      Download