Overview

overview

7

Static

static

3

meiqia.exe

windows7-x64

7

meiqia.exe

windows10-1703-x64

7

meiqia.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    287s
  • max time network
    257s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-08-2023 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    meiqia.exe

  • Size

    77.0MB

  • MD5

    271313fbc3ce884ecafc1499e8bd723e

  • SHA1

    59b0bc49a08858def6e80e942a27121de819c3e4

  • SHA256

    18914983f78c1484e78baa455c3485b3903ab08cf80c199ba6c3006f1152650c

  • SHA512

    f311aaf60e7c5c48dfb8207770b67fd6946eb60ccc21c80a5985feeab160acd6c4a28ab1deadb62ef773356a3882116472ae1f5b1505813cacff33ee93f81088

  • SSDEEP

    1572864:Nf0Qtdlg/eD8dI1LY0HswFYZxj6f+Uu6WjhwolICaTiw:Rhw/eD8dI15zG6mT6WtjlXjw

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\meiqia.exe
    "C:\Users\Admin\AppData\Local\Temp\meiqia.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\meiqia.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692994647 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:3112
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8516CC1B8ADA33B2A7E6A1423A970B13 C
      2⤵
      • Loads dropped DLL
      PID:3568
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2DF1ED0FCD78B980A7E0334AB701449D C
      2⤵
      • Loads dropped DLL
      PID:4632
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:308
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 66D5B78B0AF203B5C2EF65FC3309C79E
        2⤵
        • Loads dropped DLL
        PID:3036
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:4488
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
        • Modifies data under HKEY_USERS
        PID:3584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MSIA569.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIA884.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIA9FC.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIA9FC.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAAB9.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAB18.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAC90.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
        Filesize

        1.4MB

        MD5

        a4a92b6e4ee1d309373bcda57f25cab3

        SHA1

        8e0689795adb0f985761215e8786186093b67a01

        SHA256

        784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

        SHA512

        06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
        Filesize

        1.4MB

        MD5

        a4a92b6e4ee1d309373bcda57f25cab3

        SHA1

        8e0689795adb0f985761215e8786186093b67a01

        SHA256

        784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

        SHA512

        06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通1.cab
        Filesize

        72.8MB

        MD5

        9fe464c0fd15d162e89056b9b38f8bb7

        SHA1

        2c4a59ea47613b85cea6b0b6059126deaa06856a

        SHA256

        19542ce5c90bbe78864069d5ad75dde935cd07b94429be61790dd8e7910a4821

        SHA512

        cda8d43ebb1db6c9810d279a8f9af02f28cdd7ca4d548ca2c0cf2948b9cc53a32fb2d2bdb471b2845afc2d45f404cba126a93c008a39966d56e9752ca05f7b52

        Download Submit

      • C:\Windows\Installer\MSI12A4.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI141C.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI14D8.tmp
        Filesize

        597KB

        MD5

        999c6b224a8215a8ffe9792c82d93754

        SHA1

        9aa98fd47aa4472a9d44c1d41233d9c767deee4c

        SHA256

        2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

        SHA512

        7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        25.0MB

        MD5

        21157edd3f7dd203fd90b0f3fd21f8b8

        SHA1

        6cd4353056c4eee85349b996ac6a38322023448d

        SHA256

        b01d12a499cc4bd8cd1d9964442abe4a1717bd691d8ab13cac0bea5e5af36835

        SHA512

        86afeec2d0315f8380aeb809977cc243ce0e20a0ba715a793e2c3bf782647683ae55b416f03505f21a920917aa0aa3a5669e0d1156205ebf5a646994be8c7b0f

        Download Submit

      • \??\Volume{2aa6c8f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b5238912-d4d1-48fc-8c6a-4479baf27044}_OnDiskSnapshotProp
        Filesize

        5KB

        MD5

        a107604d229440727247ccea8a953abf

        SHA1

        b305a13d2bf3084e037c7b5da972b7ff902f7213

        SHA256

        59b70ac5e95d9603224438f753d2122785668ab8c5a6acfd9781977800f1b743

        SHA512

        77ae97de3bdea20a952f199d7601ffde8e4d1be496cbebc5eb1ae9abfba46a9a6d2d5c115ac4fcb8184c419c2eaaa89fb9d316faa980c63927f91b8d6ad3431f

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIA569.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIA884.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIA9FC.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIAAB9.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIAB18.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Users\Admin\AppData\Local\Temp\MSIAC90.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Windows\Installer\MSI12A4.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Windows\Installer\MSI141C.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • \Windows\Installer\MSI14D8.tmp
        Filesize

        597KB

        MD5

        999c6b224a8215a8ffe9792c82d93754

        SHA1

        9aa98fd47aa4472a9d44c1d41233d9c767deee4c

        SHA256

        2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

        SHA512

        7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

        Download Submit