Overview

overview

7

Static

static

3

meiqia.exe

windows7-x64

7

meiqia.exe

windows10-1703-x64

7

meiqia.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    297s
  • max time network
    300s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-08-2023 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    meiqia.exe

  • Size

    77.0MB

  • MD5

    271313fbc3ce884ecafc1499e8bd723e

  • SHA1

    59b0bc49a08858def6e80e942a27121de819c3e4

  • SHA256

    18914983f78c1484e78baa455c3485b3903ab08cf80c199ba6c3006f1152650c

  • SHA512

    f311aaf60e7c5c48dfb8207770b67fd6946eb60ccc21c80a5985feeab160acd6c4a28ab1deadb62ef773356a3882116472ae1f5b1505813cacff33ee93f81088

  • SSDEEP

    1572864:Nf0Qtdlg/eD8dI1LY0HswFYZxj6f+Uu6WjhwolICaTiw:Rhw/eD8dI15zG6mT6WtjlXjw

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\meiqia.exe
    "C:\Users\Admin\AppData\Local\Temp\meiqia.exe"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\meiqia.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692994648 "
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:4264
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3800
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 07867C19F61720552E2928630C0DAD21 C
      2⤵
      • Loads dropped DLL
      PID:5052
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 26C4ADFE20E21C72675282139D017564 C
      2⤵
      • Loads dropped DLL
      PID:2892
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1048
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 3462D882A093868A0EEB3353A230195B
        2⤵
        • Loads dropped DLL
        PID:4744
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:4136

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\MSIA847.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIA847.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIABA1.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIABA1.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAC9C.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAC9C.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAC9C.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIACDC.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIACDC.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAD2B.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAD2B.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAF10.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIAF10.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
        Filesize

        1.4MB

        MD5

        a4a92b6e4ee1d309373bcda57f25cab3

        SHA1

        8e0689795adb0f985761215e8786186093b67a01

        SHA256

        784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

        SHA512

        06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通.msi
        Filesize

        1.4MB

        MD5

        a4a92b6e4ee1d309373bcda57f25cab3

        SHA1

        8e0689795adb0f985761215e8786186093b67a01

        SHA256

        784bde7381b3ffd64fb6348150a7bc8b3c9bd037d5b9b5e5079fe7d6e7fcace8

        SHA512

        06d73a6e0c5046e2c99215eb6f0b6e2be588e1edc557c7750f7f7a7354cdece6b688a0c6226f0a8033b86b1e6842d4bfaeeca02d6a6805875022cb70bc36c170

        Download Submit

      • C:\Users\Admin\AppData\Roaming\mqq\美洽桥梁一点通 1.3.0\install\美洽桥梁一点通1.cab
        Filesize

        72.8MB

        MD5

        9fe464c0fd15d162e89056b9b38f8bb7

        SHA1

        2c4a59ea47613b85cea6b0b6059126deaa06856a

        SHA256

        19542ce5c90bbe78864069d5ad75dde935cd07b94429be61790dd8e7910a4821

        SHA512

        cda8d43ebb1db6c9810d279a8f9af02f28cdd7ca4d548ca2c0cf2948b9cc53a32fb2d2bdb471b2845afc2d45f404cba126a93c008a39966d56e9752ca05f7b52

        Download Submit

      • C:\Windows\Installer\MSI3CB1.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI3CB1.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI3D6E.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI3D6E.tmp
        Filesize

        436KB

        MD5

        475d20c0ea477a35660e3f67ecf0a1df

        SHA1

        67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

        SHA256

        426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

        SHA512

        99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

        Download Submit

      • C:\Windows\Installer\MSI3E1B.tmp
        Filesize

        597KB

        MD5

        999c6b224a8215a8ffe9792c82d93754

        SHA1

        9aa98fd47aa4472a9d44c1d41233d9c767deee4c

        SHA256

        2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

        SHA512

        7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

        Download Submit

      • C:\Windows\Installer\MSI3E1B.tmp
        Filesize

        597KB

        MD5

        999c6b224a8215a8ffe9792c82d93754

        SHA1

        9aa98fd47aa4472a9d44c1d41233d9c767deee4c

        SHA256

        2e15823e8384eb7a15cb5daae61ebb031f3928bc511e74115d950afa98ef9572

        SHA512

        7438d35e7263b8b9918c163beafeb18bc35cab7b8577487e24089517016b85e8e13817f13caee011bb1e4ed35af28d3a91e99950c24a2566c0b6453092fa1347

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.0MB

        MD5

        f71b9ef4af58ca956faad72c54e0fc2b

        SHA1

        7d6c7c9a7ac4126d467505810914b3d5f165758c

        SHA256

        39d9635137c1e33bf95c2862bc8b4069083156e7b8dfc046ccaee8ee6122c2a8

        SHA512

        130c15b72ac4e369fb0fa29887f94bac295621074a22cfc3ca8f5526c033121de3a48e79ca33be38c7de885e3cd8f76b75648dfa760408b70e1345fb65ec2a91

        Download Submit

      • \??\Volume{ec0ccd79-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b394cf1e-d915-4f7e-a8aa-de183cf265ec}_OnDiskSnapshotProp
        Filesize

        5KB

        MD5

        cc7c7c6e3f7031aec10f5f9065e4f3dc

        SHA1

        3b90af4a9b009ae8ff0839c40dcaedfed0ae5f5b

        SHA256

        8dcad0934a2e7e2262fad13c1dc965a37764112d59411a049c2d524a2bb9b248

        SHA512

        72dfa759ae5d75f8a44127587a3ef64e99301fd12f0202a0e5cce02ee4054ff8ba1753b518d98996d2ababed2cf70180893111d40d374d7d14a2e3c7b64f1cd9

        Download Submit