Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 09:08

Static task: static1

Behavioral task: behavioral1
- Sample: SecureClientInstaller.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: SecureClientInstaller.exe
- Resource: win10v2004-20240226-en
General
- Target: SecureClientInstaller.exe
- Size: 15.8MB
- MD5: d3b4eacce35fb5b50b0f45f35119508c
- SHA1: 18ae2430f7ea7ae5e92e95ca251711a59738f31f
- SHA256: edaa4e44df8652613f83cab2b7790f3a8c0086fee134747747afc139e5481ad4
- SHA512: 877829fc113b126094a96170a860cfbd2e54b7b1a4fecf7d21f1722922ae0183ffc7bf154b7fc6afdc6d3dc2cf4e619c72fdbb16c0444b52486042e6f1781235
- SSDEEP: 393216:j3JQVz1M/0XRlPzAuIhlQd5A1eT67vXUFjyO/Nk:gC0Pbxc/eTAUlymC
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2172 | SecureClientInstaller.tmp

- Loads dropped DLL (2 IoCs)
  pid | Process
  2008 | SecureClientInstaller.exe
  2172 | SecureClientInstaller.tmp

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecureClient = "C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\client32.exe" | SecureClientInstaller.tmp

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  2172 | SecureClientInstaller.tmp
  2172 | SecureClientInstaller.tmp
  2436 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2436 | powershell.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2172 | SecureClientInstaller.tmp

- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2008 wrote to memory of 2172 | 2008 | SecureClientInstaller.exe | 28
  PID 2172 wrote to memory of 2436 | 2172 | SecureClientInstaller.tmp | 29
  PID 2172 wrote to memory of 2436 | 2172 | SecureClientInstaller.tmp | 29
  PID 2172 wrote to memory of 2436 | 2172 | SecureClientInstaller.tmp | 29
  PID 2172 wrote to memory of 2436 | 2172 | SecureClientInstaller.tmp | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecureClientInstaller.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecureClientInstaller.exe"
   PID: 2008
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-EJ3A5.tmp\SecureClientInstaller.tmp (child of PID 2008)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-EJ3A5.tmp\SecureClientInstaller.tmp" /SL5="$70120,15648808,1044992,C:\Users\Admin\AppData\Local\Temp\SecureClientInstaller.exe"
      PID: 2172
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of PID 2172)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-6UA5M.tmp\temp_script.ps1"
         PID: 2436
         - Drops file in System32 directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15