43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1

General

Target

C558B828.Png.msi
Size

1.4MB
MD5

c12241be2c41ae69187ca9faf83494ff
SHA1

5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f
SHA256

43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1
SHA512

0b2dbf2278fef86a122952683668a795e76cb5e30c1d98b52f5fa5dbc9f1bc152c64aeeab69c9c4befd27ded3f879a3ebd9bc135c66e164d14ae5e8189c1b527
SSDEEP

24576:FsuDXXNwG04BMeRocDP1NPQDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:FVXdsi5ooAFeBRSw8vlQIzNSnf6y4

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 12 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI9C60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CCE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3A3.tmp	msiexec.exe
File created	C:\Windows\dbcode21mk.log	msiexec.exe
File created	C:\Windows\Installer\f769972.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f769972.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99FE.tmp	msiexec.exe
File created	C:\Windows\Installer\f769975.ipi	msiexec.exe
File created	C:\Windows\setupact64.log	msiexec.exe
File opened for modification	C:\Windows\Installer\f769975.ipi	msiexec.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exe

pid process

2548 MsiExec.exe
2548 MsiExec.exe
2548 MsiExec.exe
2548 MsiExec.exe

pid	process
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe
2548	MsiExec.exe

Modifies data under HKEY_USERS 31 IoCs

Processes:

netsh.exenetsh.exemsiexec.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

2852 msiexec.exe
2852 msiexec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

2768 msiexec.exe

pid	process
2852	msiexec.exe
2852	msiexec.exe

pid	process
2768	msiexec.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeSecurityPrivilege	2852	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2768	msiexec.exe
Token: SeLockMemoryPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeMachineAccountPrivilege	2768	msiexec.exe
Token: SeTcbPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeLoadDriverPrivilege	2768	msiexec.exe
Token: SeSystemProfilePrivilege	2768	msiexec.exe
Token: SeSystemtimePrivilege	2768	msiexec.exe
Token: SeProfSingleProcessPrivilege	2768	msiexec.exe
Token: SeIncBasePriorityPrivilege	2768	msiexec.exe
Token: SeCreatePagefilePrivilege	2768	msiexec.exe
Token: SeCreatePermanentPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeDebugPrivilege	2768	msiexec.exe
Token: SeAuditPrivilege	2768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2768	msiexec.exe
Token: SeChangeNotifyPrivilege	2768	msiexec.exe
Token: SeRemoteShutdownPrivilege	2768	msiexec.exe
Token: SeUndockPrivilege	2768	msiexec.exe
Token: SeSyncAgentPrivilege	2768	msiexec.exe
Token: SeEnableDelegationPrivilege	2768	msiexec.exe
Token: SeManageVolumePrivilege	2768	msiexec.exe
Token: SeImpersonatePrivilege	2768	msiexec.exe
Token: SeCreateGlobalPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2768 msiexec.exe
2768 msiexec.exe

pid	process
2768	msiexec.exe
2768	msiexec.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2548	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2852 wrote to memory of 2556	2852	msiexec.exe	MsiExec.exe
PID 2556 wrote to memory of 2672	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2672	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2672	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2672	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2376	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2376	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2376	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2376	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2408	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2408	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2408	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2408	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1664	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1664	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1664	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1664	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 928	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 928	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 928	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 928	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2536	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2536	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2536	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2536	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1048	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1048	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1048	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1048	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2976	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2976	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2976	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2976	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 240	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 240	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 240	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 240	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 936	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 936	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 936	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 936	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1624	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1624	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1624	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 1624	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2000	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2000	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2000	2556	MsiExec.exe	netsh.exe
PID 2556 wrote to memory of 2000	2556	MsiExec.exe	netsh.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\C558B828.Png.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A31BA7D5ADCFB66CBBDC8C8C24DB4286
2⤵
- Loads dropped DLL
PID:2548

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89A8A4038156C8152724B6525946714D M Global\MSI0000
2⤵
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
3⤵
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
3⤵
- Modifies data under HKEY_USERS
PID:2376

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
3⤵
- Modifies data under HKEY_USERS
PID:2408

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:1664

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:928

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
3⤵
- Modifies data under HKEY_USERS
PID:2536

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:1048

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:2976

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
3⤵
- Modifies data under HKEY_USERS
PID:240

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
3⤵
- Modifies data under HKEY_USERS
PID:936

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
3⤵
- Modifies data under HKEY_USERS
PID:1624

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
3⤵
- Modifies data under HKEY_USERS
PID:2000

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f769976.rbs
Filesize
2KB

MD5
7b331f619321de7e72941a817536de15

SHA1
ee84165452c1aa2fcbdeb2028d8327b80c2a447f

SHA256
109765d17662c86432c61b95a01cd04ffd4927d2596796981bd6c4e50a50f16e

SHA512
dbc75d19642941ef4ef6f6ff036dc1cc3cc895327c6bc902a9df82123d3596b26fbdc27888da880cf247c70b8686c2081649d7316e2e589f1efe13cc904d02a4

Download Submit
C:\Windows\Installer\MSI99FE.tmp
Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
\Windows\Installer\MSI9CCE.tmp
Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
memory/2548-5-0x0000000074400000-0x0000000074465000-memory.dmp

Filesize
404KB

Download
memory/2548-6-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2548-11-0x0000000074400000-0x0000000074465000-memory.dmp

Filesize
404KB

Download
memory/2548-18-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download
memory/2548-17-0x0000000074420000-0x0000000074470000-memory.dmp

Filesize
320KB

Download
memory/2548-23-0x0000000074400000-0x0000000074465000-memory.dmp

Filesize
404KB

Download
memory/2548-12-0x00000000001E0000-0x00000000001E3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads