Analysis

  • max time kernel: 1799s
  • max time network: 1749s
  • platform: windows10-1703_x64
  • resource: win10-20240404-en
  • resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted: 28/06/2024, 11:10

General

  • Target: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
  • Size: 3.0MB
  • MD5: a1795b41cf04bc3c549896a40cd116f9
  • SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
  • SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
  • SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
  • SSDEEP: 98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 7 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5044
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:3044
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F8807C7460B15C5EB6B77B43F381C009
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:1888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 22C4A00E450985066105E02B86BCB2B9 E Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3752
      • C:\Windows\syswow64\sc.exe
        "sc.exe" config wagent start= auto
        3⤵
        • Launches sc.exe
        PID:4140
      • C:\Windows\syswow64\sc.exe
        "sc.exe" start wagent
        3⤵
        • Launches sc.exe
        PID:528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:516
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
    1⤵
    PID:1540
  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
    "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
      "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1012

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Config.Msi\e57be01.rbs
    Filesize: 189KB
    MD5: 456e6de450dda91e6689811ee76b6463
    SHA1: 52e86248c6d17ba7b277a259e7a667fa0ed73552
    SHA256: eb400e5f0be4ebebde0a4f9bb5bb7a81ba715415b09131796861d31668181f49
    SHA512: 1e838355f60056e858df95943c6cc251c0fd2a92e22daa647f62aca38530e0015599db87c90f7b035d2037adeb59beff2619379b96f7d8bd26ad13a5542dac4c
  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
    Filesize: 6.6MB
    MD5: 8c6a80e02dd88f70e58d89a4891782a5
    SHA1: a51f91764883d9db6c66021e766476e24fa93d36
    SHA256: 3275792298097a5332447e9f342637de7d856bee34926b1182aa26307bc1bea8
    SHA512: 50f879d480c64db5da402940e93eb69a4bcbd9b568067c7e68c409fab396e648a01562dc5288a5879b5dc961c67014eefa3b7f2bcf5fae50fcc1dcbf81d72b53
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
    Filesize: 834B
    MD5: a0af4d81b2b19a99a3d01be89d5f99d9
    SHA1: 4725c1a810005f860ede9dace7f1e5a20e5230d6
    SHA256: de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a
    SHA512: eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 5B
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
    Filesize: 1KB
    MD5: 4c57191c9667009598b4fb8bc4ce1bfb
    SHA1: 0c348755947ae8ef07e9db6c186fdbe40e813d24
    SHA256: 007d8ccb5ee3001832e284c963403e0123c8f7e73a809bef8cc521d0b9bc7d63
    SHA512: fc744c437e185ded7218d8f8c9fefdf5f821d7d5fc6f007397f12f0475acca2ab853239477b3e994a50e97322ec12a7cf4da092fdedee34557282080458cb80e
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
    Filesize: 180B
    MD5: 3fcb0f68b73c86c69d3f28c7f6170d0f
    SHA1: d6dc22b20044323784e3b6acd0c10c10d8c47ec8
    SHA256: 542556b662e8de3ad75855cd1d615d5051397125e19cb6fe3b5b18424414da20
    SHA512: dc35cbfc48ebb7954db0d8f81c41026fddf5b7b62a352c90ae70bfea1600efd3873c409e34215805315b26aba08fb01cf3a88039dbcbe6dd12d605b03e4ff846
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 398B
    MD5: 8aa4fa37875fd347a62f35b11c3a35ca
    SHA1: 5b24788a0d7ad17870a2539eb48d11c18501756e
    SHA256: a4002295ce33382bdcfe1d87b11b356953097be4a13d589f98b9fe9f8caf00b6
    SHA512: 66f5fc015eea5e14312ee6f9cc7458279060fbf4586bd89d6344e0230e94680d6b3525e243d014be26ef7d3e41258a3b6353f4324fbe04621d21cf84c2fe72be
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
    Filesize: 406B
    MD5: ef90f3c6bcbe61ee6c3a31d40bdffd30
    SHA1: dd9a1e752570e2b2deead346b58ea50c748fde7b
    SHA256: 0cf737613fb6d21eabe909ea7b48a4a5c37d94dc06e0c52053e6dea8121fe52b
    SHA512: f190979dd1833ea7c2aa0c2aada1b5e00f9860e2c5323c879333bda1c33bdccb1e44f48db96581946d11eb5a00ac8943e79ab6caf039fcd6cf850f98a1cb95ac
  • C:\Windows\Installer\MSIBF0B.tmp
    Filesize: 181KB
    MD5: b1298b75b1c09fdbb3906aeec500f066
    SHA1: d84b4fe247a47ea7649f75e88791d34a60454f2e
    SHA256: 826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e
    SHA512: 2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5
  • C:\Windows\Installer\e57be00.msi
    Filesize: 3.0MB
    MD5: a1795b41cf04bc3c549896a40cd116f9
    SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
    SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
    SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 26.0MB
    MD5: 45399ed46670673c596905e1fc89cd71
    SHA1: a414cc0d8d5195feb2efbc4f294f9afabae1a6f9
    SHA256: 9d8f5a19c873913a90f4097d76a2b4fc28038ac037c4659b63c360d2db5c5af4
    SHA512: eb529c4e54c058c8a0cd7c8d2ce2ac3fce1d674103d8563f9a7c75e3c210ebe5e621ed746956c7d4e387d176906eca6651cfdffcac9a63a5cf764d5baf3df4f3
  • \??\Volume{38fc2686-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5fff566c-b639-4fc7-81a7-90f9934de789}_OnDiskSnapshotProp
    Filesize: 5KB
    MD5: d7185262c9bf923cc040af5561634c32
    SHA1: 5ac9847166fac371a2bca76aafb4dae1e188236b
    SHA256: 9d0281c0422e0326394eebb0ed79149ac98197c76028ccf188d651c622a8fda6
    SHA512: 6675658554dea3e393791f401700ca661942b8a27aa1253e8bc94716ed4af025c5339d112ed841a8ee6e42b0c4f3f311d5895ffae249e320b02a8edf997af7cf