Analysis
max time kernel: 1799s
max time network: 1559s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 28/06/2024, 11:10
Static task: static1
Behavioral task behavioral1: Sample "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi", Resource win10-20240404-en
Behavioral task behavioral2: Sample "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi", Resource win7-20240508-en
Behavioral task behavioral3: Sample "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi", Resource win10v2004-20240226-en
Behavioral task behavioral4: Sample "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi", Resource win11-20240611-en
General
Target: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Size: 3.0MB
MD5: a1795b41cf04bc3c549896a40cd116f9
SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
SSDEEP: 98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)

| flow | pid | Process |
| --- | --- | --- |
| 3 | 2348 | msiexec.exe |
| 5 | 2348 | msiexec.exe |
| 7 | 2348 | msiexec.exe |
| 9 | 2348 | msiexec.exe |
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
Drops file in Program Files directory (1 IoC)

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe | msiexec.exe |
Drops file in Windows directory (20 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File created | C:\Windows\Installer\wix{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}.SchedServiceConfig.rmi | MsiExec.exe |
| File opened for modification | C:\Windows\Installer\MSI3455.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI2F6E.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI2FCD.tmp | msiexec.exe |
| File created | C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico | msiexec.exe |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe |
| File opened for modification | C:\Windows\Installer\f762db5.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI2EA1.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI3106.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI2EB1.tmp | msiexec.exe |
| File created | C:\Windows\Installer\f762db8.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI3174.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI327F.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f762db6.ipi | msiexec.exe |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe |
| File created | C:\Windows\Installer\f762db5.msi | msiexec.exe |
| File created | C:\Windows\Installer\f762db6.ipi | msiexec.exe |
Executes dropped EXE (2 IoCs)

| pid | Process |
| --- | --- |
| 1484 | WAgent.exe |
| 1084 | WAgent.exe |
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.

| pid | Process |
| --- | --- |
| 576 | sc.exe |
| 780 | sc.exe |
Loads dropped DLL (8 IoCs)

| pid | Process |
| --- | --- |
| 2284 | MsiExec.exe |
| 2284 | MsiExec.exe |
| 2296 | MsiExec.exe |
| 2296 | MsiExec.exe |
| 2296 | MsiExec.exe |
| 2296 | MsiExec.exe |
| 1484 | WAgent.exe |
| 2284 | MsiExec.exe |
Modifies data under HKEY_USERS (46 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe |
Modifies registry class (24 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\ProductFeature | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Language = "1033" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\InstanceType = "0" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\PackageName = "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi" | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Clients = 3a0000000000 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\PackageCode = "40C6AE0483584624EB88E5E90F57CB91" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Assignment = "1" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductIcon = "C:\\Windows\\Installer\\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\\ProductIcon.ico" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\DeploymentFlags = "3" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media\1 = ";" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductName = "Netsweeper Workstation Agent" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AdvertiseFlags = "388" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AuthorizedLUAApp = "0" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859\34CAC2D408B29E64D84FFCFBCB0930D9 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\CM_C_WAgent = "ProductFeature" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9 | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Version = "51838989" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList | msiexec.exe |
Suspicious behavior: EnumeratesProcesses (4 IoCs)

| pid | Process |
| --- | --- |
| 2284 | MsiExec.exe |
| 2296 | MsiExec.exe |
| 1484 | WAgent.exe |
| 1484 | WAgent.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 2348 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2348 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeSecurityPrivilege | 2556 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 2348 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 2348 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 2348 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 2348 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 2348 | msiexec.exe |
| Token: SeTcbPrivilege | 2348 | msiexec.exe |
| Token: SeSecurityPrivilege | 2348 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2348 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 2348 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 2348 | msiexec.exe |
| Token: SeSystemtimePrivilege | 2348 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 2348 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 2348 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 2348 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 2348 | msiexec.exe |
| Token: SeBackupPrivilege | 2348 | msiexec.exe |
| Token: SeRestorePrivilege | 2348 | msiexec.exe |
| Token: SeShutdownPrivilege | 2348 | msiexec.exe |
| Token: SeDebugPrivilege | 2348 | msiexec.exe |
| Token: SeAuditPrivilege | 2348 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 2348 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 2348 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 2348 | msiexec.exe |
| Token: SeUndockPrivilege | 2348 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 2348 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 2348 | msiexec.exe |
| Token: SeManageVolumePrivilege | 2348 | msiexec.exe |
| Token: SeImpersonatePrivilege | 2348 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 2348 | msiexec.exe |
| Token: SeBackupPrivilege | 3008 | vssvc.exe |
| Token: SeRestorePrivilege | 3008 | vssvc.exe |
| Token: SeAuditPrivilege | 3008 | vssvc.exe |
| Token: SeBackupPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 1824 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1824 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1824 | DrvInst.exe |
| Token: SeLoadDriverPrivilege | 1824 | DrvInst.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeRestorePrivilege | 2556 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 2556 | msiexec.exe |
| Token: SeShutdownPrivilege | 2296 | MsiExec.exe |
Suspicious use of FindShellTrayWindow (64 IoCs)

| pid | Process |
| --- | --- |
| 2348 | msiexec.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 2348 | msiexec.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
Suspicious use of SendNotifyMessage (64 IoCs)

| pid | Process |
| --- | --- |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
| --- | --- |
| 1084 | WAgent.exe |
| 1084 | WAgent.exe |
Suspicious use of WriteProcessMemory (26 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2284 | 2556 | msiexec.exe | 32 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2556 wrote to memory of 2296 | 2556 | msiexec.exe | 33 |
| PID 2296 wrote to memory of 780 | 2296 | MsiExec.exe | 34 |
| PID 2296 wrote to memory of 780 | 2296 | MsiExec.exe | 34 |
| PID 2296 wrote to memory of 780 | 2296 | MsiExec.exe | 34 |
| PID 2296 wrote to memory of 780 | 2296 | MsiExec.exe | 34 |
| PID 2296 wrote to memory of 576 | 2296 | MsiExec.exe | 36 |
| PID 2296 wrote to memory of 576 | 2296 | MsiExec.exe | 36 |
| PID 2296 wrote to memory of 576 | 2296 | MsiExec.exe | 36 |
| PID 2296 wrote to memory of 576 | 2296 | MsiExec.exe | 36 |
| PID 1484 wrote to memory of 1084 | 1484 | WAgent.exe | 39 |
| PID 1484 wrote to memory of 1084 | 1484 | WAgent.exe | 39 |
| PID 1484 wrote to memory of 1084 | 1484 | WAgent.exe | 39 |
| PID 1484 wrote to memory of 1084 | 1484 | WAgent.exe | 39 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child nesting)
- C:\Windows\system32\msiexec.exe (PID 2348)
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2556)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2284, child of 2556)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3A02790F4DC17F3272931CF43D024D7
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\syswow64\MsiExec.exe (PID 2296, child of 2556)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 89AA8650638E51DD4D96F5858620B2F8 M Global\MSI0000
    - Drops file in Windows directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\syswow64\sc.exe (PID 780, child of 2296)
      Command line: "sc.exe" config wagent start= auto
      - Launches sc.exe
    - C:\Windows\syswow64\sc.exe (PID 576, child of 2296)
      Command line: "sc.exe" start wagent
      - Launches sc.exe
- C:\Windows\system32\vssvc.exe (PID 3008)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 1824)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005B8" "00000000000004C4"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe (PID 1484)
  Command line: "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe (PID 1084, child of 1484)
    Command line: "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads