c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690

Analysis

max time kernel
1799s
max time network
1559s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Size

3.0MB
MD5

a1795b41cf04bc3c549896a40cd116f9
SHA1

40268e1facb97e9ae542e9beae0db8b644a1d537
SHA256

c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
SHA512

ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
SSDEEP

98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2348	msiexec.exe
5	2348	msiexec.exe
7	2348	msiexec.exe
9	2348	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\wix{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI3455.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FCD.tmp	msiexec.exe
File created	C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f762db5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EA1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3106.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EB1.tmp	msiexec.exe
File created	C:\Windows\Installer\f762db8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3174.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI327F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762db6.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f762db5.msi	msiexec.exe
File created	C:\Windows\Installer\f762db6.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1484	WAgent.exe
1084	WAgent.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
576	sc.exe
780	sc.exe

Loads dropped DLL 8 IoCs

pid	Process
2284	MsiExec.exe
2284	MsiExec.exe
2296	MsiExec.exe
2296	MsiExec.exe
2296	MsiExec.exe
2296	MsiExec.exe
1484	WAgent.exe
2284	MsiExec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\PackageName = "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\PackageCode = "40C6AE0483584624EB88E5E90F57CB91"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductIcon = "C:\\Windows\\Installer\\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\\ProductIcon.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductName = "Netsweeper Workstation Agent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859\34CAC2D408B29E64D84FFCFBCB0930D9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\CM_C_WAgent = "ProductFeature"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Version = "51838989"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2284	MsiExec.exe
2296	MsiExec.exe
1484	WAgent.exe
1484	WAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeSecurityPrivilege	2556	msiexec.exe
Token: SeCreateTokenPrivilege	2348	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2348	msiexec.exe
Token: SeLockMemoryPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeMachineAccountPrivilege	2348	msiexec.exe
Token: SeTcbPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeLoadDriverPrivilege	2348	msiexec.exe
Token: SeSystemProfilePrivilege	2348	msiexec.exe
Token: SeSystemtimePrivilege	2348	msiexec.exe
Token: SeProfSingleProcessPrivilege	2348	msiexec.exe
Token: SeIncBasePriorityPrivilege	2348	msiexec.exe
Token: SeCreatePagefilePrivilege	2348	msiexec.exe
Token: SeCreatePermanentPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeDebugPrivilege	2348	msiexec.exe
Token: SeAuditPrivilege	2348	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2348	msiexec.exe
Token: SeChangeNotifyPrivilege	2348	msiexec.exe
Token: SeRemoteShutdownPrivilege	2348	msiexec.exe
Token: SeUndockPrivilege	2348	msiexec.exe
Token: SeSyncAgentPrivilege	2348	msiexec.exe
Token: SeEnableDelegationPrivilege	2348	msiexec.exe
Token: SeManageVolumePrivilege	2348	msiexec.exe
Token: SeImpersonatePrivilege	2348	msiexec.exe
Token: SeCreateGlobalPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	3008	vssvc.exe
Token: SeRestorePrivilege	3008	vssvc.exe
Token: SeAuditPrivilege	3008	vssvc.exe
Token: SeBackupPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	1824	DrvInst.exe
Token: SeLoadDriverPrivilege	1824	DrvInst.exe
Token: SeLoadDriverPrivilege	1824	DrvInst.exe
Token: SeLoadDriverPrivilege	1824	DrvInst.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeRestorePrivilege	2556	msiexec.exe
Token: SeTakeOwnershipPrivilege	2556	msiexec.exe
Token: SeShutdownPrivilege	2296	MsiExec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2348	msiexec.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
2348	msiexec.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe
1084	WAgent.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1084	WAgent.exe
1084	WAgent.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2284	2556	msiexec.exe	32
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2556 wrote to memory of 2296	2556	msiexec.exe	33
PID 2296 wrote to memory of 780	2296	MsiExec.exe	34
PID 2296 wrote to memory of 780	2296	MsiExec.exe	34
PID 2296 wrote to memory of 780	2296	MsiExec.exe	34
PID 2296 wrote to memory of 780	2296	MsiExec.exe	34
PID 2296 wrote to memory of 576	2296	MsiExec.exe	36
PID 2296 wrote to memory of 576	2296	MsiExec.exe	36
PID 2296 wrote to memory of 576	2296	MsiExec.exe	36
PID 2296 wrote to memory of 576	2296	MsiExec.exe	36
PID 1484 wrote to memory of 1084	1484	WAgent.exe	39
PID 1484 wrote to memory of 1084	1484	WAgent.exe	39
PID 1484 wrote to memory of 1084	1484	WAgent.exe	39
PID 1484 wrote to memory of 1084	1484	WAgent.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2348

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3A02790F4DC17F3272931CF43D024D7
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89AA8650638E51DD4D96F5858620B2F8 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\syswow64\sc.exe
    "sc.exe" config wagent start= auto
    3⤵
    - Launches sc.exe
    PID:780
- - C:\Windows\syswow64\sc.exe
    "sc.exe" start wagent
    3⤵
    - Launches sc.exe
    PID:576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005B8" "00000000000004C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
"C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
  "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762db7.rbs

Filesize
189KB

MD5
b2b86508bf10112e5158e626bdde9407

SHA1
a306b1e2fdef53c580982ac89d3328ed104be480

SHA256
249147125c4ccc3697a168c7d1934051b34d5a62050b5fc9e0003a13c2107063

SHA512
ad8d779ad37f6d886acd4a75e02f09b4054c21732d025c34087003947fd605a9b204437807bd31518f0589e9ad1055601da59bc91252999fb18c128a19b79732

Download Submit
C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe

Filesize
6.6MB

MD5
8c6a80e02dd88f70e58d89a4891782a5

SHA1
a51f91764883d9db6c66021e766476e24fa93d36

SHA256
3275792298097a5332447e9f342637de7d856bee34926b1182aa26307bc1bea8

SHA512
50f879d480c64db5da402940e93eb69a4bcbd9b568067c7e68c409fab396e648a01562dc5288a5879b5dc961c67014eefa3b7f2bcf5fae50fcc1dcbf81d72b53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
a0af4d81b2b19a99a3d01be89d5f99d9

SHA1
4725c1a810005f860ede9dace7f1e5a20e5230d6

SHA256
de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

SHA512
eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188

Filesize
1KB

MD5
4c57191c9667009598b4fb8bc4ce1bfb

SHA1
0c348755947ae8ef07e9db6c186fdbe40e813d24

SHA256
007d8ccb5ee3001832e284c963403e0123c8f7e73a809bef8cc521d0b9bc7d63

SHA512
fc744c437e185ded7218d8f8c9fefdf5f821d7d5fc6f007397f12f0475acca2ab853239477b3e994a50e97322ec12a7cf4da092fdedee34557282080458cb80e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
82de3237a1af023edb28e8dfba947cbe

SHA1
3cd21d142022884ecffb0c4ae7558ca37ff57221

SHA256
e191cc88ee6b079d9091a0c01d045d8108c7e5a55e9b53ffea6ab51037b125e0

SHA512
f7cd8a5ef555bf6a3e43981eb02807ee9469058af0a58b7513d7fc7b759a0ae40b80f29f58ead5c479897bac5917dfa606f585ce8a7c3c28a1a88c5c9570cbc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22334faf922af5a6127c4f9bd906e07d

SHA1
8ed4fc8335fedfed7954fe6801fbb92ae5155595

SHA256
6171bb645ad5b5a7df7f89ab167a5c9067eadd93deb354333f38ea4b7a31b035

SHA512
ce56ab2da277b99ccd5c5634b0de7180152c0e3276460ef9365394f26d96eb639465be395978622059cff1b5e0c063c2751ce673d38c27a204e5b44c62aa2c97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
a17a7feb47be5859419368f6f0e8b40c

SHA1
e61f1dcbff448c93e000ee0458023e06f1d257d9

SHA256
4acb423b2cb684d4c1011d87d5471c9726e2f96923e72ceddcb70a5cce5183a4

SHA512
106fe6f435599f1da2efaecef558f1f4155bd13282d674cb3cf3ecd6997b48eabeff09fb0c65d798ccb6529d5250c38553cffcc5b3e19bbebe99fd9e24336ca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188

Filesize
406B

MD5
809622d657b8edb61e3293be5512508c

SHA1
4e3b1f0f80bc88acfce2665c0d9a654942dec672

SHA256
b9eee60bc2a2bd10d9705d668c0b24a4f5e5aaea193d905d57def63f0b49069e

SHA512
b45146ccea790491f7038329ccf47e0aa8be21c25f177f6ae96ab75cbaa5268728a2aaec6ad126d05ceb195c282b018603001ec903271b679a3391713d9c05b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSI2EB1.tmp

Filesize
181KB

MD5
b1298b75b1c09fdbb3906aeec500f066

SHA1
d84b4fe247a47ea7649f75e88791d34a60454f2e

SHA256
826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e

SHA512
2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5

Download Submit
C:\Windows\Installer\f762db5.msi

Filesize
3.0MB

MD5
a1795b41cf04bc3c549896a40cd116f9

SHA1
40268e1facb97e9ae542e9beae0db8b644a1d537

SHA256
c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690

SHA512
ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd

Download Submit