Analysis

  • max time kernel
    1799s
  • max time network
    1559s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 11:10

General

  • Target

    Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi

  • Size

    3.0MB

  • MD5

    a1795b41cf04bc3c549896a40cd116f9

  • SHA1

    40268e1facb97e9ae542e9beae0db8b644a1d537

  • SHA256

    c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690

  • SHA512

    ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd

  • SSDEEP

    98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 20 IoCs
  • Executes dropped EXE 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 8 IoCs
  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2348
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A3A02790F4DC17F3272931CF43D024D7
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:2284
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 89AA8650638E51DD4D96F5858620B2F8 M Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\syswow64\sc.exe
        "sc.exe" config wagent start= auto
        3⤵
        • Launches sc.exe
        PID:780
      • C:\Windows\syswow64\sc.exe
        "sc.exe" start wagent
        3⤵
        • Launches sc.exe
        PID:576
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3008
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000005B8" "00000000000004C4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1824
  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
    "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
      "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1084

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f762db7.rbs

    Filesize

    189KB

    MD5

    b2b86508bf10112e5158e626bdde9407

    SHA1

    a306b1e2fdef53c580982ac89d3328ed104be480

    SHA256

    249147125c4ccc3697a168c7d1934051b34d5a62050b5fc9e0003a13c2107063

    SHA512

    ad8d779ad37f6d886acd4a75e02f09b4054c21732d025c34087003947fd605a9b204437807bd31518f0589e9ad1055601da59bc91252999fb18c128a19b79732

  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe

    Filesize

    6.6MB

    MD5

    8c6a80e02dd88f70e58d89a4891782a5

    SHA1

    a51f91764883d9db6c66021e766476e24fa93d36

    SHA256

    3275792298097a5332447e9f342637de7d856bee34926b1182aa26307bc1bea8

    SHA512

    50f879d480c64db5da402940e93eb69a4bcbd9b568067c7e68c409fab396e648a01562dc5288a5879b5dc961c67014eefa3b7f2bcf5fae50fcc1dcbf81d72b53

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

    Filesize

    834B

    MD5

    a0af4d81b2b19a99a3d01be89d5f99d9

    SHA1

    4725c1a810005f860ede9dace7f1e5a20e5230d6

    SHA256

    de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a

    SHA512

    eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

    Filesize

    5B

    MD5

    5bfa51f3a417b98e7443eca90fc94703

    SHA1

    8c015d80b8a23f780bdd215dc842b0f5551f63bd

    SHA256

    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

    SHA512

    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188

    Filesize

    1KB

    MD5

    4c57191c9667009598b4fb8bc4ce1bfb

    SHA1

    0c348755947ae8ef07e9db6c186fdbe40e813d24

    SHA256

    007d8ccb5ee3001832e284c963403e0123c8f7e73a809bef8cc521d0b9bc7d63

    SHA512

    fc744c437e185ded7218d8f8c9fefdf5f821d7d5fc6f007397f12f0475acca2ab853239477b3e994a50e97322ec12a7cf4da092fdedee34557282080458cb80e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

    Filesize

    180B

    MD5

    82de3237a1af023edb28e8dfba947cbe

    SHA1

    3cd21d142022884ecffb0c4ae7558ca37ff57221

    SHA256

    e191cc88ee6b079d9091a0c01d045d8108c7e5a55e9b53ffea6ab51037b125e0

    SHA512

    f7cd8a5ef555bf6a3e43981eb02807ee9469058af0a58b7513d7fc7b759a0ae40b80f29f58ead5c479897bac5917dfa606f585ce8a7c3c28a1a88c5c9570cbc0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    22334faf922af5a6127c4f9bd906e07d

    SHA1

    8ed4fc8335fedfed7954fe6801fbb92ae5155595

    SHA256

    6171bb645ad5b5a7df7f89ab167a5c9067eadd93deb354333f38ea4b7a31b035

    SHA512

    ce56ab2da277b99ccd5c5634b0de7180152c0e3276460ef9365394f26d96eb639465be395978622059cff1b5e0c063c2751ce673d38c27a204e5b44c62aa2c97

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

    Filesize

    398B

    MD5

    a17a7feb47be5859419368f6f0e8b40c

    SHA1

    e61f1dcbff448c93e000ee0458023e06f1d257d9

    SHA256

    4acb423b2cb684d4c1011d87d5471c9726e2f96923e72ceddcb70a5cce5183a4

    SHA512

    106fe6f435599f1da2efaecef558f1f4155bd13282d674cb3cf3ecd6997b48eabeff09fb0c65d798ccb6529d5250c38553cffcc5b3e19bbebe99fd9e24336ca6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188

    Filesize

    406B

    MD5

    809622d657b8edb61e3293be5512508c

    SHA1

    4e3b1f0f80bc88acfce2665c0d9a654942dec672

    SHA256

    b9eee60bc2a2bd10d9705d668c0b24a4f5e5aaea193d905d57def63f0b49069e

    SHA512

    b45146ccea790491f7038329ccf47e0aa8be21c25f177f6ae96ab75cbaa5268728a2aaec6ad126d05ceb195c282b018603001ec903271b679a3391713d9c05b2

  • C:\Users\Admin\AppData\Local\Temp\TarFC1.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\Installer\MSI2EB1.tmp

    Filesize

    181KB

    MD5

    b1298b75b1c09fdbb3906aeec500f066

    SHA1

    d84b4fe247a47ea7649f75e88791d34a60454f2e

    SHA256

    826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e

    SHA512

    2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5

  • C:\Windows\Installer\f762db5.msi

    Filesize

    3.0MB

    MD5

    a1795b41cf04bc3c549896a40cd116f9

    SHA1

    40268e1facb97e9ae542e9beae0db8b644a1d537

    SHA256

    c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690

    SHA512

    ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd