Analysis

  • max time kernel
    1801s
  • max time network
    1802s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-06-2024 11:10

General

  • Target
    Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
  • Size
    3.0MB
  • MD5
    a1795b41cf04bc3c549896a40cd116f9
  • SHA1
    40268e1facb97e9ae542e9beae0db8b644a1d537
  • SHA256
    c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
  • SHA512
    ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
  • SSDEEP
    98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE

Score
6/10

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:5076
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7579AAF8C21794B530BF16C80AF3193F
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      PID:620
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C7541F91F234EDA50336ED6A5E7C0660 E Global\MSI0000
      2⤵
      • Drops file in Windows directory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:944
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" config wagent start= auto
        3⤵
        • Launches sc.exe
        PID:4376
      • C:\Windows\SysWOW64\sc.exe
        "sc.exe" start wagent
        3⤵
        • Launches sc.exe
        PID:2164
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:5000
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4472
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
    1⤵
    PID:4352
  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
    "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
      "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5012 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:4904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e596f99.rbs
    Filesize: 189KB
    MD5: 3bbcb4cde86fd0710d40310bbde2ca94
    SHA1: d49eec0fe4434f29bc12e28093c531fdba9b9824
    SHA256: edff485bae3405f8bd94cfc0b666a1ef1b1eeb05d0dc4841eba9ae76c76c1059
    SHA512: 1cd7648168be652dd01c08d9b63ce07e9a78d4ea66335e67e5f324d6dde11576b73e2a1bb62678600d08c046de276fde78ccb5c3f620a80953941e6765d2c186
  • C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
    Filesize: 6.6MB
    MD5: 8c6a80e02dd88f70e58d89a4891782a5
    SHA1: a51f91764883d9db6c66021e766476e24fa93d36
    SHA256: 3275792298097a5332447e9f342637de7d856bee34926b1182aa26307bc1bea8
    SHA512: 50f879d480c64db5da402940e93eb69a4bcbd9b568067c7e68c409fab396e648a01562dc5288a5879b5dc961c67014eefa3b7f2bcf5fae50fcc1dcbf81d72b53
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB
    Filesize: 834B
    MD5: a0af4d81b2b19a99a3d01be89d5f99d9
    SHA1: 4725c1a810005f860ede9dace7f1e5a20e5230d6
    SHA256: de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a
    SHA512: eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 5B
    MD5: 5bfa51f3a417b98e7443eca90fc94703
    SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
    SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
    SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
    Filesize: 1KB
    MD5: 4c57191c9667009598b4fb8bc4ce1bfb
    SHA1: 0c348755947ae8ef07e9db6c186fdbe40e813d24
    SHA256: 007d8ccb5ee3001832e284c963403e0123c8f7e73a809bef8cc521d0b9bc7d63
    SHA512: fc744c437e185ded7218d8f8c9fefdf5f821d7d5fc6f007397f12f0475acca2ab853239477b3e994a50e97322ec12a7cf4da092fdedee34557282080458cb80e
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
    Filesize: 180B
    MD5: beeb91338a992799ce43ec91a1c01321
    SHA1: 49aa44d47060443119655e0509146f38fe2aa29e
    SHA256: 83966089fc9c178c889f13bb701a6972576bf5ac06271b23bf038b82eaf39676
    SHA512: 7071c7dab5f2527d8654e06f47c8aec94f205971319c4ef38e872f24fef33309f1794d25909fed693c4e64e54246700d52141d8812c3558be3a98e23a788d2c5
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
    Filesize: 398B
    MD5: de92949c32cbc85d8b320f5a20432cf8
    SHA1: 65c6bd4d49b9705142052df354ea5061624a7ff4
    SHA256: dce9e07265055301c11c913252b9177047bce2b3a3f1a2a14756e242b042dca5
    SHA512: 5a07ddcf2fe7508788461cf9e8e776c923966369ce268f82160a3f490555ab6a7181215134cc838cf4dfadb5bae5cb22e4655f88253024366a0fb4fb25376b93
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
    Filesize: 406B
    MD5: 01bd0524c0ed8997028c7cda7be7ffe9
    SHA1: dd6bc55d7145407f9401fabe3de94d5c2c81a896
    SHA256: 779dee3bddf5825dfdea996c0e9748c4aea0cd69e1b9e2ec0c5f3aa7aa023f44
    SHA512: 7bd20f4fb7f68fbd89c97d369de51fdaa3dc91ca436b137c9d71ea3b910d07baefd95f27b1cfc44c08ea50278541a811217db28cd549b461f240dec29028f557
  • C:\Windows\Installer\MSI8B6E.tmp
    Filesize: 181KB
    MD5: b1298b75b1c09fdbb3906aeec500f066
    SHA1: d84b4fe247a47ea7649f75e88791d34a60454f2e
    SHA256: 826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e
    SHA512: 2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5
  • C:\Windows\Installer\e596f98.msi
    Filesize: 3.0MB
    MD5: a1795b41cf04bc3c549896a40cd116f9
    SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
    SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
    SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: 170b2ccdd74a3b46729ee416fb9bb658
    SHA1: 14deaa3e8e1280bb8242b7fc1fd0c23904638527
    SHA256: 861d678db884c91d64f07524f726eb28a2acc2701d748fa5c8013c9afe3ae5fb
    SHA512: 032a5b4f8d762c2a1556353553ad874ee881b802274d7139a1ae3532046daeb68233e5bc1ab9d97245c45014946b0a3a3e32b58b5aaa9a63857ba5e18ce2b0fd
  • \??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d8b3476-df7b-4e6e-ac11-9380e921631a}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: b87d81b57a30a1e2472c637a15e28e1d
    SHA1: e0e7192898901d14c6c7951c6307ba4c932404a3
    SHA256: c752516c94af3f31ce3e9967ad47c8862ec915c983615243ed6539e80e19f795
    SHA512: 974250e92c3780367cf53e49da7f34ebd53af75f5a999b028321a372ab15fce7806654c57bf98a0cea420e811de62d6453463c1e8964d63bce5217a717cec4bd