Analysis

max time kernel: 1798s
max time network: 1730s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-06-2024 11:10

Static task: static1

Behavioral task: behavioral1
Sample: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Resource: win7-20240508-en

Behavioral task: behavioral3
Sample: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Resource: win10v2004-20240226-en

Behavioral task: behavioral4
Sample: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Resource: win11-20240611-en

General

Target: Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi
Size: 3.0MB
MD5: a1795b41cf04bc3c549896a40cd116f9
SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd
SSDEEP: 98304:RK4U6cziwzeb4RrOQJj2OucY5rpm6JcIUH4FIu4FdE:RwdziwaburOQJj2OU7UYFI5LE
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)

flow  pid   Process
2     1524  msiexec.exe
3     1524  msiexec.exe
5     1524  msiexec.exe
6     1524  msiexec.exe

The report gives no destinations for these flows. The CryptnetUrlCache Content and MetaData files listed under Downloads are CryptoAPI's cache for CRL/AIA/OCSP retrievals, so at least part of this traffic is certificate-chain validation performed by msiexec.exe (as happens when an Authenticode-signed package is verified); check the Network tab before treating the flows as sample-specific.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

Every drive letter from A: to Z: except C:, D: and F: appears exactly twice, once for each msiexec.exe process (PIDs 1524 and 5088 both carry this tag in the process tree). That pattern is Windows Installer's own volume enumeration and is seen on practically every MSI install; it is baseline installer behaviour, not something contributed by this package.

description              ioc     Process
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
Drops file in Program Files directory (1 IoC)

description   ioc                                                          Process
File created  C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe  msiexec.exe
Drops file in Windows directory (22 IoCs)

Most of these are standard Windows Installer working files (the cached copy of the package under C:\Windows\Installer, MSI*.tmp extraction files, SystemTemp rollback files, inprogressinstallinfo.ipi, the SourceHash file). Two are worth noting: the wix{...}.SchedServiceConfig.rmi name identifies a WiX toolset custom-action rollback file written by the custom-action host MsiExec.exe, so the package was built with WiX and schedules a service-configuration action, and the write to Framework64\v4.0.30319\ngen.log points to .NET native-image (NGen) activity during the install.

description                   ioc                                                                                   Process
File created                  C:\Windows\Installer\e578983.msi                                                      msiexec.exe
File opened for modification  C:\Windows\Installer\e578983.msi                                                      msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log                              msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8A5F.tmp                                                      msiexec.exe
File created                  C:\Windows\Installer\e578985.msi                                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8B6B.tmp                                                      msiexec.exe
File created                  C:\Windows\Installer\wix{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}.SchedServiceConfig.rmi  MsiExec.exe
File opened for modification  C:\Windows\Installer\MSI8C0A.tmp                                                      msiexec.exe
File created                  C:\Windows\Installer\inprogressinstallinfo.ipi                                        msiexec.exe
File created                  C:\Windows\SystemTemp\~DFA5F98A994AA73FC2.TMP                                         msiexec.exe
File created                  C:\Windows\SystemTemp\~DF019DB8E4672F7C0C.TMP                                         msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8A4E.tmp                                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8AFD.tmp                                                      msiexec.exe
File opened for modification  C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico           msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8BAB.tmp                                                      msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8E3D.tmp                                                      msiexec.exe
File created                  C:\Windows\SystemTemp\~DF8A59312B13E6A5A3.TMP                                         msiexec.exe
File created                  C:\Windows\SystemTemp\~DF07DA56E2A048D0B0.TMP                                         msiexec.exe
File opened for modification  C:\Windows\Installer\                                                                 msiexec.exe
File created                  C:\Windows\Installer\SourceHash{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}                 msiexec.exe
File opened for modification  C:\Windows\Installer\MSI8ACD.tmp                                                      msiexec.exe
File created                  C:\Windows\Installer\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\ProductIcon.ico           msiexec.exe
Executes dropped EXE (2 IoCs)

pid   Process
2876  WAgent.exe
4156  WAgent.exe
Launches sc.exe (2 IoCs)
sc.exe is the Windows utility for controlling services. Both invocations are children of the MSI custom-action host (MsiExec.exe -Embedding, PID 4516) and target the service "wagent": "config wagent start= auto" sets it to auto-start and "start wagent" starts it immediately. The WAgent.exe -S process (PID 2876) that then appears with no parent in the process tree is consistent with the Service Control Manager launching that service.

pid   Process
2572  sc.exe
3548  sc.exe
Loads dropped DLL (7 IoCs)

pid   Process
2352  MsiExec.exe
2352  MsiExec.exe
4516  MsiExec.exe
4516  MsiExec.exe
4516  MsiExec.exe
4516  MsiExec.exe
2352  MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here, however, every entry is attributed to vssvc.exe, the Windows Volume Shadow Copy service, and the values written are Partmgr\PartitionTableCache and Partmgr\SnapshotDataCache, i.e. the snapshot bookkeeping VSS performs while srtasks.exe creates the pre-install restore point (see the process tree). Nothing in this table shows the sample itself reading disk vendor or model strings, so this signature should not be read as anti-sandbox behaviour.

description       ioc                                                                                                                                              Process
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                               vssvc.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters                               vssvc.exe
Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr                       vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary data not captured)  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Modifies data under HKEY_USERS (3 IoCs)

description  ioc                                                                                   Process
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E           msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a                    msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b                    msiexec.exe
Modifies registry class (24 IoCs)

These are the per-machine Windows Installer product registration keys. The 32-character key names are "squished" GUIDs: 34CAC2D408B29E64D84FFCFBCB0930D9 is the product code {4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D} that also appears in the ProductIcon path, and CD82034C7BF8A014FAACB9E7D2223859 is the package's upgrade code in the same encoding.

description       ioc                                                                                                                   Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9                                 msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Version = "51838989"            msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\DeploymentFlags = "3"           msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media                msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductName = "Netsweeper Workstation Agent"  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859                             msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList                      msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\PackageName = "Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Clients = 3a0000000000          msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Media\1 = ";"        msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\CM_C_WAgent = "ProductFeature"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Language = "1033"               msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AdvertiseFlags = "388"          msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\ProductIcon = "C:\\Windows\\Installer\\{4D2CAC43-2B80-46E9-8DF4-CFBFBC90039D}\\ProductIcon.ico"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\InstanceType = "0"              msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859\34CAC2D408B29E64D84FFCFBCB0930D9  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\SourceList\Net                  msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\ProductFeature                  msiexec.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9                                 msiexec.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\PackageCode = "40C6AE0483584624EB88E5E90F57CB91"  msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Assignment = "1"                msiexec.exe
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\AuthorizedLUAApp = "0"          msiexec.exe
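When correlating these keys with the product GUID in the file paths, or with an inventory of installed products, you need to convert between the 32-character "squished" form and the normal GUID, and to unpack the Version integer. The following is an added example, not part of the sandbox report and not code from the product being installed; the encoding rules are Windows Installer's documented ones (first three GUID fields string-reversed, last two byte-swapped; ProductVersion packed as major<<24 | minor<<16 | build), and the only inputs are the key names and values shown in the table above. The registry paths in REPORT_PATHS are constructed from that table.

```python
"""Decode Windows Installer registry artifacts: squished GUID key names under
HKLM\\SOFTWARE\\Classes\\Installer and the packed ProductVersion DWORD."""
from __future__ import annotations

import re


def _swap_pairs(s: str) -> str:
    """Swap every two adjacent hex characters: 'CFBF' -> 'FCFB'."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def squish_guid(guid: str) -> str:
    """{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} -> 32-hex compressed GUID.
    Fields 1-3 are reversed as strings; fields 4-5 are byte-swapped."""
    f = guid.strip("{}").upper().split("-")
    if [len(x) for x in f] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid!r}")
    return f[0][::-1] + f[1][::-1] + f[2][::-1] + _swap_pairs(f[3]) + _swap_pairs(f[4])


def unsquish_guid(s: str) -> str:
    """Inverse of squish_guid: 32-hex key name -> braced GUID."""
    s = s.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a squished GUID: {s!r}")
    return "{%s-%s-%s-%s-%s}" % (
        s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
        _swap_pairs(s[16:20]), _swap_pairs(s[20:32]),
    )


def decode_product_version(packed: int) -> tuple[int, int, int]:
    """MSI stores ProductVersion as (major << 24) | (minor << 16) | build."""
    return (packed >> 24) & 0xFF, (packed >> 16) & 0xFF, packed & 0xFFFF


# Key name directly under Products\, Features\ or UpgradeCodes\ is a squished code.
_SQUISHED_KEY = re.compile(
    r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-Fa-f]{32})"
)


def resolve_installer_keys(paths: list[str]) -> dict[str, dict[str, str]]:
    """Map every squished code seen in the registry paths to its GUID,
    grouped by the Installer subkey it lives under."""
    out: dict[str, dict[str, str]] = {}
    for path in paths:
        for table, code in _SQUISHED_KEY.findall(path):
            out.setdefault(table, {})[code.upper()] = unsquish_guid(code)
    return out


# Constructed from the "Modifies registry class" table above.
REPORT_PATHS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\34CAC2D408B29E64D84FFCFBCB0930D9\Version",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\34CAC2D408B29E64D84FFCFBCB0930D9\CM_C_WAgent",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CD82034C7BF8A014FAACB9E7D2223859",
]
REPORT_VERSION = 51838989  # Products\...\Version from the table


if __name__ == "__main__":
    for table, codes in resolve_installer_keys(REPORT_PATHS).items():
        for code, guid in codes.items():
            print(f"{table:<13} {code} -> {guid}")
    print("ProductVersion", decode_product_version(REPORT_VERSION))
```

Running this resolves the Products and Features keys to the product code that appears in the ProductIcon path, which is a useful self-check that the decoder is right before applying it to the UpgradeCodes key, and unpacks Version 51838989 to 3.23.13, matching the file name of the package.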
Suspicious behavior: EnumeratesProcesses (6 IoCs)

pid   Process
2352  MsiExec.exe
2352  MsiExec.exe
4516  MsiExec.exe
4516  MsiExec.exe
2876  WAgent.exe
2876  WAgent.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description                              pid   Process
Token: SeShutdownPrivilege               1524  msiexec.exe
Token: SeIncreaseQuotaPrivilege          1524  msiexec.exe
Token: SeSecurityPrivilege               5088  msiexec.exe
Token: SeCreateTokenPrivilege            1524  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege     1524  msiexec.exe
Token: SeLockMemoryPrivilege             1524  msiexec.exe
Token: SeIncreaseQuotaPrivilege          1524  msiexec.exe
Token: SeMachineAccountPrivilege         1524  msiexec.exe
Token: SeTcbPrivilege                    1524  msiexec.exe
Token: SeSecurityPrivilege               1524  msiexec.exe
Token: SeTakeOwnershipPrivilege          1524  msiexec.exe
Token: SeLoadDriverPrivilege             1524  msiexec.exe
Token: SeSystemProfilePrivilege          1524  msiexec.exe
Token: SeSystemtimePrivilege             1524  msiexec.exe
Token: SeProfSingleProcessPrivilege      1524  msiexec.exe
Token: SeIncBasePriorityPrivilege        1524  msiexec.exe
Token: SeCreatePagefilePrivilege         1524  msiexec.exe
Token: SeCreatePermanentPrivilege        1524  msiexec.exe
Token: SeBackupPrivilege                 1524  msiexec.exe
Token: SeRestorePrivilege                1524  msiexec.exe
Token: SeShutdownPrivilege               1524  msiexec.exe
Token: SeDebugPrivilege                  1524  msiexec.exe
Token: SeAuditPrivilege                  1524  msiexec.exe
Token: SeSystemEnvironmentPrivilege      1524  msiexec.exe
Token: SeChangeNotifyPrivilege           1524  msiexec.exe
Token: SeRemoteShutdownPrivilege         1524  msiexec.exe
Token: SeUndockPrivilege                 1524  msiexec.exe
Token: SeSyncAgentPrivilege              1524  msiexec.exe
Token: SeEnableDelegationPrivilege       1524  msiexec.exe
Token: SeManageVolumePrivilege           1524  msiexec.exe
Token: SeImpersonatePrivilege            1524  msiexec.exe
Token: SeCreateGlobalPrivilege           1524  msiexec.exe
Token: SeBackupPrivilege                 1456  vssvc.exe
Token: SeRestorePrivilege                1456  vssvc.exe
Token: SeAuditPrivilege                  1456  vssvc.exe
Token: SeBackupPrivilege                 5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeShutdownPrivilege               4516  MsiExec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Token: SeRestorePrivilege                5088  msiexec.exe
Token: SeTakeOwnershipPrivilege          5088  msiexec.exe
Suspicious use of FindShellTrayWindow (64 IoCs)

pid   Process      count
1524  msiexec.exe  2
4156  WAgent.exe   62
Suspicious use of SendNotifyMessage (64 IoCs)

pid   Process     count
4156  WAgent.exe  64
Suspicious use of SetWindowsHookEx (2 IoCs)

pid   Process
4156  WAgent.exe
4156  WAgent.exe
Suspicious use of WriteProcessMemory (17 IoCs)

description                       pid   Process      procid_target  count
PID 5088 wrote to memory of 3480  5088  msiexec.exe  87             2
PID 5088 wrote to memory of 2352  5088  msiexec.exe  89             3
PID 5088 wrote to memory of 4516  5088  msiexec.exe  90             3
PID 4516 wrote to memory of 2572  4516  MsiExec.exe  91             3
PID 4516 wrote to memory of 3548  4516  MsiExec.exe  93             3
PID 2876 wrote to memory of 4156  2876  WAgent.exe   97             3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run it is exercised through srtasks.exe ExecuteScopeRestorePoint (PID 3480, a child of the Windows Installer service process msiexec.exe /V), which is the restore point Windows Installer creates before a per-machine install; the vssvc.exe activity and its SeBackupPrivilege/SeRestorePrivilege use elsewhere in this report trace back to that, not to code in the package.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1524

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 5088

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3480

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2E5A4C01BADB6A5956CD7212AA2B44E1
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID: 2352

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 0F58E9EFAAE92E9724D32068E67255AF E Global\MSI0000
      - Drops file in Windows directory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4516

        C:\Windows\SysWOW64\sc.exe
          Command line: "sc.exe" config wagent start= auto
          - Launches sc.exe
          PID: 2572

        C:\Windows\SysWOW64\sc.exe
          Command line: "sc.exe" start wagent
          - Launches sc.exe
          PID: 3548

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 1456

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  PID: 2544

C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
  Command line: "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2876

    C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe
      Command line: "C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -g f3f1247d3986ab1c0db2e04ed8dcd85c -L 0861e0489a298d8c3b60a115376439dc -t 1800 -i -l -v -F -a -A -s BB4_ -D 850_3124
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 4156
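The interesting chain in this tree is not the installer itself but what the custom-action host does: MsiExec.exe -Embedding (PID 4516) spawns sc.exe twice to register and start a service, and the dropped WAgent.exe then appears as a top-level process, which in a sandbox tree is what a service launched by the Service Control Manager looks like. The following is an added example, not part of the sandbox report and not the product's code, showing how to reconstruct that lineage from process-creation records and turn it into a detection: flag any sc.exe service-modifying verb whose ancestry passes through an MSI custom-action host, and list unparented processes running outside C:\Windows. The events are constructed from the PIDs, images and command lines in this report (parent links follow the "wrote to memory of" table); the WAgent.exe arguments are abbreviated. The top-level msiexec.exe /I and msiexec.exe /V are unparented here because the Windows Installer service is started by the SCM and the hand-off from the user-mode msiexec.exe to it goes over RPC rather than CreateProcess.

```python
"""Reconstruct process lineage from sandbox process-creation records and flag
service registration performed from a Windows Installer custom-action host."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None: no parent visible in the report (e.g. SCM-launched)
    image: str
    cmdline: str


# Constructed from this report's process tree. WAgent.exe arguments abbreviated.
EVENTS = [
    Proc(1524, None, r"C:\Windows\system32\msiexec.exe",
         r'msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Broadband4 Workstation Agent 3.23.13.13 - 850_3124.msi"'),
    Proc(5088, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(3480, 5088, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Proc(2352, 5088, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 2E5A4C01BADB6A5956CD7212AA2B44E1"),
    Proc(4516, 5088, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 0F58E9EFAAE92E9724D32068E67255AF E Global\MSI0000"),
    Proc(2572, 4516, r"C:\Windows\SysWOW64\sc.exe", r'"sc.exe" config wagent start= auto'),
    Proc(3548, 4516, r"C:\Windows\SysWOW64\sc.exe", r'"sc.exe" start wagent'),
    Proc(2876, None, r"C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe",
         r'"C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -S -w nsw-user-auth-win-3-23-13.broadband4.co.uk -t 1800'),
    Proc(4156, 2876, r"C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe",
         r'"C:\Program Files (x86)\Netsweeper WorkStation Agent\WAgent.exe" -w nsw-user-auth-win-3-23-13.broadband4.co.uk -t 1800'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# sc.exe verbs that create, reconfigure or start a service.
SC_SERVICE_VERBS = {"create", "config", "start", "failure", "sdset", "description"}


def argv(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def index(events: list[Proc]) -> dict[int, Proc]:
    return {p.pid: p for p in events}


def ancestors(pid: int, procs: dict[int, Proc]) -> list[Proc]:
    """Parent chain from nearest to root; stops at a missing or cyclic parent."""
    chain: list[Proc] = []
    seen = {pid}
    p = procs.get(pid)
    while p is not None and p.ppid is not None and p.ppid not in seen:
        seen.add(p.ppid)
        p = procs.get(p.ppid)
        if p is not None:
            chain.append(p)
    return chain


def is_msi_custom_action_host(p: Proc) -> bool:
    return p.image.lower().endswith("\\msiexec.exe") and "-embedding" in p.cmdline.lower()


def find_msi_service_installs(events: list[Proc]) -> list[dict]:
    """sc.exe service verbs whose ancestry passes through MsiExec.exe -Embedding."""
    procs = index(events)
    findings = []
    for p in events:
        if not p.image.lower().endswith("\\sc.exe"):
            continue
        rest = argv(p.cmdline)[1:]
        if rest and rest[0].startswith("\\\\"):   # sc.exe [\\server] verb service ...
            rest = rest[1:]
        if len(rest) < 2 or rest[0].lower() not in SC_SERVICE_VERBS:
            continue
        chain = ancestors(p.pid, procs)
        host = next((a for a in chain if is_msi_custom_action_host(a)), None)
        if host is None:
            continue
        findings.append({"pid": p.pid, "verb": rest[0].lower(), "service": rest[1],
                         "host_pid": host.pid, "root_pid": chain[-1].pid})
    return findings


def unparented_non_system(events: list[Proc]) -> list[Proc]:
    """Top-level processes outside C:\\Windows: in a sandbox tree these are
    typically services launched by the SCM (here the dropped WAgent.exe)."""
    return [p for p in events
            if p.ppid is None and not p.image.lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    for f in find_msi_service_installs(EVENTS):
        print(f"sc.exe {f['verb']} {f['service']} (pid {f['pid']}) via custom-action host "
              f"pid {f['host_pid']}, root pid {f['root_pid']}")
    for p in unparented_non_system(EVENTS):
        print(f"unparented non-system process: pid {p.pid} {p.image}")
```

Against the events above this reports both sc.exe invocations (config and start of "wagent") as originating from PID 4516 under the installer service PID 5088, and lists PID 2876 as the unparented non-system process, which is the link between "sc.exe start wagent" and the service binary now running from Program Files.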
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 189KB
MD5: 9dec1e9b7cdfaf5882b1c8bc1b008dc7
SHA1: 102f0c7a434d9367860203421a6f38a820ae1812
SHA256: f06f713cb0bda5ba098635ac1b2ba56cb6b9f397dfcace6a69b7ff9db267f7c5
SHA512: 31095b6f663417d9a04cc271830f90c64e662ece7d9a4486db09ff11f367137886e63d2ce430611779a5b7fa1f2e8d71cd430e5859bf14e832406fc0375f684a

Filesize: 6.6MB
MD5: 8c6a80e02dd88f70e58d89a4891782a5
SHA1: a51f91764883d9db6c66021e766476e24fa93d36
SHA256: 3275792298097a5332447e9f342637de7d856bee34926b1182aa26307bc1bea8
SHA512: 50f879d480c64db5da402940e93eb69a4bcbd9b568067c7e68c409fab396e648a01562dc5288a5879b5dc961c67014eefa3b7f2bcf5fae50fcc1dcbf81d72b53

Filesize: 834B
MD5: a0af4d81b2b19a99a3d01be89d5f99d9
SHA1: 4725c1a810005f860ede9dace7f1e5a20e5230d6
SHA256: de9f05ceb1610cf9964f0def09d525005569602993c82a647743f192e9414d4a
SHA512: eb98d475d51d07b929d92fe5aa00bfa21078f567906f3650eb3bebfff39c616a21918da8f0687853310acebdb160d4f65451204619a7b8085fbbc25491bb0554

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize: 5B
MD5: 5bfa51f3a417b98e7443eca90fc94703
SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
Filesize: 1KB
MD5: 4c57191c9667009598b4fb8bc4ce1bfb
SHA1: 0c348755947ae8ef07e9db6c186fdbe40e813d24
SHA256: 007d8ccb5ee3001832e284c963403e0123c8f7e73a809bef8cc521d0b9bc7d63
SHA512: fc744c437e185ded7218d8f8c9fefdf5f821d7d5fc6f007397f12f0475acca2ab853239477b3e994a50e97322ec12a7cf4da092fdedee34557282080458cb80e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB
Filesize: 180B
MD5: d8ea40e6135620b08df671ce75ec74c4
SHA1: 849426dc04adedd5820503ec3ad889a65460ef98
SHA256: 2503ef720de5845164cebd9a1d0d0a23ec242948182c749fae586d4b879a2049
SHA512: 89e7d38656671aa622af579573f5fad32076d897e87521b707b1d466e56aa469070e393814a149c23c78dcb61f0b3f6031a3c9fbc927fa3d21d1b0d0b48c46eb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
Filesize: 398B
MD5: c98b813605c0f7ae70ea71f75aa162b4
SHA1: 3b08797fd138df1a2640f06a55f8180bc9265abc
SHA256: 78dbca0f2abd532a0985b05f9c090f311c732d91b505e9e71fd5e7a4ca6e5187
SHA512: 5e0ee3b81186a94d3f52db0d0e217cac87c9fb2daf1d77f7c8ae20c5a248377e05610960410c0d91965f8832af2d1bd655efd2dd4f949cc266ea73a079f5c0bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BF30C13052A27490F85D7F6C00189188
Filesize: 406B
MD5: b93c15cb6aa1516f12e31aff6d01e270
SHA1: fcf2902ce3f613f64d32f53e1e586b7df1da4b5d
SHA256: ca6eef4641c338524e2bed379df0e654b7ac62bb746448800cb5ef9797890c65
SHA512: ca68e1889a40c1f0d8418eeb3a641d1a784d4e964a7ca32082d682914f33280b513b6d73afe20115ecd63b71973587a947868b903d536e174c622b7e7ce1aba7

Filesize: 181KB
MD5: b1298b75b1c09fdbb3906aeec500f066
SHA1: d84b4fe247a47ea7649f75e88791d34a60454f2e
SHA256: 826289b33e9046fd86c559ac3c888129451534bfb2f31fa264d0c62760e0e35e
SHA512: 2359518d0c5a19123b3491143d20f453e09d973323863b51b917434a5989790f0aad47ac41fb142ab5aceed973ad924392f7efa7244a17d2374d262cc2b8fac5

Filesize: 3.0MB (hashes identical to the submitted sample)
MD5: a1795b41cf04bc3c549896a40cd116f9
SHA1: 40268e1facb97e9ae542e9beae0db8b644a1d537
SHA256: c533e6eb9fef83338af394ef5043870ce8319b6eaa5e9799dcf62e2692354690
SHA512: ff1d62c1dd0bdc0cf18e0a3f03f12e6971c951e327be24bf81f0efc87c061c6b58958493584092456f52e80ad25e4caf7c5fbab7915116df95384edc305203fd

Filesize: 12.8MB
MD5: be0030aeba1fe52e91698b8486595521
SHA1: af7e97c059de3288251232c5f7be1b21a8c79792
SHA256: 0edba2a6be2f1b3f7c2eca6a55e0534d898884892f752b4e39c61789dd82b40e
SHA512: 72922dfda2da46abb6f01d15e69e53fa8e77c789e03e354a135c4a515356604cfef7389998cc0b0d595394e2ca689ade3a91f832b4959550e50c998551004c5c

\??\Volume{28a24d03-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3999f883-1d53-48c8-a42b-22d67ab8f5c0}_OnDiskSnapshotProp
Filesize: 6KB
MD5: dcb76290e45343a349786a83290da17f
SHA1: d17b28b127f058de4e31e39a56bc5b44b67be6c5
SHA256: 6c1b1c4f13890132e9c3c1d06c943cd19ffb62dbfeb81bc2b562c6b4d1f98f28
SHA512: df4b19b6457d187d2ba274090a15ab0c749ccb6367ab5b114646da608be5299adffe66271141b10f716ed3f1e26031e28b937d4eebe9193e20e54d13a4f98882