Overview (score 6)
Static (score 3)

Tasks (sample, platform, score):
9b2a6fe00e...cs.exe    windows7-x64         3
9b2a6fe00e...cs.exe    windows10-2004-x64   3
$PLUGINSDI...em.dll    windows7-x64         3
$PLUGINSDI...em.dll    windows10-2004-x64   3
$PLUGINSDI...sc.dll    windows7-x64         3
$PLUGINSDI...sc.dll    windows10-2004-x64   3
$PLUGINSDI...gs.dll    windows7-x64         3
$PLUGINSDI...gs.dll    windows10-2004-x64   3
BC DP Mete...l.html    windows7-x64         1
BC DP Mete...l.html    windows10-2004-x64   1
BC DP Mete...o).dll    windows7-x64         1
BC DP Mete...o).dll    windows10-2004-x64   1
BC DP Mete...l.html    windows7-x64         1
BC DP Mete...l.html    windows10-2004-x64   1
BC DP Mete...l.html    windows7-x64         1
BC DP Mete...l.html    windows10-2004-x64   1
BlueCatDPM...st.exe    windows7-x64         6
BlueCatDPM...st.exe    windows10-2004-x64   6
$TEMP/vcre...7}.msi    windows7-x64         6
$TEMP/vcre...7}.msi    windows10-2004-x64   6

Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 28/06/2024, 13:57
Static task: static1

Behavioral tasks (task, sample, resource):
behavioral1    9b2a6fe00e3443378c0a5aad4b69966ee66535645c0493479a683f58a8df7fbf_NeikiAnalytics.exe    win7-20240508-en
behavioral2    9b2a6fe00e3443378c0a5aad4b69966ee66535645c0493479a683f58a8df7fbf_NeikiAnalytics.exe    win10v2004-20240508-en
behavioral3    $PLUGINSDIR/System.dll    win7-20240508-en
behavioral4    $PLUGINSDIR/System.dll    win10v2004-20240226-en
behavioral5    $PLUGINSDIR/cpudesc.dll    win7-20240611-en
behavioral6    $PLUGINSDIR/cpudesc.dll    win10v2004-20240508-en
behavioral7    $PLUGINSDIR/nsDialogs.dll    win7-20240508-en
behavioral8    $PLUGINSDIR/nsDialogs.dll    win10v2004-20240508-en
behavioral9    BC DP Meter Pro 4 VST(Mono) data/manual.html    win7-20240221-en
behavioral10   BC DP Meter Pro 4 VST(Mono) data/manual.html    win10v2004-20240611-en
behavioral11   BC DP Meter Pro 4 VST(Mono).dll    win7-20240611-en
behavioral12   BC DP Meter Pro 4 VST(Mono).dll    win10v2004-20240611-en
behavioral13   BC DP Meter Pro 4 VST(Srnd) data/manual.html    win7-20240221-en
behavioral14   BC DP Meter Pro 4 VST(Srnd) data/manual.html    win10v2004-20240508-en
behavioral15   BC DP Meter Pro 4 VST(Stereo) data/manual.html    win7-20231129-en
behavioral16   BC DP Meter Pro 4 VST(Stereo) data/manual.html    win10v2004-20240611-en
behavioral17   BlueCatDPMeterPro_vcredist.exe    win7-20240611-en
behavioral18   BlueCatDPMeterPro_vcredist.exe    win10v2004-20240611-en
behavioral19   $TEMP/vcredist-x86.11.0.61030-{1614CF08-F55E-44A6-977E-1E96E55946B7}.msi    win7-20240221-en
behavioral20   $TEMP/vcredist-x86.11.0.61030-{1614CF08-F55E-44A6-977E-1E96E55946B7}.msi    win10v2004-20240508-en
General
Target: BlueCatDPMeterPro_vcredist.exe
Size: 769KB
MD5: c6cefeab592fd289a71b1891e920fbdc
SHA1: 99a15aee36176de11e70fae62392efb0089e838e
SHA256: ed8bf8887a46f032e078d46399eba8433e6f7cf3f39b10aacfd43e398bc385dd
SHA512: f8039b20d64ead941b88efc9c5e79fb9ee143de9aa466f1a01476089ef91cc4ddf25fadad856834d77db9b3dfdcb84d469a823eae47deef099ee1cf59f7e7b9b
SSDEEP: 24576:71Qr0sqpWXL1Falk+XgQnDUo1uJ60A/iL8Kff3/Vx:RQr0NEpIlkDQnDUoU8YLbfvNx
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only)  \??\Q:  msiexec.exe
- File opened (read-only)  \??\R:  msiexec.exe
- File opened (read-only)  \??\T:  msiexec.exe
- File opened (read-only)  \??\V:  msiexec.exe
- File opened (read-only)  \??\Z:  msiexec.exe
- File opened (read-only)  \??\A:  msiexec.exe
- File opened (read-only)  \??\H:  msiexec.exe
- File opened (read-only)  \??\J:  msiexec.exe
- File opened (read-only)  \??\K:  msiexec.exe
- File opened (read-only)  \??\N:  msiexec.exe
- File opened (read-only)  \??\S:  msiexec.exe
- File opened (read-only)  \??\W:  msiexec.exe
- File opened (read-only)  \??\X:  msiexec.exe
- File opened (read-only)  \??\B:  msiexec.exe
- File opened (read-only)  \??\E:  msiexec.exe
- File opened (read-only)  \??\G:  msiexec.exe
- File opened (read-only)  \??\M:  msiexec.exe
- File opened (read-only)  \??\O:  msiexec.exe
- File opened (read-only)  \??\U:  msiexec.exe
- File opened (read-only)  \??\Y:  msiexec.exe
- File opened (read-only)  \??\I:  msiexec.exe
- File opened (read-only)  \??\L:  msiexec.exe
- File opened (read-only)  \??\P:  msiexec.exe

Drops file in System32 directory (3 IoCs)
description / ioc / Process:
- File opened for modification  C:\Windows\SysWOW64\msvcp110.dll  msiexec.exe
- File opened for modification  C:\Windows\SysWOW64\vccorlib110.dll  msiexec.exe
- File opened for modification  C:\Windows\SysWOW64\msvcr110.dll  msiexec.exe

Drops file in Windows directory (7 IoCs)
description / ioc / Process:
- File opened for modification  C:\Windows\Installer\MSI274F.tmp  msiexec.exe
- File created  C:\Windows\Installer\f7625ed.msi  msiexec.exe
- File opened for modification  C:\Windows\Installer\f7625eb.ipi  msiexec.exe
- File created  C:\Windows\Installer\f7625e8.msi  msiexec.exe
- File opened for modification  C:\Windows\Installer\f7625e8.msi  msiexec.exe
- File created  C:\Windows\Installer\f7625eb.ipi  msiexec.exe
- File opened for modification  C:\Windows\Installer\  msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (3 IoCs)
description / ioc / Process:
- Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E  msiexec.exe
- Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D  msiexec.exe
- Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E  msiexec.exe

Modifies registry class (22 IoCs)
description / ioc / Process:
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E80156F27FD89B74E8CC94DBB34CA7BA  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\PackageCode = "D25D49863DEE45A4AA5AFD6AED568F6E"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\Language = "0"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\AdvertiseFlags = "388"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E80156F27FD89B74E8CC94DBB34CA7BA\DefaultFeature  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\ProductName = "Microsoft Visual C++ 2012 Prerequisites (x86)"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\AuthorizedLUAApp = "0"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\Media\1 = ";"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\Version = "184610406"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\Assignment = "1"  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\DeploymentFlags = "3"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DE0858A3D1093994993A04C12AFE0CDF\E80156F27FD89B74E8CC94DBB34CA7BA  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\Net  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\Media  msiexec.exe
- Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\InstanceType = "0"  msiexec.exe
- Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DE0858A3D1093994993A04C12AFE0CDF  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\PackageName = "vcredist-x86.11.0.61030-{1614CF08-F55E-44A6-977E-1E96E55946B7}.msi"  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
- Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\Clients = 3a0000000000  msiexec.exe
- Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E80156F27FD89B74E8CC94DBB34CA7BA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
- 1980  msiexec.exe
- 1980  msiexec.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process:
- Token: SeShutdownPrivilege  2056  msiexec.exe
- Token: SeIncreaseQuotaPrivilege  2056  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeSecurityPrivilege  1980  msiexec.exe
- Token: SeCreateTokenPrivilege  2056  msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege  2056  msiexec.exe
- Token: SeLockMemoryPrivilege  2056  msiexec.exe
- Token: SeIncreaseQuotaPrivilege  2056  msiexec.exe
- Token: SeMachineAccountPrivilege  2056  msiexec.exe
- Token: SeTcbPrivilege  2056  msiexec.exe
- Token: SeSecurityPrivilege  2056  msiexec.exe
- Token: SeTakeOwnershipPrivilege  2056  msiexec.exe
- Token: SeLoadDriverPrivilege  2056  msiexec.exe
- Token: SeSystemProfilePrivilege  2056  msiexec.exe
- Token: SeSystemtimePrivilege  2056  msiexec.exe
- Token: SeProfSingleProcessPrivilege  2056  msiexec.exe
- Token: SeIncBasePriorityPrivilege  2056  msiexec.exe
- Token: SeCreatePagefilePrivilege  2056  msiexec.exe
- Token: SeCreatePermanentPrivilege  2056  msiexec.exe
- Token: SeBackupPrivilege  2056  msiexec.exe
- Token: SeRestorePrivilege  2056  msiexec.exe
- Token: SeShutdownPrivilege  2056  msiexec.exe
- Token: SeDebugPrivilege  2056  msiexec.exe
- Token: SeAuditPrivilege  2056  msiexec.exe
- Token: SeSystemEnvironmentPrivilege  2056  msiexec.exe
- Token: SeChangeNotifyPrivilege  2056  msiexec.exe
- Token: SeRemoteShutdownPrivilege  2056  msiexec.exe
- Token: SeUndockPrivilege  2056  msiexec.exe
- Token: SeSyncAgentPrivilege  2056  msiexec.exe
- Token: SeEnableDelegationPrivilege  2056  msiexec.exe
- Token: SeManageVolumePrivilege  2056  msiexec.exe
- Token: SeImpersonatePrivilege  2056  msiexec.exe
- Token: SeCreateGlobalPrivilege  2056  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe
- Token: SeRestorePrivilege  1980  msiexec.exe
- Token: SeTakeOwnershipPrivilege  1980  msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description / pid / Process / procid_target:
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
- PID 2740 wrote to memory of 2056  2740  BlueCatDPMeterPro_vcredist.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\BlueCatDPMeterPro_vcredist.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BlueCatDPMeterPro_vcredist.exe"
  PID: 2740
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\msiexec.exe  (depth 2)
    Command line: msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\vcredist-x86.11.0.61030-{1614CF08-F55E-44A6-977E-1E96E55946B7}.msi" /qn
    PID: 2056
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe  (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1980
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- (no path recorded)
  Filesize: 8KB
  MD5: 3fa7f000e4f77f2cb5ff5ff68af6af82
  SHA1: b03695883687ddb73b9e728a8ac28102d03e1622
  SHA256: 9a28d071076677b8642e008ea5efe6a4e4eb4c9e74353ed138c98ea28d54f2bd
  SHA512: 087c55ecc48cf8e1625082bef3ffe83e4e2b1c39f99bf0061e0d5d737e4ab7d77a7b9f3720874cb29260ef8fbdb8550eb24c0ecb5acc01acf346275290b059d9

- C:\Users\Admin\AppData\Local\Temp\vcredist-x86.11.0.61030-{1614CF08-F55E-44A6-977E-1E96E55946B7}.msi
  Filesize: 801KB
  MD5: 0f80620eba4bca47cc196665d07bfba7
  SHA1: b51a2dd24f62cf31be222c71d58a9a1f2136c11d
  SHA256: 4f4e936713e75d9b1685adada22bd329ce04238d2d5f3a90df40f6c4cdafa5e5
  SHA512: 6f758a5a38748d8ab90e0f7888ca4ccd927a9f78392f25ec6741e202f42513a28d95671a04111d7478c843df416888be75ebf224e8eeaea1b5239ca3961854b9