Analysis

  • max time kernel
    149s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 02:01

General

  • Target

    F12E5CE5.msi

  • Size

    1.4MB

  • MD5

    409fc4c1a1823228dfa9f906ac562e82

  • SHA1

    8ad688f04db5a37f9a9c7a660ea80fbe917fbb73

  • SHA256

    a119f54d6d301009a507a65baa184595244bc82aad5f24911ba45048b7b21904

  • SHA512

    7384a1952c1971788efacbeb473672671e1c321e1996ca416db376d1d2630828d71796bd7f2ab91908b2b9a76d1608fdb178c47cd0b0257fce87eb91960f1c15

  • SSDEEP

    24576:OmuDXX4St04BMeRocDP1NJnA0cGBULM0odOJjgDyk7TS4MclFdBbfYNn+Nnnm6Bl:OLXIvi5ooNXZULOMJ8O6FlFdB0N+Nnnt

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 14 IoCs
  • Loads dropped DLL 5 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F12E5CE5.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1000
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 55915682E458CB5F7DE88E5BB0080094
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1980
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8C5879B792773D018A15BA55E8DDA20D E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4464
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4864
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1844
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4876
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4304
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:2268
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1964
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4540
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1984
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:4124
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:636
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:1032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57a115.rbs

    Filesize

    2KB

    MD5

    444397245c07a1eae9cb4c8f6f2d96f4

    SHA1

    a328133a24b659c4bf8e9304c89af2a94c7ece6a

    SHA256

    8fe5fe07d06f7d263e74f5b140c3dc537b049b0d6d9de982e7955b9d2a8bf25c

    SHA512

    62556c8b36fb43be9504e45504426dd0f623f81e0d7d6ca790da704cc0a903b4e6fab3bfb15a215e6ef6622a16798e154173eb68a1e0c8ee00a8966e49eaf79b

  • C:\Windows\Installer\MSIA1AE.tmp

    Filesize

    141KB

    MD5

    4ba8ef50ce73395ad623c770c10e35a7

    SHA1

    63600584c296c0cbe1775a759c34ab384e1bbf76

    SHA256

    6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

    SHA512

    0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

  • C:\Windows\Installer\MSIA55B.tmp

    Filesize

    118KB

    MD5

    4b49c57cbefa1d2773da1f95338e294d

    SHA1

    108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

    SHA256

    68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

    SHA512

    42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

  • memory/1980-6-0x0000000074710000-0x0000000074775000-memory.dmp

    Filesize

    404KB

  • memory/1980-15-0x0000000074710000-0x0000000074775000-memory.dmp

    Filesize

    404KB

  • memory/1980-20-0x0000000074730000-0x0000000074780000-memory.dmp

    Filesize

    320KB