Analysis

  • max time kernel
    11s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 01:40

Errors

Reason
Machine shutdown

General

  • Target

    C558B828.msi

  • Size

    1.4MB

  • MD5

    c12241be2c41ae69187ca9faf83494ff

  • SHA1

    5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f

  • SHA256

    43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1

  • SHA512

    0b2dbf2278fef86a122952683668a795e76cb5e30c1d98b52f5fa5dbc9f1bc152c64aeeab69c9c4befd27ded3f879a3ebd9bc135c66e164d14ae5e8189c1b527

  • SSDEEP

    24576:FsuDXXNwG04BMeRocDP1NPQDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:FVXdsi5ooAFeBRSw8vlQIzNSnf6y4

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 31 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\C558B828.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1452
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C78EAAD07BDF3103125124915E96BC71
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1864
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1C1B5317836EF386DC344D43EA26DBA7 M Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2792
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2752
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2344
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2600
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2324
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2880
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2996
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1304
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2948
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2020
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2224
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2300
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1312
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2244
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1380

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\f769be6.rbs

        Filesize

        2KB

        MD5

        7fc0068ac21c6d981d79d0b980929ddb

        SHA1

        a7e4fa0830cc105bec5b984446f124b6b7a76b73

        SHA256

        3c6ef955e97b5343142ba4261500c5dfa11a9e834abc8615ed7406c2fb434cc9

        SHA512

        349c557fd0d04ae459793d31c2860c68018c3992c35658ee60a4139ba0f5f4f553faa98b5b5303cdea097940610358e796d885d752dd29422bae02cd5c6f40f4

      • C:\Windows\Installer\MSI9C01.tmp

        Filesize

        141KB

        MD5

        4ba8ef50ce73395ad623c770c10e35a7

        SHA1

        63600584c296c0cbe1775a759c34ab384e1bbf76

        SHA256

        6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

        SHA512

        0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

      • C:\Windows\Installer\MSI9D99.tmp

        Filesize

        118KB

        MD5

        4b49c57cbefa1d2773da1f95338e294d

        SHA1

        108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

        SHA256

        68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

        SHA512

        42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

      • memory/1864-5-0x00000000740C0000-0x0000000074125000-memory.dmp

        Filesize

        404KB

      • memory/1864-14-0x00000000740E0000-0x0000000074130000-memory.dmp

        Filesize

        320KB

      • memory/1864-19-0x00000000740C0000-0x0000000074125000-memory.dmp

        Filesize

        404KB