Analysis
-
max time kernel
11s -
max time network
12s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 01:40
Behavioral task
behavioral1
Sample
C558B828.msi
Resource
win7-20240708-en
Errors
General
-
Target
C558B828.msi
-
Size
1.4MB
-
MD5
c12241be2c41ae69187ca9faf83494ff
-
SHA1
5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f
-
SHA256
43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1
-
SHA512
0b2dbf2278fef86a122952683668a795e76cb5e30c1d98b52f5fa5dbc9f1bc152c64aeeab69c9c4befd27ded3f879a3ebd9bc135c66e164d14ae5e8189c1b527
-
SSDEEP
24576:FsuDXXNwG04BMeRocDP1NPQDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:FVXdsi5ooAFeBRSw8vlQIzNSnf6y4
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f769be2.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9C01.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9D2A.tmp msiexec.exe File created C:\Windows\Installer\f769be5.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI9FCC.tmp msiexec.exe File created C:\Windows\dbcode21mk.log msiexec.exe File created C:\Windows\setupact64.log msiexec.exe File created C:\Windows\Installer\f769be2.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9D99.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9DF7.tmp msiexec.exe File opened for modification C:\Windows\Installer\f769be5.ipi msiexec.exe -
Loads dropped DLL 4 IoCs
pid Process 1864 MsiExec.exe 1864 MsiExec.exe 1864 MsiExec.exe 1864 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1452 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Modifies data under HKEY_USERS 31 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1692 msiexec.exe 1692 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process Token: SeShutdownPrivilege 1452 msiexec.exe Token: SeIncreaseQuotaPrivilege 1452 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeSecurityPrivilege 1692 msiexec.exe Token: SeCreateTokenPrivilege 1452 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1452 msiexec.exe Token: SeLockMemoryPrivilege 1452 msiexec.exe Token: SeIncreaseQuotaPrivilege 1452 msiexec.exe Token: SeMachineAccountPrivilege 1452 msiexec.exe Token: SeTcbPrivilege 1452 msiexec.exe Token: SeSecurityPrivilege 1452 msiexec.exe Token: SeTakeOwnershipPrivilege 1452 msiexec.exe Token: SeLoadDriverPrivilege 1452 msiexec.exe Token: SeSystemProfilePrivilege 1452 msiexec.exe Token: SeSystemtimePrivilege 1452 msiexec.exe Token: SeProfSingleProcessPrivilege 1452 msiexec.exe Token: SeIncBasePriorityPrivilege 1452 msiexec.exe Token: SeCreatePagefilePrivilege 1452 msiexec.exe Token: SeCreatePermanentPrivilege 1452 msiexec.exe Token: SeBackupPrivilege 1452 msiexec.exe Token: SeRestorePrivilege 1452 msiexec.exe Token: SeShutdownPrivilege 1452 msiexec.exe Token: SeDebugPrivilege 1452 msiexec.exe Token: SeAuditPrivilege 1452 msiexec.exe Token: SeSystemEnvironmentPrivilege 1452 msiexec.exe Token: SeChangeNotifyPrivilege 1452 msiexec.exe Token: SeRemoteShutdownPrivilege 1452 msiexec.exe Token: SeUndockPrivilege 1452 msiexec.exe Token: SeSyncAgentPrivilege 1452 msiexec.exe Token: SeEnableDelegationPrivilege 1452 msiexec.exe Token: SeManageVolumePrivilege 1452 msiexec.exe Token: SeImpersonatePrivilege 1452 msiexec.exe Token: SeCreateGlobalPrivilege 1452 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeRestorePrivilege 1692 msiexec.exe Token: SeTakeOwnershipPrivilege 1692 msiexec.exe Token: SeShutdownPrivilege 1692 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1452 msiexec.exe 1452 msiexec.exe -
Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 1864 1692 msiexec.exe 31 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 1692 wrote to memory of 2792 1692 msiexec.exe 32 PID 2792 wrote to memory of 2752 2792 MsiExec.exe 33 PID 2792 wrote to memory of 2752 2792 MsiExec.exe 33 PID 2792 wrote to memory of 2752 2792 MsiExec.exe 33 PID 2792 wrote to memory of 2752 2792 MsiExec.exe 33 PID 2792 wrote to memory of 2344 2792 MsiExec.exe 35 PID 2792 wrote to memory of 2344 2792 MsiExec.exe 35 PID 2792 wrote to memory of 2344 2792 MsiExec.exe 35 PID 2792 wrote to memory of 2344 2792 MsiExec.exe 35 PID 2792 wrote to memory of 2600 2792 MsiExec.exe 37 PID 2792 wrote to memory of 2600 2792 MsiExec.exe 37 PID 2792 wrote to memory of 2600 2792 MsiExec.exe 37 PID 2792 wrote to memory of 2600 2792 MsiExec.exe 37 PID 2792 wrote to memory of 2324 2792 MsiExec.exe 39 PID 2792 wrote to memory of 2324 2792 MsiExec.exe 39 PID 2792 wrote to memory of 2324 2792 MsiExec.exe 39 PID 2792 wrote to memory of 2324 2792 MsiExec.exe 39 PID 2792 wrote to memory of 2880 2792 MsiExec.exe 41 PID 2792 wrote to memory of 2880 2792 MsiExec.exe 41 PID 2792 wrote to memory of 2880 2792 MsiExec.exe 41 PID 2792 wrote to memory of 2880 2792 MsiExec.exe 41 PID 2792 wrote to memory of 2996 2792 MsiExec.exe 43 PID 2792 wrote to memory of 2996 2792 MsiExec.exe 43 PID 2792 wrote to memory of 2996 2792 MsiExec.exe 43 PID 2792 wrote to memory of 2996 2792 MsiExec.exe 43 PID 2792 wrote to memory of 1304 2792 MsiExec.exe 45 PID 2792 wrote to memory of 1304 2792 MsiExec.exe 45 PID 2792 wrote to memory of 1304 2792 MsiExec.exe 45 PID 2792 wrote to memory of 1304 2792 MsiExec.exe 45 PID 2792 wrote to memory of 2948 2792 MsiExec.exe 47 PID 2792 wrote to memory of 2948 2792 MsiExec.exe 47 PID 2792 wrote to memory of 2948 2792 MsiExec.exe 47 PID 2792 wrote to memory of 2948 2792 MsiExec.exe 47 PID 2792 wrote to memory of 2020 2792 MsiExec.exe 49 PID 2792 wrote to memory of 2020 2792 MsiExec.exe 49 PID 2792 wrote to memory of 2020 2792 MsiExec.exe 49 PID 2792 wrote to memory of 2020 2792 MsiExec.exe 49 PID 2792 wrote to memory of 2224 2792 MsiExec.exe 51 PID 2792 wrote to memory of 2224 2792 MsiExec.exe 51 PID 2792 wrote to memory of 2224 2792 MsiExec.exe 51 PID 2792 wrote to memory of 2224 2792 MsiExec.exe 51 PID 2792 wrote to memory of 2300 2792 MsiExec.exe 53 PID 2792 wrote to memory of 2300 2792 MsiExec.exe 53 PID 2792 wrote to memory of 2300 2792 MsiExec.exe 53 PID 2792 wrote to memory of 2300 2792 MsiExec.exe 53 PID 2792 wrote to memory of 1312 2792 MsiExec.exe 55 PID 2792 wrote to memory of 1312 2792 MsiExec.exe 55 PID 2792 wrote to memory of 1312 2792 MsiExec.exe 55 PID 2792 wrote to memory of 1312 2792 MsiExec.exe 55
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\C558B828.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1452
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C78EAAD07BDF3103125124915E96BC712⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1864
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1C1B5317836EF386DC344D43EA26DBA7 M Global\MSI00002⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2752
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2344
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2600
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2324
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2880
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2996
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1304
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2948
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2020
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2224
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2300
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1312
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2244
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1380
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD57fc0068ac21c6d981d79d0b980929ddb
SHA1a7e4fa0830cc105bec5b984446f124b6b7a76b73
SHA2563c6ef955e97b5343142ba4261500c5dfa11a9e834abc8615ed7406c2fb434cc9
SHA512349c557fd0d04ae459793d31c2860c68018c3992c35658ee60a4139ba0f5f4f553faa98b5b5303cdea097940610358e796d885d752dd29422bae02cd5c6f40f4
-
Filesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
Filesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165