ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47

Analysis

max time kernel
80s
max time network
81s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-12-2024 04:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

20AC0B78.msi
Size

1.4MB
MD5

9c84926dac4e5e7037747c49f58f1724
SHA1

f5695587523152a08eab8f5d11c7ab3251b107d1
SHA256

ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47
SHA512

6b476538935d69362089d8505203dadca4330ba112252870ab5be529ed8b40cca3beff7d27a4e59587b20dd33ff19cd177a1945a7158758d3630578c75b8f17a
SSDEEP

24576:eruDXXh3j04BMeRocDP1Nxyq7KDOJjkDOk4TB4McL8dfbfr7KCN5nQ6BAMVUTH:e+Xx4i5ooIq7iOJwyZeL8dfv7jN5nQ6I

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}	msiexec.exe
File created	C:\Windows\Installer\e57947f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9722.tmp	msiexec.exe
File created	C:\Windows\setupact64.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9771.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI987C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57947f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9674.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\dbcode21mk.log	msiexec.exe

Loads dropped DLL 5 IoCs

pid	Process
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe
4560	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
5116	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "174"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe\VBScriptSetScriptStateStarted = "240628406"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
664	msiexec.exe
664	msiexec.exe
664	msiexec.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	664	msiexec.exe
Token: SeCreateTokenPrivilege	5116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5116	msiexec.exe
Token: SeLockMemoryPrivilege	5116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5116	msiexec.exe
Token: SeMachineAccountPrivilege	5116	msiexec.exe
Token: SeTcbPrivilege	5116	msiexec.exe
Token: SeSecurityPrivilege	5116	msiexec.exe
Token: SeTakeOwnershipPrivilege	5116	msiexec.exe
Token: SeLoadDriverPrivilege	5116	msiexec.exe
Token: SeSystemProfilePrivilege	5116	msiexec.exe
Token: SeSystemtimePrivilege	5116	msiexec.exe
Token: SeProfSingleProcessPrivilege	5116	msiexec.exe
Token: SeIncBasePriorityPrivilege	5116	msiexec.exe
Token: SeCreatePagefilePrivilege	5116	msiexec.exe
Token: SeCreatePermanentPrivilege	5116	msiexec.exe
Token: SeBackupPrivilege	5116	msiexec.exe
Token: SeRestorePrivilege	5116	msiexec.exe
Token: SeShutdownPrivilege	5116	msiexec.exe
Token: SeDebugPrivilege	5116	msiexec.exe
Token: SeAuditPrivilege	5116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5116	msiexec.exe
Token: SeChangeNotifyPrivilege	5116	msiexec.exe
Token: SeRemoteShutdownPrivilege	5116	msiexec.exe
Token: SeUndockPrivilege	5116	msiexec.exe
Token: SeSyncAgentPrivilege	5116	msiexec.exe
Token: SeEnableDelegationPrivilege	5116	msiexec.exe
Token: SeManageVolumePrivilege	5116	msiexec.exe
Token: SeImpersonatePrivilege	5116	msiexec.exe
Token: SeCreateGlobalPrivilege	5116	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeRestorePrivilege	664	msiexec.exe
Token: SeTakeOwnershipPrivilege	664	msiexec.exe
Token: SeShutdownPrivilege	664	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5116	msiexec.exe
5116	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4860	LogonUI.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 664 wrote to memory of 4560	664	msiexec.exe	84
PID 664 wrote to memory of 4560	664	msiexec.exe	84
PID 664 wrote to memory of 4560	664	msiexec.exe	84
PID 664 wrote to memory of 344	664	msiexec.exe	86
PID 664 wrote to memory of 344	664	msiexec.exe	86
PID 664 wrote to memory of 344	664	msiexec.exe	86
PID 344 wrote to memory of 3812	344	MsiExec.exe	87
PID 344 wrote to memory of 3812	344	MsiExec.exe	87
PID 344 wrote to memory of 3812	344	MsiExec.exe	87
PID 344 wrote to memory of 4156	344	MsiExec.exe	89
PID 344 wrote to memory of 4156	344	MsiExec.exe	89
PID 344 wrote to memory of 4156	344	MsiExec.exe	89
PID 344 wrote to memory of 4116	344	MsiExec.exe	91
PID 344 wrote to memory of 4116	344	MsiExec.exe	91
PID 344 wrote to memory of 4116	344	MsiExec.exe	91
PID 344 wrote to memory of 3424	344	MsiExec.exe	93
PID 344 wrote to memory of 3424	344	MsiExec.exe	93
PID 344 wrote to memory of 3424	344	MsiExec.exe	93
PID 344 wrote to memory of 4892	344	MsiExec.exe	95
PID 344 wrote to memory of 4892	344	MsiExec.exe	95
PID 344 wrote to memory of 4892	344	MsiExec.exe	95
PID 344 wrote to memory of 3604	344	MsiExec.exe	97
PID 344 wrote to memory of 3604	344	MsiExec.exe	97
PID 344 wrote to memory of 3604	344	MsiExec.exe	97
PID 344 wrote to memory of 1296	344	MsiExec.exe	99
PID 344 wrote to memory of 1296	344	MsiExec.exe	99
PID 344 wrote to memory of 1296	344	MsiExec.exe	99
PID 344 wrote to memory of 2712	344	MsiExec.exe	101
PID 344 wrote to memory of 2712	344	MsiExec.exe	101
PID 344 wrote to memory of 2712	344	MsiExec.exe	101
PID 344 wrote to memory of 2440	344	MsiExec.exe	103
PID 344 wrote to memory of 2440	344	MsiExec.exe	103
PID 344 wrote to memory of 2440	344	MsiExec.exe	103
PID 344 wrote to memory of 4056	344	MsiExec.exe	105
PID 344 wrote to memory of 4056	344	MsiExec.exe	105
PID 344 wrote to memory of 4056	344	MsiExec.exe	105
PID 344 wrote to memory of 2116	344	MsiExec.exe	107
PID 344 wrote to memory of 2116	344	MsiExec.exe	107
PID 344 wrote to memory of 2116	344	MsiExec.exe	107
PID 344 wrote to memory of 1056	344	MsiExec.exe	109
PID 344 wrote to memory of 1056	344	MsiExec.exe	109
PID 344 wrote to memory of 1056	344	MsiExec.exe	109

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20AC0B78.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7364D31EE412D255796CBB597CE3735C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8F8DF6911DB9BBD462595BBE54A0994 E Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3812
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4156
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4116
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4892
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3604
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1296
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4056
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2116
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1d055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579482.rbs

Filesize
2KB

MD5
7117f1ce29d10385ba06fd8413b33c10

SHA1
a5a7e528738b324e30ffcde268112336ba6f5b1a

SHA256
e899fedd431a97b779d3487894f61edd07deda3f884a8de187927a1ad2de98ae

SHA512
b8ae327b20ed064bdbc365f00cbdac68d0afb3c7e2d17610b46396fad0aa2abd462602d460ed5e8b5b6e729bc3a494d12c345176ee7d5d5584782896a9234b42

Download Submit
C:\Windows\Installer\MSI94FC.tmp

Filesize
141KB

MD5
4ba8ef50ce73395ad623c770c10e35a7

SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76

SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

Download Submit
C:\Windows\Installer\MSI9722.tmp

Filesize
118KB

MD5
4b49c57cbefa1d2773da1f95338e294d

SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

Download Submit
memory/4560-6-0x0000000075050000-0x00000000750B5000-memory.dmp

Filesize
404KB

Download
memory/4560-15-0x0000000075050000-0x00000000750B5000-memory.dmp

Filesize
404KB

Download
memory/4560-20-0x0000000075070000-0x00000000750C0000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads