Analysis
max time kernel: 721s
max time network: 728s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/07/2023, 09:10
Static task
static1
Behavioral task
behavioral1
Sample
T-G中文.msi
Resource
win7-20230703-en
Behavioral task
behavioral2
Sample
T-G中文.msi
Resource
win10v2004-20230703-en
General
Target: T-G中文.msi
Size: 38.2MB
MD5: 79c85baf08ad6c4764d17ff58bf3f94b
SHA1: 23af9d248019e60637d663f5269ccf6803dc6844
SHA256: 22bcaefdcd36c9cf937c146dd750376bebfd365c143373d097ff4cfff37d28f2
SHA512: 629446142c0a34aeedaf03445c385c33432d002a9199e29747657db4d453f3ceee292be2d85d3c43526753e5377e84fb68de5a61a983385ca0604f0937dcb7fe
SSDEEP: 786432:wokxQ0yHjoDFDG6XFBa7u4/unK9OIttey4XglRjJKWbb:wRQ9oQvaODtteyjlP3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
2332 4.exe
resource yara_rule
behavioral2/files/0x0006000000023218-170.dat upx
behavioral2/memory/2332-172-0x0000000000400000-0x00000000006A5000-memory.dmp upx
behavioral2/files/0x0006000000023218-171.dat upx
behavioral2/memory/2332-183-0x0000000000400000-0x00000000006A5000-memory.dmp upx
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
Drops file in Program Files directory 20 IoCs
description ioc Process
File created C:\Program Files\T中文版\T中文版\tdata\usertag msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\61FD8CAF305801BFs msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\39FF0766F494A425s msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\prefix msiexec.exe
File created C:\Program Files\T中文版\T中文版\IDI_ICON1.ico msiexec.exe
File created C:\Program Files\T中文版\T中文版\TG.exe msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\F8806DD0C461824Fs msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\A7FDF864FBC10B77s msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\B9183FBBE5D5BB42s msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\D877F783D5D3EF8Cs msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\key_datas msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\1831DD508716C0FEs msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\A3FE900CEFFAD4BAs msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\shortcuts-custom.json msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\settingss msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\countries msiexec.exe
File created C:\Program Files\T中文版\T中文版\4.exe msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\shortcuts-default.json msiexec.exe
File created C:\Program Files\T中文版\T中文版\tupdates\tupdate3007003 msiexec.exe
File created C:\Program Files\T中文版\T中文版\tdata\419BBA3C1F4CD6FBs msiexec.exe
Drops file in Windows directory 10 IoCs
description ioc Process
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSIC44D.tmp msiexec.exe
File created C:\Windows\Installer\{1164114B-B214-4399-92C9-BBC21345E85E}\_6FEFF9B68218417F98F549.exe msiexec.exe
File created C:\Windows\Installer\e5dc18f.msi msiexec.exe
File created C:\Windows\Installer\e5dc18d.msi msiexec.exe
File opened for modification C:\Windows\Installer\e5dc18d.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\SourceHash{1164114B-B214-4399-92C9-BBC21345E85E} msiexec.exe
File opened for modification C:\Windows\Installer\{1164114B-B214-4399-92C9-BBC21345E85E}\_6FEFF9B68218417F98F549.exe msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Modifies data under HKEY_USERS 22 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P 4.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 4.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 4.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion 4.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E 4.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 4.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 4.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 4.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" 4.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 4.exe
Modifies registry class 23 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\InstanceType = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4A5E03028ED0DEE4EB39B7CB5BB366AD msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\ProductName = "T中文版" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4A5E03028ED0DEE4EB39B7CB5BB366AD\B4114611412B9934299CBB2C31548EE5 msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\Clients = 3a0000000000 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4114611412B9934299CBB2C31548EE5 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B4114611412B9934299CBB2C31548EE5\DefaultFeature msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\PackageCode = "2F019A1F1E7E4DA4D95B82EEF75FA9D3" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\Language = "2052" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\Media\1 = ";" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5 msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\Version = "16777216" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\Assignment = "1" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\AdvertiseFlags = "388" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\ProductIcon = "C:\\Windows\\Installer\\{1164114B-B214-4399-92C9-BBC21345E85E}\\_6FEFF9B68218417F98F549.exe" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\AuthorizedLUAApp = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\PackageName = "T-G中文.msi" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B4114611412B9934299CBB2C31548EE5\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
4024 msiexec.exe
4024 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 3872 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3872 msiexec.exe
Token: SeSecurityPrivilege 4024 msiexec.exe
Token: SeCreateTokenPrivilege 3872 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3872 msiexec.exe
Token: SeLockMemoryPrivilege 3872 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3872 msiexec.exe
Token: SeMachineAccountPrivilege 3872 msiexec.exe
Token: SeTcbPrivilege 3872 msiexec.exe
Token: SeSecurityPrivilege 3872 msiexec.exe
Token: SeTakeOwnershipPrivilege 3872 msiexec.exe
Token: SeLoadDriverPrivilege 3872 msiexec.exe
Token: SeSystemProfilePrivilege 3872 msiexec.exe
Token: SeSystemtimePrivilege 3872 msiexec.exe
Token: SeProfSingleProcessPrivilege 3872 msiexec.exe
Token: SeIncBasePriorityPrivilege 3872 msiexec.exe
Token: SeCreatePagefilePrivilege 3872 msiexec.exe
Token: SeCreatePermanentPrivilege 3872 msiexec.exe
Token: SeBackupPrivilege 3872 msiexec.exe
Token: SeRestorePrivilege 3872 msiexec.exe
Token: SeShutdownPrivilege 3872 msiexec.exe
Token: SeDebugPrivilege 3872 msiexec.exe
Token: SeAuditPrivilege 3872 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3872 msiexec.exe
Token: SeChangeNotifyPrivilege 3872 msiexec.exe
Token: SeRemoteShutdownPrivilege 3872 msiexec.exe
Token: SeUndockPrivilege 3872 msiexec.exe
Token: SeSyncAgentPrivilege 3872 msiexec.exe
Token: SeEnableDelegationPrivilege 3872 msiexec.exe
Token: SeManageVolumePrivilege 3872 msiexec.exe
Token: SeImpersonatePrivilege 3872 msiexec.exe
Token: SeCreateGlobalPrivilege 3872 msiexec.exe
Token: SeBackupPrivilege 2652 vssvc.exe
Token: SeRestorePrivilege 2652 vssvc.exe
Token: SeAuditPrivilege 2652 vssvc.exe
Token: SeBackupPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Token: SeTakeOwnershipPrivilege 4024 msiexec.exe
Token: SeRestorePrivilege 4024 msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
3872 msiexec.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process
2332 4.exe
2332 4.exe
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target
PID 4024 wrote to memory of 4564 4024 msiexec.exe 107
PID 4024 wrote to memory of 4564 4024 msiexec.exe 107
PID 4024 wrote to memory of 2332 4024 msiexec.exe 109
PID 4024 wrote to memory of 2332 4024 msiexec.exe 109
PID 4024 wrote to memory of 2332 4024 msiexec.exe 109
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\T-G中文.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 3872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4024

    C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4564

    C:\Program Files\T中文版\T中文版\4.exe
    "C:\Program Files\T中文版\T中文版\4.exe" /Commit
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID: 2332

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 2652
Network
MITRE ATT&CK Enterprise v6
Downloads