Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
-
submitted
24-01-2024 17:01
General
-
Target
msi1217YD.msi
-
Size
112.2MB
-
MD5
73de0e9331c6fa90bc0b78d1fd8371e7
-
SHA1
df579476fbcb6b0848b73fcf52c7879461d838a8
-
SHA256
b0a480c9a1e292b18a55b8d79bc3efccdb2936510226b0f313d14df8ac67627f
-
SHA512
57e985d3044e2597cf5c22207694c95268aff713c3d80a70332e54607a3fe8ec07a451593c65a55cb2c4228c830fab9d3be86141222784834b845b7738014e73
-
SSDEEP
3145728:4B4swQOP2kt4/iUOsdQidkLgvEtRxGH2/ril:4BxOhS/iUZ7dNE1GW/ril
Malware Config
Signatures
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 9 IoCs
-
VMProtect packed file 10 IoCs
Detects executables packed with VMProtect commercial packer.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 20 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Modifies registry class 24 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\msi1217YD.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CF5E4BB14512A2AB11BCC623628945DB C2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3F6170BCE32FC46D0B3D51834362B1CB2⤵
- Loads dropped DLL
-
-
C:\Windows\Installer\MSIDF09.tmp"C:\Windows\Installer\MSIDF09.tmp" /EnforcedRunAsAdmin /RunAsAdmin "C:\Users\Admin\AppData\Roaming\YOUDAO\217.bat"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\YOUDAO\217.bat" "3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\YOUDAO\WinRAR.exeC:\Users\Admin\AppData\Roaming\YOUDAO\WinRAR.exe x -p7758523s -ibck 1.zip tiak.exe4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\YOUDAO\RarExtInstaller.exe"C:\Users\Admin\AppData\Roaming\YOUDAO\RarExtInstaller.exe" -install5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUDAO\3.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c del %cd%\66.bat5⤵
-
-
C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe"C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\tkhkel\help360.exeC:\tkhkel\help360.exe6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\windows\Runn\Yloux.exe"C:\windows\Runn\Yloux.exe"7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://sms-activate.ru/cn/getNumber6⤵
- Modifies Internet Explorer settings
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 57⤵
- Runs ping.exe
-
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD504d502d3c34a6d2e3c2117619785935c
SHA1f5794321ac737246376ce9fbb1c10730557752d9
SHA2567a6a1ecd2d16f3f0f71e23205f8d399ef2c3848ede7d2091a487777798ab6cc8
SHA51220c88bb14893479faf8d913855ca0dcbbde7e42b30a0e95c6893aae06c8e524d57d6dcf4767883a3b5260716f1751ffac9dbc4cb1006efdcd90d5411924b04a3
-
Filesize
557KB
MD5db7612f0fd6408d664185cfc81bef0cb
SHA119a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA51225e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9
-
Filesize
10.5MB
MD5f676271690b54795a07e5cf179e52764
SHA17814cfa9c90f520f13089e6d2e80c78145079618
SHA2564f2266fd08bdb07faf29c61eb51db85e53e8cb9cfdc885115d38e28e147ab2a5
SHA5121c7c2203b442d08816756c2bd7cd7775d5a37d9cbf9e46380a3282dac4a886c424b2dd7bceec10d9f39fa98d3eb3b23fe61c3e15b6712292ce8d9e4cebe15909
-
Filesize
91B
MD5cb242c95a12c2107f242a0f1620216e1
SHA1899cf47f75e292d4a3696b23df68e19b090c0218
SHA256429376ad0492dd8b4e03dc113888cbce866b5e9b6c3e72c82c6ee3fc006f6e6f
SHA51242d56db973fa3c9f7c414d4a9f4bffe28e089ad542556ae054a0b15f264c4060d3777064461920a0fd864a57bea715f71daf5c858f6c66d960587ade3b457e4c
-
Filesize
439B
MD5ff1eac510e2fb9c00a39ee817826be7b
SHA136485d145164c922d8c4ff92fa879bdba1a9ad5e
SHA256e96ecf797d784b8bab8d70a264f1fd6ca6b679a477af4bf6887f6635f8d42bcd
SHA512d44f4cc8445371636c9a728817a4d8321220968ff70955c3dec0a7521b1741972aa92a1190a1e0b4d08770ef0e806a84226836d8ca0ff20d21355a96cc214d2f
-
Filesize
616KB
MD59b06731ee83e501c39a758c554dba159
SHA1042f43cd2f99767cdbdf23eaf1775288f981d868
SHA256d4a9d0be3da3073bc1d9dd770bd86fb58222bb61a1882d5059a6c07fba8be924
SHA512d9448d69a00c727c3b025f093da9f184906430dfd93ae2d81c29d2ce8ee5dfb8adf3340557982ef9e8d59b4d012f024ff6e39b225c1386041c0afe0f15780a62
-
Filesize
176KB
MD59ceaaadfb9303cfee55475b014084ae6
SHA132ae5c8d9bac5d164e6b30d56d83063c6b370c80
SHA256eb0a02fe41ff087051d90aebda7ce9c56737fd20896e80503e08a4633c16f600
SHA5127947941e45d0e997da24711dcd7d7a7c1357a14bf7b2acf50e6177872fe6d7c1305cd7bd0d68bcb9a5edd29a8e94e5c5a292cfaa8229281696d41218f4ba8e37
-
Filesize
22KB
MD58930103e0ca45afe89ca8efeb220eb2b
SHA1930749a346dc3d47520451a0c92edc62ae8f00f8
SHA2565a28814263254683282bc5bd0ca6ecf35b2ffe3c2e27cefdc2e1a61afb5a8e6f
SHA512aad319aaece4b7b888e1580025cc584c4249fb0f65023a039885c4dc786644afc2cf53d3de50e09543fbf4605b82121d5f3068643d5feae89a8844018c1081a9
-
Filesize
2.3MB
MD5c343e5e43e2657c82bc0ed9b80c7ffdf
SHA1a56bab6f439e105bafa212a8ac907ef6019adfe7
SHA25657b7698d4caa84cb4f6cf043cd4930ee018956337f40fbc138af21f9c2c06d3a
SHA5122e1394f27e106c0a1290dd38d5244803c88ee1f7eb14095b0ef3f74909e95e4d8265076eef60fedf9fdb0cbe7f549702af6c5092de7c03902ef56ee6db972d58
-
Filesize
7.1MB
MD5ce6e175f5e478f7eaf45889e73e8a138
SHA171a3b5dea4c388bdeb90146f0b34eec52d45627c
SHA25611ddc708690775f20bbe7e5826ce161bf0bd8d9fc48ece0e88ca1053abb4817f
SHA512896a45d5e4f54e0d4f5ee5fb3e15dc5b78a16b910f6b65aad9e61502644f2afcd64d6401e8d53d07b1e84dfffa03c223d7cce114de2053d703f07dadfcc9ea8f
-
Filesize
7.2MB
MD5e334c537ac8ec3f6a6fc7107fa392380
SHA10611edadecb35e5eb9b57d5c68e027db51af6ecc
SHA256df85b3de4556de805e222bcf877d2535a15cceee754b9952582466833da9b19b
SHA5125a6f4ba673cc8dd194708215f25204469e95411c7422ba6abaac890b2f7b39ac5bc4e11200677c17869d132e1fb8c653490d5d797ec2b7938071fd6dd57ac289
-
Filesize
409KB
MD5f7e1ad874fba884ceabfdb0f8edf74bb
SHA1dcd89a248a6e3d85bb3f7eae624a41cef9704654
SHA256bbce37f9e20f5bc59ab45dc49c985d115b13bb214561ddb874118fd91fb52ce8
SHA5125e59de04305aff37703e928a594b9114fb728e3285c09aae7706339d9f9ee77652271de5899738e8410d13224838efb3e30f5ab4e149c21458d3c971010dd209
-
Filesize
61.1MB
MD5e74fa66c286deff6232ff446216cc470
SHA1b64ad132cd9d2d0380c52f53879dcc9dcc895e4a
SHA25646c4566dcc48c174fe7bc3529d090e2425ca72b7d0d3d388ba8204f2631ae49f
SHA5127ce91721094a0d8a05c2885c7068b8c0d02e58664f7eec50ab689d9eff28df676b356ef9dedcb12e1fd92ee08a5f97f814f07e6e6c342c637dbd9a8c8ccacb9c
-
Filesize
2.5MB
MD581590a0dbb3cbc448bafb2161619d2e9
SHA10cf224e66413fd7aa32ce4c590fd1f062b60308d
SHA256f03112820d76d5d8a53615e032e1bf35565d37bca72ca52464d2b5fe13538d40
SHA512a92d8f7ab0c243fcb87113d46b1b1bdc2cef4421d517608a9b8ee1d1d74703bed2b5c6fd8a366792d27f03a59ad9aa1a61109ea94c52b14b06605048da032013
-
Filesize
3.0MB
MD59289c4d7ce63082a6b104b49382273c9
SHA1541187577d7fdea110b8868f2f059d4c2c34b9fc
SHA256875e0934d086e6bb3cc03d65d3ef60a7b2f69b966e64de015541db5748d376db
SHA512c3807c8a4e1d5aef81b19eb3df5ce54494264d75c191c6b4387902b133a2b934864706f59e927e9b1bb96712270863ca02137b49f695b10281f227fe6710628e
-
Filesize
2.6MB
MD554f23836a37e9b1ccb7293e78d380f6b
SHA1770c1c20f2c269d94ab68e4158f46d47540d75b7
SHA256778173ce9df37c9b2dbeeefc8e7c201d935d38c0f017d5909edbf30cd84f3b5b
SHA51231963bb8b74404d740086b08d178778152b2e4de5010650bdfc722870c5212a35ba0f31e55a12070e4a7380f9bba88d8a76611abe0baef6d91596e1a65dc680a
-
Filesize
2.7MB
MD5a7aa3b45fcde9c907c21315d382faab8
SHA15e6fb3adb517089f09f57cf09ec77b073b49a177
SHA256fb03d18aed866276d2a8b63610978ee7ac7eb6d2fbc9e352879f881b1e9d1b10
SHA512ea434325e06ed6b27730b3e10a0711c9f396a2eaa88a819e8db3e213724e8b49933b3329d2dfdd49277ed7819c9e4c430c017c7864c94e353e15216060559805
-
Filesize
176KB
MD53d7d682f44b0b12b5518d3e9c6c11d2a
SHA123869cb52e797c0f5c64364af8c78c49c71b9c27
SHA256702eb45ead6494f36944f5d16e5aef30de138c6d16fdf92eedd098fb59fa5347
SHA5126295f519308b8ccd4ce6cea1058340dc25fdba5414a44c8c952437dc2cdea42b783e476ded8c855d0423895c1e8d0667eda817d956322d78ceeb5e10139af550
-
Filesize
6.7MB
MD5584f2206cd07b1ead19f4b25ec252422
SHA1f5398f0cb9646e0a62685fbaa0c8355a4bbb01a2
SHA256ff8619691201493d929e5ef02012a616c3df255863b4efa2059d950315a5329e
SHA512f401d20435617846444afd5a833a957fbad33c441f2b64f3b47a78c5bb47939b6e3e06f20cd3f7c59c0bb6ae75d0d75aa1f710746f83db767002d34377e122cf
-
Filesize
6KB
MD585ee5d94aca1c877a5b022cda7c4c264
SHA132d3882ebf4859604caded6137106c729dd0377e
SHA256141b8806fd53e040e3ad7248adf5550cf9025b963dd77d73781a5d987d870627
SHA512eaa761ba3399089ba544521f6053998976b9cf83d6cf8bb7b5806334472f28afcc7de521d6f22b088a7ff7355928176fabc33e16268ffba572bfb612695a7fb9
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.9MB
-
Filesize
4KB
-
Filesize
8.6MB
-
Filesize
6.0MB
-
Filesize
6.0MB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
272KB
-
Filesize
248KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
180KB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
272KB
-
Filesize
204KB
-
Filesize
272KB