7fba736320971975317c51eb6ea07398ada991a3c0175e1318a554022b95936c

Analysis

max time kernel
61s
max time network
78s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 13:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

网易有道翻译.exe
Size

124.6MB
MD5

3c7902f8780d25c75927b7f822015046
SHA1

0a9083c2a0e5ea8ef44ae0a8eaff41fb86633147
SHA256

7fba736320971975317c51eb6ea07398ada991a3c0175e1318a554022b95936c
SHA512

ebe15b2bee980ca5ca5b38a970a47f0486ab91ac31d634803557d2b58cfc71d6944474a6870e44d83eba30155482059b751925b24b5a8a765d1c97852e280668
SSDEEP

3145728:JwXtRIbRtjonSpelDp6V0TNLfhy41aqWB1If8uH2:KX4b1ezi01pNO1IEuW

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4280 created 4248	4280	ydupdate.exe	91
PID 1020 created 564	1020	browsnw.exe	100

Executes dropped EXE 8 IoCs

pid	Process
1572	网易有道翻译.tmp
4280	ydupdate.exe
3792	browsnw.exe
2448	browsnw.exe
2888	browsnw.exe
4624	browsnw.exe
1020	browsnw.exe
552	browsnw.exe

Loads dropped DLL 7 IoCs

pid	Process
4280	ydupdate.exe
3792	browsnw.exe
2448	browsnw.exe
2888	browsnw.exe
4624	browsnw.exe
1020	browsnw.exe
552	browsnw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
4280	ydupdate.exe
4280	ydupdate.exe
3792	browsnw.exe
3792	browsnw.exe
2448	browsnw.exe
2448	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
4624	browsnw.exe
4624	browsnw.exe
1020	browsnw.exe
1020	browsnw.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\browsnw\browsnw.exe	browsnw.exe
File opened for modification	C:\Windows\browsnw\browsnw.exe	browsnw.exe
File created	C:\Windows\browsnw\support_report.inf	browsnw.exe
File opened for modification	C:\Windows\browsnw\support_report.inf	browsnw.exe
File created	C:\Windows\browsnw\webview_support.dll	browsnw.exe
File opened for modification	C:\Windows\browsnw\webview_support.dll	browsnw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	网易有道翻译.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	网易有道翻译.tmp

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1572	网易有道翻译.tmp
1572	网易有道翻译.tmp
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe
2888	browsnw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1572	网易有道翻译.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1572	1452	网易有道翻译.exe	82
PID 1452 wrote to memory of 1572	1452	网易有道翻译.exe	82
PID 1452 wrote to memory of 1572	1452	网易有道翻译.exe	82
PID 1572 wrote to memory of 4280	1572	网易有道翻译.tmp	89
PID 1572 wrote to memory of 4280	1572	网易有道翻译.tmp	89
PID 4280 wrote to memory of 3792	4280	ydupdate.exe	92
PID 4280 wrote to memory of 3792	4280	ydupdate.exe	92
PID 4968 wrote to memory of 2448	4968	cmd.exe	94
PID 4968 wrote to memory of 2448	4968	cmd.exe	94
PID 2448 wrote to memory of 4624	2448	browsnw.exe	97
PID 2448 wrote to memory of 4624	2448	browsnw.exe	97
PID 2888 wrote to memory of 1020	2888	browsnw.exe	98
PID 2888 wrote to memory of 1020	2888	browsnw.exe	98
PID 1020 wrote to memory of 552	1020	browsnw.exe	101
PID 1020 wrote to memory of 552	1020	browsnw.exe	101

C:\Users\Admin\AppData\Local\Temp\网易有道翻译.exe
"C:\Users\Admin\AppData\Local\Temp\网易有道翻译.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\is-1M85I.tmp\网易有道翻译.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1M85I.tmp\网易有道翻译.tmp" /SL5="$6015A,129662364,735744,C:\Users\Admin\AppData\Local\Temp\网易有道翻译.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Programs\yodaodictr\ydupdate.exe
    "C:\Users\Admin\AppData\Local\Programs\yodaodictr\ydupdate.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\winver.exe
      C:\Windows\system32\winver.exe
      4⤵
      PID:3720
  - - C:\Windows\system32\computerdefaults.exe
      C:\Windows\system32\computerdefaults.exe
      4⤵
      PID:4248
    - - C:\Users\Admin\AppData\Local\Programs\yodaodictr\browsnw.exe
        
        C:\Users\Admin\AppData\Local\Programs\yodaodictr\browsnw.exe e38bfbb348fe19059 4280 "C:\Users\Admin\AppData\Local\Programs\yodaodictr\"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3792

C:\Windows\system32\cmd.exe
cmd /c start "" "C:\Users\Admin\AppData\Local\Programs\yodaodictr\browsnw.exe" "02647ba0183bf3208" 3792 "C:\Users\Admin\AppData\Local\Programs\yodaodictr\"
1⤵
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Programs\yodaodictr\browsnw.exe
  "C:\Users\Admin\AppData\Local\Programs\yodaodictr\browsnw.exe" "02647ba0183bf3208" 3792 "C:\Users\Admin\AppData\Local\Programs\yodaodictr\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\browsnw\browsnw.exe
    C:\Windows\browsnw\browsnw.exe BD37CDB0979CFF 3792 "C:\Users\Admin\AppData\Local\Programs\yodaodictr\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4624

C:\Windows\browsnw\browsnw.exe
"C:\Windows\browsnw\browsnw.exe" "968e47a16c6"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\browsnw\browsnw.exe
  "C:\Windows\browsnw\browsnw.exe" "6C61E6E64178B742C3"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1020
- - C:\Windows\system32\winver.exe
    C:\Windows\system32\winver.exe
    3⤵
    PID:4980
- - C:\Windows\system32\computerdefaults.exe
    C:\Windows\system32\computerdefaults.exe
    3⤵
    PID:564
  - - C:\Windows\browsnw\browsnw.exe
      C:\Windows\browsnw\browsnw.exe 75203FECC2EBFD3 1020
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\10.3.2.0\resultui\html\css\is-DQ81C.tmp

Filesize
584B

MD5
3f7da09311b9632df92173623aaa6145

SHA1
b02c155b2f70671599965448d64a6f6479dbf0ef

SHA256
1105b229c1437d45db30e0bbcc8736fed14ddfdfe957d05f590e0530a7d0925b

SHA512
d477e6849946eb88544eefbd7913566b2675fbf00d7fff134049a1376de3d88d65316245d43680f639c00470da44d84bcaa3c611d59e2598c321f48d5dc053fe

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\10.3.2.0\resultui\html\js\3760.js.LICENSE.txt

Filesize
493B

MD5
5c08af88d23addb3f3b34367dc2da82b

SHA1
54c30d9bd811f8d06694cf156997d3beb728b9d3

SHA256
de87e73c7035f73f09da8e771c08794f56e7d0a16b0b44dbcbeafe83d0390e35

SHA512
a85dd7e7ba12f78d27ff9de792c71de07f57abdcf647aa7fbca5f27020554fb76286f0fdc5f42d570057a14828ffd186d4dc167ab1abfe909dce868f2ccab3a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\10.3.2.0\resultui\html\js\is-BCUJE.tmp

Filesize
614B

MD5
088232cd8447769b12116adda5b934f9

SHA1
764b61e6d7604568f2adc7e8297b6e810ca5e214

SHA256
836aa26e61f5628b45a2ff1544d1260eecc6365a97c507a8a416a85eb42ed930

SHA512
d4bf4f8d74352c922f919aa76efecfabec32e4f1a9a192c77a8b622b3e85a547c5796d1f801b2f49aeef7bb48433e9d5ffe91ada83a6f13401e11c88b043495e

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\10.3.2.0\resultui\html\js\is-JV8U8.tmp

Filesize
120B

MD5
3df54bba2137ec524f3fb39f2c61461a

SHA1
0c22a43aa3197066cef88cc7d507b4c7de33fcc1

SHA256
47282a6fa1469e2d7bc8936d167c17ebf0fd800941104dd15097945208ccb501

SHA512
e7462c492ff1eebe0a2843a70b64bcfd196f22163e87fc0774b1904553aa66524b511bab0d43d6a580863982ebd74162879431ac8e401a97e378c3a2d3fbf283

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\10.3.2.0\resultui\html\ydDict\setting_setting_settingTabDesktop.html

Filesize
8KB

MD5
87988f564a1461454d608c8ce36c1989

SHA1
e2f0a940947c15b95e4f8c474ebd2c73324a52fe

SHA256
94bfa78fd9ee5b10768910279c84051a671dce57e432e4d081fa4a707d2b9387

SHA512
961263481d70e664885f8e1bd397aef5a38c1836017c90dbd4c800d9d5c0826d3b5d8aa521bc61f2591391d4de10f782d80f380447256cdbe62b961798c4b5b7

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\appsoft3310\software3310\uD0\discr\apcation\YoudaoDict.exe

Filesize
11.5MB

MD5
192e092184f4fa0cd8d66005d80281ef

SHA1
4f5e06f289a01aeefdf4a8ea927f444fa5da0412

SHA256
249adfc48d18de2c7bee4b2742bb7d2a48b6cd88a05d610bb5ae870a3c929878

SHA512
dc9c52eaec50d3a3edf6eca9a3f6e920c63aea57c7df23f55f6fb9b968445ec5d9a4db944ecbe3eeccbe1a7e1ddcf27f243ad6bbdddd0260d1899f9b2e029966

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\support_report.inf

Filesize
9.8MB

MD5
bf06b648b091225c1fd82a539b23cb4c

SHA1
0ee421228230f3b6061867d24352b4ab3d454339

SHA256
b08e02281561e6c1633ebbc683c06eb729baee3e14ed036a1c64ec771fd9780f

SHA512
80302898062a956bcfa629d74b32a42161fef98d7dd349cd3f0f83a35fe457b5ccf9bc0b31b826a3236e9ca9b24d139fc5ef00b34110993e9e3ccea7b44f1840

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\webview_support.dll

Filesize
9.8MB

MD5
a1cfaf5704342da793a8b9369353b9fa

SHA1
9c13be5cac4662919f51b955905985f98bc32520

SHA256
db994d7f41194834ae5532c1af725b7969a2f04682b36c53441ac72a9a854ffd

SHA512
938261e8292053fde7045f1090cca9d829e382822f77f968cd74c04142a0452fef1b438caa10c29da6a65febfcff09219d11866618e7826ccf4acb0a017639ca

Download Submit
C:\Users\Admin\AppData\Local\Programs\yodaodictr\ydupdate.exe

Filesize
354KB

MD5
a8b8fc58bcf35e7536dcacfb20c99d5a

SHA1
7c3186aedfe25293cb20574075560e3484a7ccdb

SHA256
19d4601437d705cd125f9c3be9088b6ee1a9236266f5f8f99fd3cdcc49551606

SHA512
585d5e005305124001ca2599f72fcd257e985dcc9dae70a2eeccd1f1dca385dd2a11b45c509c924b27701580bd73197f51a47e6dcecee4ff097e08a449e65442

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1M85I.tmp\网易有道翻译.tmp

Filesize
2.9MB

MD5
314a684ed7065ee564838c725c448617

SHA1
32d1baa9fce9a01dc0906a36201e897d584401f7

SHA256
eab5e65fcb8303f22439e428e28ffb47cacdd61f2d87f840c36c286ddcc5bc62

SHA512
8a000a00c736b825fbec8f78a045c1331d15cce45dbadcb66572745b9f7569fdb139c6323076d5e2f7e43234f78fb4e3533f4e103c781e757a3e0966ee553489

Download Submit
memory/552-2242-0x0000013835280000-0x00000138362F7000-memory.dmp

Filesize
16.5MB

Download
memory/552-2239-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/552-2240-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/1020-2230-0x0000021284960000-0x00000212859D7000-memory.dmp

Filesize
16.5MB

Download
memory/1020-2237-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/1020-2220-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/1020-2223-0x0000021284960000-0x00000212859D7000-memory.dmp

Filesize
16.5MB

Download
memory/1020-2229-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/1020-2219-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/1452-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1452-2159-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1452-8-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1452-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/1572-27-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1572-26-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1572-6-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1572-2158-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/1572-2147-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2448-2186-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/2448-2185-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/2448-2212-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/2448-2188-0x0000021D53F10000-0x0000021D54F87000-memory.dmp

Filesize
16.5MB

Download
memory/2448-2189-0x0000021D53F10000-0x0000021D54F87000-memory.dmp

Filesize
16.5MB

Download
memory/2888-2227-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/2888-2235-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/2888-2203-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/2888-2204-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/2888-2207-0x000001A280A30000-0x000001A281AA7000-memory.dmp

Filesize
16.5MB

Download
memory/2888-2208-0x000001A280A30000-0x000001A281AA7000-memory.dmp

Filesize
16.5MB

Download
memory/3792-2175-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/3792-2184-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/3792-2178-0x0000022ADABC0000-0x0000022ADBC37000-memory.dmp

Filesize
16.5MB

Download
memory/3792-2177-0x0000022ADABC0000-0x0000022ADBC37000-memory.dmp

Filesize
16.5MB

Download
memory/3792-2174-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/4280-2165-0x0000022E19DF0000-0x0000022E1AE67000-memory.dmp

Filesize
16.5MB

Download
memory/4280-2153-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/4280-2154-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/4280-2155-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/4280-2164-0x0000022E16BE0000-0x0000022E189E0000-memory.dmp

Filesize
30.0MB

Download
memory/4280-2173-0x00007FFD68180000-0x00007FFD6B655000-memory.dmp

Filesize
52.8MB

Download
memory/4280-2166-0x0000022E19DF0000-0x0000022E1AE67000-memory.dmp

Filesize
16.5MB

Download
memory/4624-2228-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/4624-2236-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/4624-2216-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/4624-2238-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download
memory/4624-2226-0x0000017D76620000-0x0000017D77697000-memory.dmp

Filesize
16.5MB

Download
memory/4624-2222-0x0000017D76620000-0x0000017D77697000-memory.dmp

Filesize
16.5MB

Download
memory/4624-2217-0x00007FFD5F120000-0x00007FFD625F5000-memory.dmp

Filesize
52.8MB

Download