Analysis

  • max time kernel
    122s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/08/2024, 05:49

General

  • Target

    RunDict.exe

  • Size

    389KB

  • MD5

    46cf3f4e4154eba3a691de0850492c3d

  • SHA1

    2f8ae36888f013d56765d5e09036b3734861f214

  • SHA256

    801466b09c6cab683ee644b803e4078db52c5cd52f98f0e05a3fa736e83e800f

  • SHA512

    ea30eda94f7c221742f3a4850e0abaf4ff127e4474f7acf31b4392e5025c6ca220d59a51841c403e4d73bf45b255000f9b20672aaee820761a7fcdc87c5ddbf8

  • SSDEEP

    6144:SfaLwjN+iXdbYMYSTnz8wNW1NGv/HhQ1UCDICJlhXr7:Sx+it8m7NW3MHhQ1J5h77

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RunDict.exe
    "C:\Users\Admin\AppData\Local\Temp\RunDict.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\YodaoDict.exe
      "C:\Users\Admin\AppData\Local\Temp\YodaoDict.exe" start
      2⤵
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\AppData\Local\Temp\wordbook.exe
        hide deskdict:196974
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2232
      • C:\Users\Admin\AppData\Local\Temp\YoudaoEH.exe
        "C:\Users\Admin\AppData\Local\Temp\YoudaoEH.exe"
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:3044
      • C:\Users\Admin\AppData\Local\Temp\YoudaoWSH.exe
        C:\Users\Admin\AppData\Local\Temp\YoudaoWSH.exe 1776
        3⤵
        • Suspicious use of SetWindowsHookEx
        PID:3004
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\YoudaoGetWord32.dll" /s
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:1064
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Temp\YoudaoGetWord64.dll" /s
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:340
        • C:\Windows\system32\regsvr32.exe
          "C:\Users\Admin\AppData\Local\Temp\YoudaoGetWord64.dll" /s
          4⤵
          • Modifies registry class
          PID:2644

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Youdao\DeskDict\ddupdate\dictupdate.xml

    Filesize

    5KB

    MD5

    1aaac195b685939e22902871f0337d26

    SHA1

    07ac75f91dce9f6743644d5f6036170216b9f26e

    SHA256

    a5adf51560694560eebe7348b86505f0685adabbf9bb4ebd92bb03280f993e2e

    SHA512

    31bdcd4b3664a3f177e700333881801e6050a53bce4d97dfd0391bae814e0cbd7869a85b004062bd6c3605c4c00aa676cd54bba705e7620c4cb705ce34e78f29

  • C:\Users\Admin\AppData\Local\Temp\guid.dat

    Filesize

    17B

    MD5

    65df01986b2312447ce98d405298bcbb

    SHA1

    473867a75c7a4c5e31792dbfc33d77d72855cbd0

    SHA256

    5d59526b8d5185b6a14fae0814537ee1dd15126b5b148f058475a744e506a1da

    SHA512

    9b9d297acc1f6fdb4b52633d23c9356e3fe21be78da2dbcfd874b34fd045b0497b054ae7f2c8e3ad103bc7a478ce5781523e4fc31f3a0c3ac837ecc853bc39ea

  • memory/1776-0-0x0000000000230000-0x0000000000253000-memory.dmp

    Filesize

    140KB

  • memory/1776-31-0x00000000054C0000-0x00000000054E2000-memory.dmp

    Filesize

    136KB

  • memory/1776-32-0x0000000006D40000-0x0000000006D4F000-memory.dmp

    Filesize

    60KB

  • memory/2232-33-0x0000000003500000-0x000000000350F000-memory.dmp

    Filesize

    60KB