Overview

overview

10

Static

static

1

YoudaoDict.msi

windows7-x64

6

YoudaoDict.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-09-2024 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YoudaoDict.msi

  • Size

    118.9MB

  • MD5

    08af6212250f9ee918dc85d224e0b195

  • SHA1

    ff8b703e8d852e02c944151231a929056303cc6d

  • SHA256

    2bd768ae300b639e34d88004ee46d4d351727d88108a33fb3cd9c0fc96f07e04

  • SHA512

    6adcc075ad6719fea7fe1fe67f3ad5c251f5b90bfc88fa045bd45cb6192e8bb3ae339217b58792b03c2f54806313b3dc6c8b47bc2c14e714fa0f185bc3e5649b

  • SSDEEP

    3145728:v9A77B6rdyb3Z38ivnfYN2mDU0KfhZSr5:87MrYTZfe2mFKJY

Score
10/10
gh0stratpurplefoxdiscoverypersistenceprivilege_escalationratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 5 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4944
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4672
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 248F903BEBA5A7AACE21B8A563B76836 E Global\MSI0000
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Program Files\AlignAdvocateBrave\SdGMZBnVcZya.exe
          "C:\Program Files\AlignAdvocateBrave\SdGMZBnVcZya.exe" x "C:\Program Files\AlignAdvocateBrave\CfqbqwlsBkImozhluiNB" -o"C:\Program Files\AlignAdvocateBrave\" -pqPUSdBCyjymGowjaYcmw -y
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2488
        • C:\Program Files\AlignAdvocateBrave\HBqWcVOzxI29.exe
          "C:\Program Files\AlignAdvocateBrave\HBqWcVOzxI29.exe" -number 199 -file file3 -mode mode3 -flag flag3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3664
        • C:\Program Files\AlignAdvocateBrave\YoudaoDict_fanyiweb_navigation.exe
          "C:\Program Files\AlignAdvocateBrave\YoudaoDict_fanyiweb_navigation.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2844
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Program Files\AlignAdvocateBrave\HBqWcVOzxI29.exe
      "C:\Program Files\AlignAdvocateBrave\HBqWcVOzxI29.exe" -file file3 -mode mode3 -flag flag3 -number 200
      1⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1988

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57d041.rbs
      Filesize

      7KB

      MD5

      24b35411688ce8ba276846daec84c222

      SHA1

      29083199cbf67bb1e53a581f35769142101a7256

      SHA256

      7d9be4f4369f75a3900ea79bf8fecdc0e10644fc4af37aec17aac87e47d71c11

      SHA512

      8fee3d24d5d54380d9c975d16b934401f4e723dd7b5e9c7346c8abccfa0262a733113d42408781bf366f8177dcc7d501417f31f1d53cf4466fac3d1c47825b1b

      Download Submit

    • C:\Program Files\AlignAdvocateBrave\CfqbqwlsBkImozhluiNB
      Filesize

      731KB

      MD5

      586bd04dc1752714c4d67037ebcc238e

      SHA1

      74f816994933a302aa7eaa4844ceedc43aeaee80

      SHA256

      f00bf5f78c82a847e8dbdef725498f67611f33b1e5e1ba3987dfa8c5e04e5e8e

      SHA512

      57321a54aabcfae2a2e397b6401e421fad1fafd5b8e087f0c4583103fa13b277a267be24b20f046467f76f735baff13453ac811d77336aafb7fbc4f87be842fa

      Download Submit

    • C:\Program Files\AlignAdvocateBrave\HBqWcVOzxI29.exe
      Filesize

      2.0MB

      MD5

      d2c6c4a00a06a831336e914339ff38e9

      SHA1

      6ab2c58fb5c6a088ef50e1e1ebd49e86863e00f4

      SHA256

      28b09c1ab78d474a451017d23f7c5c8b8a18b5545a9c7aa9bc06bef014965ea8

      SHA512

      bd2b5d6c7fc103cc5bdd29757a0295338d3401107290cdad52c562d767a2429e6f73be5923f19213a24feadcb5bbd6ee73b0ac1d1eec8354affdfc9b60597183

      Download Submit

    • C:\Program Files\AlignAdvocateBrave\SdGMZBnVcZya.exe
      Filesize

      574KB

      MD5

      42badc1d2f03a8b1e4875740d3d49336

      SHA1

      cee178da1fb05f99af7a3547093122893bd1eb46

      SHA256

      c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

      SHA512

      6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\LockedList.dll
      Filesize

      95KB

      MD5

      5a94bf8916a11b5fe94aca44886c9393

      SHA1

      820d9c5e3365e323d6f43d3cce26fd9d2ea48b93

      SHA256

      0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d

      SHA512

      79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\OP_WndProc.dll
      Filesize

      48KB

      MD5

      765cf74fc709fb3450fa71aac44e7f53

      SHA1

      b423271b4faac68f88fef15fa4697cf0149bad85

      SHA256

      cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e

      SHA512

      0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\SkinBtn.dll
      Filesize

      4KB

      MD5

      29818862640ac659ce520c9c64e63e9e

      SHA1

      485e1e6cc552fa4f05fb767043b1e7c9eb80be64

      SHA256

      e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

      SHA512

      ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\System.dll
      Filesize

      11KB

      MD5

      bf712f32249029466fa86756f5546950

      SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

      SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

      SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\btn_agree.bmp
      Filesize

      38KB

      MD5

      dab018047c171165c18329d5c59b617e

      SHA1

      88848ac4aceb7358f13d225de6d4fd0a5696517a

      SHA256

      1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734

      SHA512

      1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\btn_disagree.bmp
      Filesize

      38KB

      MD5

      5f7b90c87ea0517771862fae5f11ce94

      SHA1

      fc9f195e888d960139278c04a0e78996c6442d5b

      SHA256

      f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2

      SHA512

      dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\checkbox_null.bmp
      Filesize

      3KB

      MD5

      5754c67775c3f4f50a4780b3bca026b1

      SHA1

      3e95c72c13d6175ef275280fe270d678acee46e9

      SHA256

      2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739

      SHA512

      df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\nsDialogs.dll
      Filesize

      9KB

      MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

      SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

      SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

      SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsoDCF4.tmp\slide8.bmp
      Filesize

      908KB

      MD5

      6d20c27bc3168af9c076b459f1da05dc

      SHA1

      d49795bc5ec392f5da3a65958bc8bd2dbaaddcfe

      SHA256

      da8894cbad7c440ad992416421611071d9b82cda3a3c8287f7c1d75c0386f468

      SHA512

      e4233a72e59bd1f7ee0dc4559ef06b360025e52414c2d6f4ee317e5c193109c1e4be70fc89e74e4a6061035c7e18b97e61ab96716b4ab0ab997b178bcef9d7bb

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      f98ef578b2f12fdd2f1e7c502cf8e18a

      SHA1

      a9bdced81988fbb6582a4b494c81326af9667c60

      SHA256

      b0974e1edf38af3a25f89fd45e71d0d3aff8da219addd4d0707e30af51fdb47f

      SHA512

      dd8135516be87008e421be0138ee6da3266b762ae999e06f1f8d517f4dc159bc3e5087e9e5c5fa212c36da1baca353831bc22da9d4343e8f2a5937da3c0951b0

      Download Submit

    • \??\Volume{69d1985d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e60c607b-ae8b-4b5b-bd05-e2930826a5fc}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      8a0cbdf5ade9e94ea4f1a2ce76a7feef

      SHA1

      d0613e8dfab2ef871113c9721698b62122bbda0f

      SHA256

      844e4c355bd7537715a4267755ef2990c99b86d90ad323211cea6e746dbb2234

      SHA512

      3feb91b1c933cc0b2703cb64ef2c8bba87a0299e7418da84ddb224cf61b48d5375e3ce30891f67667f9ea061ec839baf1d34ff039efc0af698176efb98d077e6

      Download Submit

    • memory/1988-39-0x000000002BDA0000-0x000000002BF5A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1988-37-0x000000002BDA0000-0x000000002BF5A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1988-140-0x000000002BDA0000-0x000000002BF5A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1988-142-0x000000002BDA0000-0x000000002BF5A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/1988-144-0x000000002BDA0000-0x000000002BF5A000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3664-21-0x000000002A440000-0x000000002A45C000-memory.dmp

      Filesize

      112KB

      Download