Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2024 09:02
Static task: static1
Behavioral task: behavioral1
  Sample: YoudaoDict_fanyiweb_navigation.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: YoudaoDict_fanyiweb_navigation.msi
  Resource: win10v2004-20240802-en
General
Target: YoudaoDict_fanyiweb_navigation.msi
Size: 136.4MB
MD5: 5e0ae252dac3cd6f373b22196b777bef
SHA1: a8882dfe7c20d90182680a097a579eb8dbe68705
SHA256: 89f508689ba3884477bd37d9bfa1ba5f6be1cb1f1d18f3d9bb56ff18d0c315ce
SHA512: 657c8dff4e56007cd144ba9aba020bb58dcfbed62a76f24c5409f76f63a25f56ae2918fe3c2753008eac5be4b8b3742ecd1925b7ff6fe39cc3408409d3b52fb9
SSDEEP: 3145728:VNflHHLhwYc7Hd2C5lI2I8OEq9NPjWa/3sn3CJGWn1tTx5cYw:VJlHH9wYKdz7I29OJzPNCCws1TC
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3472-165-0x000000002B890000-0x000000002BA4B000-memory.dmp | purplefox_rootkit
behavioral2/memory/3472-167-0x000000002B890000-0x000000002BA4B000-memory.dmp | purplefox_rootkit
behavioral2/memory/3472-170-0x000000002B890000-0x000000002BA4B000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral2/memory/3472-165-0x000000002B890000-0x000000002BA4B000-memory.dmp | family_gh0strat
behavioral2/memory/3472-167-0x000000002B890000-0x000000002BA4B000-memory.dmp | family_gh0strat
behavioral2/memory/3472-170-0x000000002B890000-0x000000002BA4B000-memory.dmp | family_gh0strat
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | BtKrHWYQcg4.exe
File opened (read-only) | \??\K: | BtKrHWYQcg4.exe
File opened (read-only) | \??\P: | BtKrHWYQcg4.exe
File opened (read-only) | \??\Z: | BtKrHWYQcg4.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | BtKrHWYQcg4.exe
File opened (read-only) | \??\N: | BtKrHWYQcg4.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Y: | BtKrHWYQcg4.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | BtKrHWYQcg4.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | BtKrHWYQcg4.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\O: | BtKrHWYQcg4.exe
File opened (read-only) | \??\R: | BtKrHWYQcg4.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | BtKrHWYQcg4.exe
File opened (read-only) | \??\X: | BtKrHWYQcg4.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\S: | BtKrHWYQcg4.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | BtKrHWYQcg4.exe
File opened (read-only) | \??\H: | BtKrHWYQcg4.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | BtKrHWYQcg4.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Q: | BtKrHWYQcg4.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | BtKrHWYQcg4.exe
File opened (read-only) | \??\V: | BtKrHWYQcg4.exe
File opened (read-only) | \??\U: | BtKrHWYQcg4.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\G: | BtKrHWYQcg4.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe | ytVmWffRazCj.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.wrapper.log | DiBpAPdZHEfb.exe
File created | C:\Program Files\ProvideBrokerFearless\dyCPqIGaifpMGXHxudpD | msiexec.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe | ytVmWffRazCj.exe
File created | C:\Program Files\ProvideBrokerFearless\MOELauncherSetup_V0TKW.exe | msiexec.exe
File created | C:\Program Files\ProvideBrokerFearless\YoudaoDict_fanyiweb_navigation.exe | msiexec.exe
File created | C:\Program Files\ProvideBrokerFearless\ytVmWffRazCj.exe | msiexec.exe
File created | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.xml | ytVmWffRazCj.exe
File created | C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe | ytVmWffRazCj.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless | BtKrHWYQcg4.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.wrapper.log | DiBpAPdZHEfb.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.xml | ytVmWffRazCj.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe | ytVmWffRazCj.exe
File opened for modification | C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.wrapper.log | DiBpAPdZHEfb.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI16DE.tmp | msiexec.exe
File created | C:\Windows\Installer\e5813f2.msi | msiexec.exe
File created | C:\Windows\Installer\e5813f0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5813f0.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{450193B3-61FD-4CBB-9C6C-929A880DAF92} | msiexec.exe
Executes dropped EXE 8 IoCs
pid | Process
1168 | ytVmWffRazCj.exe
1104 | BtKrHWYQcg4.exe
724 | DiBpAPdZHEfb.exe
60 | YoudaoDict_fanyiweb_navigation.exe
3104 | DiBpAPdZHEfb.exe
4884 | DiBpAPdZHEfb.exe
1284 | BtKrHWYQcg4.exe
3472 | BtKrHWYQcg4.exe
Loads dropped DLL 6 IoCs
pid | Process
60 | YoudaoDict_fanyiweb_navigation.exe
60 | YoudaoDict_fanyiweb_navigation.exe
60 | YoudaoDict_fanyiweb_navigation.exe
60 | YoudaoDict_fanyiweb_navigation.exe
60 | YoudaoDict_fanyiweb_navigation.exe
60 | YoudaoDict_fanyiweb_navigation.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2824 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BtKrHWYQcg4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ytVmWffRazCj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BtKrHWYQcg4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YoudaoDict_fanyiweb_navigation.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BtKrHWYQcg4.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | BtKrHWYQcg4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | BtKrHWYQcg4.exe
Modifies data under HKEY_USERS 13 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | BtKrHWYQcg4.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | BtKrHWYQcg4.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | BtKrHWYQcg4.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3B391054DF16BBC4C9C629A988D0FA29\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8A4DC99527F1CD243A9B6DAB2D54867A\3B391054DF16BBC4C9C629A988D0FA29 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\PackageCode = "825AD7E6D00B41F4092AF66CE4F50FC0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\Version = "151060481" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\8A4DC99527F1CD243A9B6DAB2D54867A | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\PackageName = "YoudaoDict_fanyiweb_navigation.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3B391054DF16BBC4C9C629A988D0FA29 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\ProductName = "ProvideBrokerFearless" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3B391054DF16BBC4C9C629A988D0FA29\DeploymentFlags = "3" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
1864 | msiexec.exe | 2
1104 | BtKrHWYQcg4.exe | 2
4884 | DiBpAPdZHEfb.exe | 2
1284 | BtKrHWYQcg4.exe | 4
3472 | BtKrHWYQcg4.exe | 54
(64 entries in total, grouped here by pid; the original table lists each entry separately)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2824 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2824 | msiexec.exe
Token: SeSecurityPrivilege | 1864 | msiexec.exe
Token: SeCreateTokenPrivilege | 2824 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2824 | msiexec.exe
Token: SeLockMemoryPrivilege | 2824 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2824 | msiexec.exe
Token: SeMachineAccountPrivilege | 2824 | msiexec.exe
Token: SeTcbPrivilege | 2824 | msiexec.exe
Token: SeSecurityPrivilege | 2824 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2824 | msiexec.exe
Token: SeLoadDriverPrivilege | 2824 | msiexec.exe
Token: SeSystemProfilePrivilege | 2824 | msiexec.exe
Token: SeSystemtimePrivilege | 2824 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2824 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2824 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2824 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2824 | msiexec.exe
Token: SeBackupPrivilege | 2824 | msiexec.exe
Token: SeRestorePrivilege | 2824 | msiexec.exe
Token: SeShutdownPrivilege | 2824 | msiexec.exe
Token: SeDebugPrivilege | 2824 | msiexec.exe
Token: SeAuditPrivilege | 2824 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2824 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2824 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2824 | msiexec.exe
Token: SeUndockPrivilege | 2824 | msiexec.exe
Token: SeSyncAgentPrivilege | 2824 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2824 | msiexec.exe
Token: SeManageVolumePrivilege | 2824 | msiexec.exe
Token: SeImpersonatePrivilege | 2824 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2824 | msiexec.exe
Token: SeBackupPrivilege | 4612 | vssvc.exe
Token: SeRestorePrivilege | 4612 | vssvc.exe
Token: SeAuditPrivilege | 4612 | vssvc.exe
Token: SeBackupPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1864 | msiexec.exe
Token: SeRestorePrivilege | 1864 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2824 | msiexec.exe
2824 | msiexec.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1864 wrote to memory of 3992 | 1864 | msiexec.exe | 100
PID 1864 wrote to memory of 3992 | 1864 | msiexec.exe | 100
PID 1864 wrote to memory of 1180 | 1864 | msiexec.exe | 102
PID 1864 wrote to memory of 1180 | 1864 | msiexec.exe | 102
PID 1864 wrote to memory of 1180 | 1864 | msiexec.exe | 102
PID 1180 wrote to memory of 1168 | 1180 | MsiExec.exe | 103
PID 1180 wrote to memory of 1168 | 1180 | MsiExec.exe | 103
PID 1180 wrote to memory of 1168 | 1180 | MsiExec.exe | 103
PID 1180 wrote to memory of 1104 | 1180 | MsiExec.exe | 105
PID 1180 wrote to memory of 1104 | 1180 | MsiExec.exe | 105
PID 1180 wrote to memory of 1104 | 1180 | MsiExec.exe | 105
PID 1180 wrote to memory of 60 | 1180 | MsiExec.exe | 106
PID 1180 wrote to memory of 60 | 1180 | MsiExec.exe | 106
PID 1180 wrote to memory of 60 | 1180 | MsiExec.exe | 106
PID 4884 wrote to memory of 1284 | 4884 | DiBpAPdZHEfb.exe | 112
PID 4884 wrote to memory of 1284 | 4884 | DiBpAPdZHEfb.exe | 112
PID 4884 wrote to memory of 1284 | 4884 | DiBpAPdZHEfb.exe | 112
PID 1284 wrote to memory of 3472 | 1284 | BtKrHWYQcg4.exe | 113
PID 1284 wrote to memory of 3472 | 1284 | BtKrHWYQcg4.exe | 113
PID 1284 wrote to memory of 3472 | 1284 | BtKrHWYQcg4.exe | 113
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe (PID 2824)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1864)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 3992)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\syswow64\MsiExec.exe (PID 1180)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 90C38518AF659E74F27E5968ADB94BF2 E Global\MSI0000
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Program Files\ProvideBrokerFearless\ytVmWffRazCj.exe (PID 1168)
      Command line: "C:\Program Files\ProvideBrokerFearless\ytVmWffRazCj.exe" x "C:\Program Files\ProvideBrokerFearless\dyCPqIGaifpMGXHxudpD" -o"C:\Program Files\ProvideBrokerFearless\" -pjgNXmLXevyMZUbQgvJBp -y
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe (PID 1104)
      Command line: "C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe" -number 206 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\ProvideBrokerFearless\YoudaoDict_fanyiweb_navigation.exe (PID 60)
      Command line: "C:\Program Files\ProvideBrokerFearless\YoudaoDict_fanyiweb_navigation.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 4612)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe (PID 724)
  Command line: "C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe" install
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe (PID 3104)
  Command line: "C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe (PID 4884)
  Command line: "C:\Program Files\ProvideBrokerFearless\DiBpAPdZHEfb.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe (PID 1284)
    Command line: "C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe" -number 248 -file file3 -mode mode3 -flag flag3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe (PID 3472)
      Command line: "C:\Program Files\ProvideBrokerFearless\BtKrHWYQcg4.exe" -number 362 -file file3 -mode mode3 -flag flag3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 2c4e7cf0d53258fe50454c1207ca53c0
SHA1: 7494858d1fb656833cb8f3a4f6a2778be674b923
SHA256: c08d4206420c4c6e7445d1d68ced258577af24fc6d7076a2d37a47ab5f5d4a78
SHA512: d1cabe779dd723fda5532ce2ca618fa2f0402c530290fe44ce84af57760fe0a9358226fead3844d819ba6246287f55d32d83f21784013b2763bbe5acb3c8e8b0

Filesize: 3.2MB
MD5: 7d9f488ced67ada533312513fc6dbd6a
SHA1: b1d4aa4613fd48274dd6808e200ab7d08e21c57e
SHA256: 3b98e68f11d11b2746e56bf4eb72a8c467574635e1a6c0f4d5142606288a2fb6
SHA512: 8410fef50eca91445d34e83a52fef2111577b0c167fe5fe80a449311a3154acc5a4c479595f3a092c4cbfb0cd6901b1ba817aa5cbab3bb3a23c80b4ddf676403

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 258B
MD5: 4c03a42e75a55f73d69c365826991150
SHA1: 4d45d42d03635452cd9c60715753ec02f2a504d1
SHA256: 632503a8ab659d992e2ce12708418357612671112998a4e4ad224c70a5687ef5
SHA512: d04b0c66d21ec722071f1960f244f8bedb200c6cdd8cd383beeb0970f88eef6e58538e7a3baa740bd6f19347bbc7b8e43b40d065e10cfe3f9c8b0ea248ed7931

Filesize: 474B
MD5: 7f2049220db9860f80cff01280d9a75f
SHA1: 1641e30317df70142aa9346c17f967a483b79844
SHA256: 1c0c5e034da6dc73cc298fc2ea3770a5dff6fe3f6afdffba9e1a23927a4443df
SHA512: 09c9488af638d3f8e3c962f6b9428f0563d46bfc2bd2feddc8df31eaac06949647e58990d8199ba0218e9a1a3d10ae9b6d2d3cac771005f2ff33fa06c2d17000

Filesize: 903B
MD5: 848b081615bdc338ca53b4986697cddb
SHA1: c3f840a4fc82c95e4dc986f23995b916db097ae2
SHA256: 6769e2341f0d5d455b73ae905b18aecec40cb8e4d400691723792bc725ed8998
SHA512: dfb75ea48adfbf282f7411605a06f4a83e726703a3e60e446c0423178ae5c1c64f0e9d33f20c2d07744716330ac3acc67ddbdf9f65d0910d3348cc27185686f8

Filesize: 430B
MD5: d73a9e906e59a8d9b76f48d5a49f3603
SHA1: e6cccc679f97421da0b040ec613360429c88075e
SHA256: 57fc081ff9d9e67edcd924585c8a51d7c680b26ad7c0a2c20b9d05aa03744f41
SHA512: 72887c3d47b0bc648eb44ed04df6168c0536a17d7853c36b5ca03004e35893af6629f05c57babf4151d60df66708e7321c72856dfd99eb21837ba050330afc57

Filesize: 1.9MB
MD5: 360b21de100afb1b2c3c842bc697752a
SHA1: 735cfd5645d93b075cf6982573712fe174d479a2
SHA256: d7601627796be81e71decfe9ab4f51d9c28af123b66aba3c59386c822ea2cad1
SHA512: 1232dd9fbce27aded3053ebb12b0d2007626a167de5d113bda502d40c22102d432cd3c4fea5f754de8a8d2bff530adc0536adc84fe40a32bd72859df954337d7

Filesize: 574KB
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 95KB
MD5: 5a94bf8916a11b5fe94aca44886c9393
SHA1: 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93
SHA256: 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d
SHA512: 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20

Filesize: 48KB
MD5: 765cf74fc709fb3450fa71aac44e7f53
SHA1: b423271b4faac68f88fef15fa4697cf0149bad85
SHA256: cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e
SHA512: 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6

Filesize: 4KB
MD5: 29818862640ac659ce520c9c64e63e9e
SHA1: 485e1e6cc552fa4f05fb767043b1e7c9eb80be64
SHA256: e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb
SHA512: ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

Filesize: 11KB
MD5: bf712f32249029466fa86756f5546950
SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Filesize: 38KB
MD5: dab018047c171165c18329d5c59b617e
SHA1: 88848ac4aceb7358f13d225de6d4fd0a5696517a
SHA256: 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734
SHA512: 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d

Filesize: 38KB
MD5: 5f7b90c87ea0517771862fae5f11ce94
SHA1: fc9f195e888d960139278c04a0e78996c6442d5b
SHA256: f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2
SHA512: dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0

Filesize: 3KB
MD5: 5754c67775c3f4f50a4780b3bca026b1
SHA1: 3e95c72c13d6175ef275280fe270d678acee46e9
SHA256: 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739
SHA512: df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f

Filesize: 9KB
MD5: 4ccc4a742d4423f2f0ed744fd9c81f63
SHA1: 704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256: 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512: 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Filesize: 908KB
MD5: 6d20c27bc3168af9c076b459f1da05dc
SHA1: d49795bc5ec392f5da3a65958bc8bd2dbaaddcfe
SHA256: da8894cbad7c440ad992416421611071d9b82cda3a3c8287f7c1d75c0386f468
SHA512: e4233a72e59bd1f7ee0dc4559ef06b360025e52414c2d6f4ee317e5c193109c1e4be70fc89e74e4a6061035c7e18b97e61ab96716b4ab0ab997b178bcef9d7bb

Filesize: 23.7MB
MD5: bd06e042b74c1f81f6231a8d8a1c8238
SHA1: 39ce988bb03006c4c8d10f165889d51266c1a657
SHA256: e9edd968c7f73ef3067fde90b7e77736feff58486823a944dd8b7a518d505136
SHA512: 97b1942b325412e8534a8f0bdbf64a91b1b4a07125933950538daf1bc9db5851afaef777be8cc915d4cc3f1873f11b0a335506683160f90a0273e24da4cef354

\??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f0d5531c-1175-4a84-a645-397fdd833757}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 655d842dd76af45da7fb72f99765ef14
SHA1: d70c4cb46d6e25c8e421ccbe165d5c7c9603008f
SHA256: f1c643140017a1675a0ad9ce3d546c0312a33419766517f5b50ab06e64b426e1
SHA512: a0a3a9db6112a76a29d9f9cb7a2e94d2668d740a0274c0385c73af0a133b1b6feb7c6b71fbc7cd31af3099538bb047c8f8c864ddfd4524b314c8fc5d8329ece1