f1d1c41d4b24034053d113fe36dd6f09bf5eb911bb82a306dbdcabf8ce59586f

Analysis

max time kernel
93s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YoudaoDict_fanyiweb.msi
Size

97.0MB
MD5

c449213ac5154245691aff29f55965bc
SHA1

2929b4dead1f2a55a04c3e7266d778609106fa34
SHA256

f1d1c41d4b24034053d113fe36dd6f09bf5eb911bb82a306dbdcabf8ce59586f
SHA512

9ad2d80d1188eaff7045f1585ce89f4ab238c512dac28aab6591419868d25d33d59e6a7a48d503a5360e98744747a16c5c1b6fd4a672f47a558d0c44336f8929
SSDEEP

3145728:uu0rtaVQdpmRzMODflSma6ZjNY6izXHg0i:caiWRzMgS8oXA0i

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\有道词典\有道词典\有道词典\Apack.dll	msiexec.exe
File created	C:\Program Files (x86)\有道词典\有道词典\有道词典\YoudaoDict_fanyiweb_navigation.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57ec25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECA2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{628D0BF9-BD83-4D3E-A4CA-AB4FDBD40155}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ec25.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEDAD.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF01F.tmp	msiexec.exe

Loads dropped DLL 10 IoCs

pid	Process
4484	MsiExec.exe
4484	MsiExec.exe
4484	MsiExec.exe
4484	MsiExec.exe
4484	MsiExec.exe
4484	MsiExec.exe
1372	MsiExec.exe
1372	MsiExec.exe
4056	MsiExec.exe
4056	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4988	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a54fc9f1d525247c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a54fc9f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a54fc9f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da54fc9f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a54fc9f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2424	msiexec.exe
2424	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	2424	msiexec.exe
Token: SeCreateTokenPrivilege	4988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4988	msiexec.exe
Token: SeLockMemoryPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeMachineAccountPrivilege	4988	msiexec.exe
Token: SeTcbPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4988	msiexec.exe
Token: SeTakeOwnershipPrivilege	4988	msiexec.exe
Token: SeLoadDriverPrivilege	4988	msiexec.exe
Token: SeSystemProfilePrivilege	4988	msiexec.exe
Token: SeSystemtimePrivilege	4988	msiexec.exe
Token: SeProfSingleProcessPrivilege	4988	msiexec.exe
Token: SeIncBasePriorityPrivilege	4988	msiexec.exe
Token: SeCreatePagefilePrivilege	4988	msiexec.exe
Token: SeCreatePermanentPrivilege	4988	msiexec.exe
Token: SeBackupPrivilege	4988	msiexec.exe
Token: SeRestorePrivilege	4988	msiexec.exe
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeDebugPrivilege	4988	msiexec.exe
Token: SeAuditPrivilege	4988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4988	msiexec.exe
Token: SeChangeNotifyPrivilege	4988	msiexec.exe
Token: SeRemoteShutdownPrivilege	4988	msiexec.exe
Token: SeUndockPrivilege	4988	msiexec.exe
Token: SeSyncAgentPrivilege	4988	msiexec.exe
Token: SeEnableDelegationPrivilege	4988	msiexec.exe
Token: SeManageVolumePrivilege	4988	msiexec.exe
Token: SeImpersonatePrivilege	4988	msiexec.exe
Token: SeCreateGlobalPrivilege	4988	msiexec.exe
Token: SeCreateTokenPrivilege	4988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4988	msiexec.exe
Token: SeLockMemoryPrivilege	4988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4988	msiexec.exe
Token: SeMachineAccountPrivilege	4988	msiexec.exe
Token: SeTcbPrivilege	4988	msiexec.exe
Token: SeSecurityPrivilege	4988	msiexec.exe
Token: SeTakeOwnershipPrivilege	4988	msiexec.exe
Token: SeLoadDriverPrivilege	4988	msiexec.exe
Token: SeSystemProfilePrivilege	4988	msiexec.exe
Token: SeSystemtimePrivilege	4988	msiexec.exe
Token: SeProfSingleProcessPrivilege	4988	msiexec.exe
Token: SeIncBasePriorityPrivilege	4988	msiexec.exe
Token: SeCreatePagefilePrivilege	4988	msiexec.exe
Token: SeCreatePermanentPrivilege	4988	msiexec.exe
Token: SeBackupPrivilege	4988	msiexec.exe
Token: SeRestorePrivilege	4988	msiexec.exe
Token: SeShutdownPrivilege	4988	msiexec.exe
Token: SeDebugPrivilege	4988	msiexec.exe
Token: SeAuditPrivilege	4988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4988	msiexec.exe
Token: SeChangeNotifyPrivilege	4988	msiexec.exe
Token: SeRemoteShutdownPrivilege	4988	msiexec.exe
Token: SeUndockPrivilege	4988	msiexec.exe
Token: SeSyncAgentPrivilege	4988	msiexec.exe
Token: SeEnableDelegationPrivilege	4988	msiexec.exe
Token: SeManageVolumePrivilege	4988	msiexec.exe
Token: SeImpersonatePrivilege	4988	msiexec.exe
Token: SeCreateGlobalPrivilege	4988	msiexec.exe
Token: SeCreateTokenPrivilege	4988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4988	msiexec.exe
Token: SeLockMemoryPrivilege	4988	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4988	msiexec.exe
4988	msiexec.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4484	2424	msiexec.exe	84
PID 2424 wrote to memory of 4484	2424	msiexec.exe	84
PID 2424 wrote to memory of 4484	2424	msiexec.exe	84
PID 2424 wrote to memory of 2492	2424	msiexec.exe	95
PID 2424 wrote to memory of 2492	2424	msiexec.exe	95
PID 2424 wrote to memory of 1372	2424	msiexec.exe	97
PID 2424 wrote to memory of 1372	2424	msiexec.exe	97
PID 2424 wrote to memory of 1372	2424	msiexec.exe	97
PID 2424 wrote to memory of 4056	2424	msiexec.exe	98
PID 2424 wrote to memory of 4056	2424	msiexec.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0DC46E9C1D584A5CD5F560F5392C42D5 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4484
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4A63BD4BBEEF053C17FB96AC5CB878A0
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 490C7592FE5B8CB776D665D69CE37EF5
  2⤵
  - Loads dropped DLL
  PID:4056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ec26.rbs

Filesize
27KB

MD5
434285dcb6b9cb8eca31060be28f02ba

SHA1
fdab3107537374957eaa7e4dadd8ddb989380772

SHA256
727d28b3f024e3c7db86bb7d7a9cde351b421b084dd15570a16d759e21f46777

SHA512
60c235198b790cb0c83b5f91872142b709271085e647c7959959a5a2ba16b86982d66b0250d04b84286966c17305be1f580b9b79a191ae1e1ef7de39c18a7c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9693.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSIF3C9.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
14bfb0f9a60b9f227e315cde8c5b5437

SHA1
f1545e9a9950937f2d19a5542dc0b55de28411db

SHA256
9f76e703b42b5e8246632e12c0d411d9b2446ac75f31b6a7d77b997130e68b0e

SHA512
afbbbfc0a4fe92915663283b39f48fb6de7175f007f12cb2a3e6882d4ac3397848340a94c449293e9ca48c94f8c4aa3c5daa9d852c2fe4d1e0ea794e38569194

Download Submit
\??\Volume{f1c94fa5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e2cf0c43-f2a3-4613-be70-b25bcae1e8fc}_OnDiskSnapshotProp

Filesize
6KB

MD5
a3c1713059313cbe76c679080f9637bd

SHA1
79f31e160979301c4b9c8881f3fc5cccf8e30997

SHA256
c7fde99f26b6c49b1acf2847b75a18b8990eb5f802e784f321c608f9d5f9545f

SHA512
d21552b9516190d9388f3aed7d9cc457665c514f8f47aac77d230c84cf4e3213653c490a5aa685c68b74c79432bf25a233ba3b25523b64dc06c3cf37c378cea5

Download Submit