Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2024 06:20

Static task: static1

Behavioral task: behavioral1
  Sample: YoudaoDict_fanyiweb_navigation.msi
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: YoudaoDict_fanyiweb_navigation.msi
  Resource: win10v2004-20240802-en

General

Target: YoudaoDict_fanyiweb_navigation.msi
Size: 114.3MB
MD5: 8634adb0215e3a90751fb0cbca90becd
SHA1: 4d3cd1399e78730ebcb46bd0d6a6ad6a5dc1e620
SHA256: 2c612c1987f1932d71b725d7294fd5d81aba0476ec0948812a54ff0a9db4c53c
SHA512: 4e9d823e71a7be6251aac61c67641acd8a2c14fb227de9a45c7cf3d6a7cc9289e13457dbfe2c79ac8c8dd78e84f4798e98f484c5b4329f1c06424119fa375dcd
SSDEEP: 3145728:UYP/W8g21cAIPkqjyInzEmbMUo0B2TPZVxLR:U+HgOcPsq/VMjg2NN
Malware Config
Signatures
YARA match: purplefox_rootkit

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3120-167-0x000000002BA40000-0x000000002BBFB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/3120-169-0x000000002BA40000-0x000000002BBFB000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/3120-170-0x000000002BA40000-0x000000002BBFB000-memory.dmp | purplefox_rootkit |
Gh0st RAT payload 3 IoCs

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/3120-167-0x000000002BA40000-0x000000002BBFB000-memory.dmp | family_gh0strat |
| behavioral2/memory/3120-169-0x000000002BA40000-0x000000002BBFB000-memory.dmp | family_gh0strat |
| behavioral2/memory/3120-170-0x000000002BA40000-0x000000002BBFB000-memory.dmp | family_gh0strat |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\B: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\X: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\M: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\N: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\A: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\H: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\L: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\I: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\Q: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\Y: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\G: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\R: | msiexec.exe |
| File opened (read-only) | \??\W: | msiexec.exe |
| File opened (read-only) | \??\V: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\U: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\W: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\J: | msiexec.exe |
| File opened (read-only) | \??\M: | msiexec.exe |
| File opened (read-only) | \??\H: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\J: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\K: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\L: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\N: | msiexec.exe |
| File opened (read-only) | \??\O: | msiexec.exe |
| File opened (read-only) | \??\T: | msiexec.exe |
| File opened (read-only) | \??\T: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\X: | msiexec.exe |
| File opened (read-only) | \??\Z: | msiexec.exe |
| File opened (read-only) | \??\S: | msiexec.exe |
| File opened (read-only) | \??\O: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\P: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\Q: | msiexec.exe |
| File opened (read-only) | \??\Y: | msiexec.exe |
| File opened (read-only) | \??\U: | msiexec.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\P: | msiexec.exe |
| File opened (read-only) | \??\V: | msiexec.exe |
| File opened (read-only) | \??\R: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\B: | msiexec.exe |
| File opened (read-only) | \??\K: | msiexec.exe |
| File opened (read-only) | \??\E: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\Z: | ekWKvevMHU4.exe |
| File opened (read-only) | \??\I: | msiexec.exe |
| File opened (read-only) | \??\E: | msiexec.exe |
Drops file in System32 directory 1 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EYbkmfmiNjLT.exe.log | EYbkmfmiNjLT.exe |
Drops file in Program Files directory 14 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.xml | vsIUYhBxXQGE.exe |
| File created | C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe | vsIUYhBxXQGE.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe | vsIUYhBxXQGE.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy | ekWKvevMHU4.exe |
| File created | C:\Program Files\ExpandConnectorHappy\node.dll | msiexec.exe |
| File created | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.xml | vsIUYhBxXQGE.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe | vsIUYhBxXQGE.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.wrapper.log | EYbkmfmiNjLT.exe |
| File created | C:\Program Files\ExpandConnectorHappy\vsIUYhBxXQGE.exe | msiexec.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.wrapper.log | EYbkmfmiNjLT.exe |
| File created | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe | vsIUYhBxXQGE.exe |
| File created | C:\Program Files\ExpandConnectorHappy\YoudaoDict_fanyiweb_navigation.exe | msiexec.exe |
| File opened for modification | C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.wrapper.log | EYbkmfmiNjLT.exe |
| File created | C:\Program Files\ExpandConnectorHappy\MfwQXuOCukyLkKcAGzRa | msiexec.exe |
Drops file in Windows directory 8 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe |
| File created | C:\Windows\Installer\SourceHash{D9333B47-F2D2-4E5E-8842-FA00A976F68F} | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI1D0.tmp | msiexec.exe |
| File created | C:\Windows\Installer\e57ff03.msi | msiexec.exe |
| File created | C:\Windows\Installer\e57ff01.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\e57ff01.msi | msiexec.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe |
Executes dropped EXE 8 IoCs

| pid | Process |
| --- | --- |
| 1668 | vsIUYhBxXQGE.exe |
| 4836 | ekWKvevMHU4.exe |
| 2672 | EYbkmfmiNjLT.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 4800 | EYbkmfmiNjLT.exe |
| 3508 | EYbkmfmiNjLT.exe |
| 4748 | ekWKvevMHU4.exe |
| 3120 | ekWKvevMHU4.exe |
Loads dropped DLL 6 IoCs

| pid | Process |
| --- | --- |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
| 764 | YoudaoDict_fanyiweb_navigation.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

| pid | Process |
| --- | --- |
| 1520 | msiexec.exe |
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ekWKvevMHU4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ekWKvevMHU4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vsIUYhBxXQGE.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ekWKvevMHU4.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | YoudaoDict_fanyiweb_navigation.exe |
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.

All keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\

| description | ioc | Process |
| --- | --- | --- |
| Set value (data) | Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe |
| Key opened | Device Parameters | vssvc.exe |
| Key queried | Device Parameters | vssvc.exe |
| Key created | Device Parameters\Partmgr | vssvc.exe |
| Set value (data) | Device Parameters\Partmgr\PartitionTableCache = [value elided in the captured report] | vssvc.exe |
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ekWKvevMHU4.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ekWKvevMHU4.exe |
Modifies data under HKEY_USERS 10 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe |
Modifies registry class 22 IoCs

All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\ and every entry was made by msiexec.exe.

| description | ioc | Process |
| --- | --- | --- |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\Assignment = "1" | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\DeploymentFlags = "3" | msiexec.exe |
| Set value (str) | UpgradeCodes\A6C868ECB8AC492488BE0F0440837C4B\74B3339D2D2FE5E48824AF009A676FF8 | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\PackageName = "YoudaoDict_fanyiweb_navigation.msi" | msiexec.exe |
| Key created | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\Net | msiexec.exe |
| Key created | Products\74B3339D2D2FE5E48824AF009A676FF8 | msiexec.exe |
| Set value (str) | Features\74B3339D2D2FE5E48824AF009A676FF8\ProductFeature | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\AuthorizedLUAApp = "0" | msiexec.exe |
| Key created | UpgradeCodes\A6C868ECB8AC492488BE0F0440837C4B | msiexec.exe |
| Key created | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\Media | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\Media\1 = ";" | msiexec.exe |
| Set value (data) | Products\74B3339D2D2FE5E48824AF009A676FF8\Clients = 3a0000000000 | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Key created | Features\74B3339D2D2FE5E48824AF009A676FF8 | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\InstanceType = "0" | msiexec.exe |
| Key created | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\Language = "1033" | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\PackageCode = "4AC3A2656E5684D44B5A4DE675AC5AD3" | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\Version = "50593795" | msiexec.exe |
| Set value (int) | Products\74B3339D2D2FE5E48824AF009A676FF8\AdvertiseFlags = "388" | msiexec.exe |
| Set value (str) | Products\74B3339D2D2FE5E48824AF009A676FF8\ProductName = "ExpandConnectorHappy" | msiexec.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs

The 64 listed entries, in order, grouped by process (count = number of consecutive entries for that pid):

| pid | Process | count |
| --- | --- | --- |
| 3484 | msiexec.exe | 2 |
| 4836 | ekWKvevMHU4.exe | 2 |
| 3508 | EYbkmfmiNjLT.exe | 1 |
| 4748 | ekWKvevMHU4.exe | 4 |
| 3120 | ekWKvevMHU4.exe | 55 (all remaining entries) |
Suspicious use of AdjustPrivilegeToken 64 IoCs

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 1520 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1520 | msiexec.exe |
| Token: SeSecurityPrivilege | 3484 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 1520 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1520 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 1520 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1520 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 1520 | msiexec.exe |
| Token: SeTcbPrivilege | 1520 | msiexec.exe |
| Token: SeSecurityPrivilege | 1520 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1520 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 1520 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 1520 | msiexec.exe |
| Token: SeSystemtimePrivilege | 1520 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 1520 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 1520 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 1520 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 1520 | msiexec.exe |
| Token: SeBackupPrivilege | 1520 | msiexec.exe |
| Token: SeRestorePrivilege | 1520 | msiexec.exe |
| Token: SeShutdownPrivilege | 1520 | msiexec.exe |
| Token: SeDebugPrivilege | 1520 | msiexec.exe |
| Token: SeAuditPrivilege | 1520 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 1520 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 1520 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 1520 | msiexec.exe |
| Token: SeUndockPrivilege | 1520 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 1520 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 1520 | msiexec.exe |
| Token: SeManageVolumePrivilege | 1520 | msiexec.exe |
| Token: SeImpersonatePrivilege | 1520 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 1520 | msiexec.exe |
| Token: SeBackupPrivilege | 3704 | vssvc.exe |
| Token: SeRestorePrivilege | 3704 | vssvc.exe |
| Token: SeAuditPrivilege | 3704 | vssvc.exe |
| Token: SeBackupPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeBackupPrivilege | 3336 | srtasks.exe |
| Token: SeRestorePrivilege | 3336 | srtasks.exe |
| Token: SeSecurityPrivilege | 3336 | srtasks.exe |
| Token: SeTakeOwnershipPrivilege | 3336 | srtasks.exe |
| Token: SeBackupPrivilege | 3336 | srtasks.exe |
| Token: SeRestorePrivilege | 3336 | srtasks.exe |
| Token: SeSecurityPrivilege | 3336 | srtasks.exe |
| Token: SeTakeOwnershipPrivilege | 3336 | srtasks.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 3484 | msiexec.exe |
| Token: SeRestorePrivilege | 3484 | msiexec.exe |
Suspicious use of FindShellTrayWindow 2 IoCs

| pid | Process |
| --- | --- |
| 1520 | msiexec.exe |
| 1520 | msiexec.exe |
Suspicious use of WriteProcessMemory 19 IoCs

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 3484 wrote to memory of 3336 | 3484 | msiexec.exe | 92 |
| PID 3484 wrote to memory of 3336 | 3484 | msiexec.exe | 92 |
| PID 3484 wrote to memory of 2524 | 3484 | msiexec.exe | 96 |
| PID 3484 wrote to memory of 2524 | 3484 | msiexec.exe | 96 |
| PID 2524 wrote to memory of 1668 | 2524 | MsiExec.exe | 97 |
| PID 2524 wrote to memory of 1668 | 2524 | MsiExec.exe | 97 |
| PID 2524 wrote to memory of 1668 | 2524 | MsiExec.exe | 97 |
| PID 2524 wrote to memory of 4836 | 2524 | MsiExec.exe | 99 |
| PID 2524 wrote to memory of 4836 | 2524 | MsiExec.exe | 99 |
| PID 2524 wrote to memory of 4836 | 2524 | MsiExec.exe | 99 |
| PID 2524 wrote to memory of 764 | 2524 | MsiExec.exe | 100 |
| PID 2524 wrote to memory of 764 | 2524 | MsiExec.exe | 100 |
| PID 2524 wrote to memory of 764 | 2524 | MsiExec.exe | 100 |
| PID 3508 wrote to memory of 4748 | 3508 | EYbkmfmiNjLT.exe | 106 |
| PID 3508 wrote to memory of 4748 | 3508 | EYbkmfmiNjLT.exe | 106 |
| PID 3508 wrote to memory of 4748 | 3508 | EYbkmfmiNjLT.exe | 106 |
| PID 4748 wrote to memory of 3120 | 4748 | ekWKvevMHU4.exe | 107 |
| PID 4748 wrote to memory of 3120 | 4748 | ekWKvevMHU4.exe | 107 |
| PID 4748 wrote to memory of 3120 | 4748 | ekWKvevMHU4.exe | 107 |
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Process tree (indentation shows parent/child relationship; each entry lists the image path, the command line, the PID and the signatures triggered by that process):

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.msi
  PID: 1520
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3484
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3336
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 74F28E4E1950251EB2197419CD352485 E Global\MSI0000
      PID: 2524
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Program Files\ExpandConnectorHappy\vsIUYhBxXQGE.exe
          Command line: "C:\Program Files\ExpandConnectorHappy\vsIUYhBxXQGE.exe" x "C:\Program Files\ExpandConnectorHappy\MfwQXuOCukyLkKcAGzRa" -o"C:\Program Files\ExpandConnectorHappy\" -pmGBkxYsXraIZsNILlsWU -y
          PID: 1668
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe
          Command line: "C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe" -number 150 -file file3 -mode mode3 -flag flag3
          PID: 4836
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\ExpandConnectorHappy\YoudaoDict_fanyiweb_navigation.exe
          Command line: "C:\Program Files\ExpandConnectorHappy\YoudaoDict_fanyiweb_navigation.exe"
          PID: 764
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3704
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe
  Command line: "C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe" install
  PID: 2672
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe
  Command line: "C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe" start
  PID: 4800
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe
  Command line: "C:\Program Files\ExpandConnectorHappy\EYbkmfmiNjLT.exe"
  PID: 3508
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe
      Command line: "C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe" -number 155 -file file3 -mode mode3 -flag flag3
      PID: 4748
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe
          Command line: "C:\Program Files\ExpandConnectorHappy\ekWKvevMHU4.exe" -number 362 -file file3 -mode mode3 -flag flag3
          PID: 3120
          - Enumerates connected drives
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7KB
  MD5: 44e6b97abf8d1327ba3f1c8a9c0c1194
  SHA1: ddbe57c3cf6e4e7b43acafe96ee37c60715a113f
  SHA256: 4b7dc932d06b2a2863894aeaaecabc4bc91ef39ef40690f5957ccad55c154d71
  SHA512: 5467f627f31b329f3a537ab4a694c1baff1270e9abc42df1a68f2c1f05b5518ccde917833e905260184bd87be9b425fd5ffae683e9688651a2583298f2c235b6

- Filesize: 832KB
  MD5: d305d506c0095df8af223ac7d91ca327
  SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
  SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
  SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

- Filesize: 264B
  MD5: 5d7bf694ce1f8f7f8f3a0c2d575104a8
  SHA1: ef6fa8dc6ed08263371ffc1f0ec6ae34f8e905e5
  SHA256: 3d04ce69e44c090b6cab5c172a255faabd78a4b601609169361a8a186d84b3ad
  SHA512: 4098550c6749eb542f6af7a6ade8bcbe9175f15971c2682e93a94f1677638fade5c0f715793f3d156dafea316c8df2a5dac4106e756fe9b4d215b7534f3b64bd

- Filesize: 419B
  MD5: 54aec951904847ffa6b9844caef21363
  SHA1: 475aa6359528d2708c73d491deefbbfbe8310962
  SHA256: 2b37b894e6e53e4ea8e220bee8fa19e294e2a49a74b632ab77c4cd3c6b4ab1cf
  SHA512: 04c318170433ce214d2fcee3b74d896a04541c42dd733defd4e6d995744f4372bd0c5a617e144c564b0831a30e339a7317472abddef28ed2a4e0e99b49f99a22

- Filesize: 584B
  MD5: 3d219c20a9561fe691650451ba63e6cc
  SHA1: 6185c7911a5acdb2d804cdbc01d36b87b7a174cf
  SHA256: f110835b30b10b5526c539c3c0dd49acf8786db5063cc4219eef2f389ca42fa3
  SHA512: 9d6ed6cbff39f2054b93a4fbf5eec116d4421d0ca71f76c8e683ce3d15f2bdbf827fe0b7763d21033678a7469ccd73ba4d6330d508662cc7f395836d92634291

- Filesize: 728B
  MD5: 876caec61cd62b389749238f18138363
  SHA1: f8cea6e7f6353a54a9b888547a06c9094e4fd9bb
  SHA256: b821e17c8b13bdf5278deea3375ac537c3e7b7dc5b0c8b615203325f63cefd04
  SHA512: 057640f8a647cad2e5bd1250a5a6754f01b7c8eedc3a62624d19f91ad4b429716bb9799a5ab4da06fc7c91eae2afb94e1683188ebd5f7cc71cf7629817a18fc4

- Filesize: 435B
  MD5: 19a27351b13b551a41e93bd6a57ea8de
  SHA1: f5f51862b5de14714e6d815cdee7e6a1f2bc1208
  SHA256: 1a777cdbcf83ab27cfe86df9993bb4e7bc37ed22a44c5c6311b3d2d72758b6cf
  SHA512: b27404ac93a25d7bdf9f30720ab77f36ba41d58155d8f541ddab2034a93ced93202d7b8bf20a7615bee70ef617ae13978f1ff9c13f92f636fce64868c895f282

- Filesize: 1.9MB
  MD5: 06fd2e4e815c5f57748835bace0a2b41
  SHA1: 049e1690422249659e7b4e0ee9e118ad5db9e080
  SHA256: ed089d47b597d2cf4a712a0d3545dcd17a7ec52955525d9c337c6aa5a032ee40
  SHA512: 343d7ce78f325bb5876e278a06cfb122cb14b6e46b2a6f0de7a874fa8fea9fa743e0447f6ceae6922ed8c5116248bde0129f53a7549a944599311a049b7806ff

- Filesize: 3.2MB
  MD5: e8aac7ae25fadc0cdac93ea19c6b4aeb
  SHA1: 1c78766f43e23add4768dfffe2624510ce71d50d
  SHA256: 2dfaf798d43d3f7a873a3127678465d7b6fca11f68b6aa01c6ef34a7bfcdfaa9
  SHA512: 2fe1ec405cd8a4a2bb0326d715f7a14134876e18e879f48129fd9751852c2866400cb5b0b6406b78648072e49cf00a73eeb3aba5849f2fab23d4443b292d8f91

- Filesize: 574KB
  MD5: 42badc1d2f03a8b1e4875740d3d49336
  SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
  SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
  SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

- Filesize: 95KB
  MD5: 5a94bf8916a11b5fe94aca44886c9393
  SHA1: 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93
  SHA256: 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d
  SHA512: 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20

- Filesize: 48KB
  MD5: 765cf74fc709fb3450fa71aac44e7f53
  SHA1: b423271b4faac68f88fef15fa4697cf0149bad85
  SHA256: cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e
  SHA512: 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6

- Filesize: 4KB
  MD5: 29818862640ac659ce520c9c64e63e9e
  SHA1: 485e1e6cc552fa4f05fb767043b1e7c9eb80be64
  SHA256: e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb
  SHA512: ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

- Filesize: 11KB
  MD5: bf712f32249029466fa86756f5546950
  SHA1: 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
  SHA256: 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
  SHA512: 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

- Filesize: 38KB
  MD5: dab018047c171165c18329d5c59b617e
  SHA1: 88848ac4aceb7358f13d225de6d4fd0a5696517a
  SHA256: 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734
  SHA512: 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d

- Filesize: 38KB
  MD5: 5f7b90c87ea0517771862fae5f11ce94
  SHA1: fc9f195e888d960139278c04a0e78996c6442d5b
  SHA256: f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2
  SHA512: dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0

- Filesize: 3KB
  MD5: 5754c67775c3f4f50a4780b3bca026b1
  SHA1: 3e95c72c13d6175ef275280fe270d678acee46e9
  SHA256: 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739
  SHA512: df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f

- Filesize: 9KB
  MD5: 4ccc4a742d4423f2f0ed744fd9c81f63
  SHA1: 704f00a1acc327fd879cf75fc90d0b8f927c36bc
  SHA256: 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
  SHA512: 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

- Filesize: 908KB
  MD5: 6d20c27bc3168af9c076b459f1da05dc
  SHA1: d49795bc5ec392f5da3a65958bc8bd2dbaaddcfe
  SHA256: da8894cbad7c440ad992416421611071d9b82cda3a3c8287f7c1d75c0386f468
  SHA512: e4233a72e59bd1f7ee0dc4559ef06b360025e52414c2d6f4ee317e5c193109c1e4be70fc89e74e4a6061035c7e18b97e61ab96716b4ab0ab997b178bcef9d7bb

- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EYbkmfmiNjLT.exe.log
  Filesize: 1KB
  MD5: 122cf3c4f3452a55a92edee78316e071
  SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
  SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
  SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

- Filesize: 23.7MB
  MD5: bd46a02ae178e2a010ac9376e4480f2f
  SHA1: ab5401d63d08c875e0fca989fc81cb4d7730d635
  SHA256: dac2e1b94c16640648cc503da7c76b23b816c58a646f97cd15427f74546d1ccf
  SHA512: 17ff402ad77a52f37a82140f58c08fec88e6cb3c1e51752875b372681e797ab3853ea58ded0c0f2761f49785c760ccc6c3b439028d7ea9a2c874c372f03a015a

- \??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{972017d5-42c4-4672-9ae9-56a6ac1fbcad}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 817ebca354062a01b5b9757e48535742
  SHA1: 34e0fac410d2492d2fd37e540f344eaa15ea0441
  SHA256: c435351afb1a53eeb833090ef78ec3ce21380aa5091de4c6b3a5a8878c1fbf34
  SHA512: a352b1b7d64ec2a0f656edd5940710e9ede48c6ab931468e35251981c13217178937ade1aa7b300d2386708cc2ac831962a6d50cbcc509bc81270800d2b38428