f9e8de832dbf43733ea5f447aeb7ef232862e4a485ca86c5ce72307395b99ee0

Resubmissions

13/10/2024, 12:02

241013-n7wrfazfnm 6

13/10/2024, 11:47

241013-nxwzfszbrq 6

Analysis

max time kernel
299s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YoudaoDict_fanyiweb_navigation.msi
Size

187.0MB
MD5

70aeba0286a77763521f8c06a1cebf60
SHA1

24af28f2b995668258e108dd44bc4c9111192c13
SHA256

04c09c1d4c7674a6a70fcc6aa742aa300bd78f724d6de610d3809b444326b12f
SHA512

4f2b9d38e8abdcb4bcc75b6445519a8ebec0c6770b4f5c0c2c0e8890c88bce47bfcfa0fc22b523304b155782151d32e7501cbd2d36af7cd9f5492360e8bbaee0
SSDEEP

3145728:rObtNwBblcqir6N2pdI5OExQPPc0Bi8NKIM5ZTs5+IVzqYqBMeutEsSQHXLY+gQe:Shdueq5dxQncq2RBs5XzqABtEqTjtxO

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 17 IoCs

flow	pid	Process
29	3084	MsiExec.exe
31	3084	MsiExec.exe
33	3084	MsiExec.exe
38	3084	MsiExec.exe
55	3084	MsiExec.exe
56	3084	MsiExec.exe
61	3084	MsiExec.exe
66	3084	MsiExec.exe
67	3084	MsiExec.exe
68	3084	MsiExec.exe
69	3084	MsiExec.exe
71	3084	MsiExec.exe
72	3084	MsiExec.exe
73	3084	MsiExec.exe
74	3084	MsiExec.exe
75	3084	MsiExec.exe
76	3084	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	MsiExec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57e510.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE7C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6F6.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE88F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC3A.tmp	msiexec.exe
File created	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File created	C:\Windows\Installer\e57e510.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE61A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE764.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}	msiexec.exe
File opened for modification	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF275.tmp	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
4632	MsiExec.exe
3084	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2168	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3312	msiexec.exe
3312	msiexec.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3936	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	3312	msiexec.exe
Token: SeCreateTokenPrivilege	2168	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2168	msiexec.exe
Token: SeLockMemoryPrivilege	2168	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2168	msiexec.exe
Token: SeMachineAccountPrivilege	2168	msiexec.exe
Token: SeTcbPrivilege	2168	msiexec.exe
Token: SeSecurityPrivilege	2168	msiexec.exe
Token: SeTakeOwnershipPrivilege	2168	msiexec.exe
Token: SeLoadDriverPrivilege	2168	msiexec.exe
Token: SeSystemProfilePrivilege	2168	msiexec.exe
Token: SeSystemtimePrivilege	2168	msiexec.exe
Token: SeProfSingleProcessPrivilege	2168	msiexec.exe
Token: SeIncBasePriorityPrivilege	2168	msiexec.exe
Token: SeCreatePagefilePrivilege	2168	msiexec.exe
Token: SeCreatePermanentPrivilege	2168	msiexec.exe
Token: SeBackupPrivilege	2168	msiexec.exe
Token: SeRestorePrivilege	2168	msiexec.exe
Token: SeShutdownPrivilege	2168	msiexec.exe
Token: SeDebugPrivilege	2168	msiexec.exe
Token: SeAuditPrivilege	2168	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2168	msiexec.exe
Token: SeChangeNotifyPrivilege	2168	msiexec.exe
Token: SeRemoteShutdownPrivilege	2168	msiexec.exe
Token: SeUndockPrivilege	2168	msiexec.exe
Token: SeSyncAgentPrivilege	2168	msiexec.exe
Token: SeEnableDelegationPrivilege	2168	msiexec.exe
Token: SeManageVolumePrivilege	2168	msiexec.exe
Token: SeImpersonatePrivilege	2168	msiexec.exe
Token: SeCreateGlobalPrivilege	2168	msiexec.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeBackupPrivilege	996	srtasks.exe
Token: SeRestorePrivilege	996	srtasks.exe
Token: SeSecurityPrivilege	996	srtasks.exe
Token: SeTakeOwnershipPrivilege	996	srtasks.exe
Token: SeBackupPrivilege	996	srtasks.exe
Token: SeRestorePrivilege	996	srtasks.exe
Token: SeSecurityPrivilege	996	srtasks.exe
Token: SeTakeOwnershipPrivilege	996	srtasks.exe
Token: SeDebugPrivilege	3936	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2168	msiexec.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe
3936	taskmgr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 996	3312	msiexec.exe	90
PID 3312 wrote to memory of 996	3312	msiexec.exe	90
PID 3312 wrote to memory of 4632	3312	msiexec.exe	92
PID 3312 wrote to memory of 4632	3312	msiexec.exe	92
PID 3312 wrote to memory of 4632	3312	msiexec.exe	92
PID 3312 wrote to memory of 3084	3312	msiexec.exe	93
PID 3312 wrote to memory of 3084	3312	msiexec.exe	93
PID 3312 wrote to memory of 3084	3312	msiexec.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2168

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A53BB18C02C2D421BC644B7CF300F93A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 705E7FD24D5F1CB1542F15B7D922B094 E Global\MSI0000
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3084

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Hive Server.lnk

Filesize
1KB

MD5
09a5835d124128ff1f64ac7c64615731

SHA1
7d743ad3def36a7dde4f768ce18411f929a8bf0d

SHA256
399803c8123a5c9e0301ff938027d14c811cb5f136a420cd9390d96a1f285f89

SHA512
e95636bac614e9af3059699964900f0ee851b62793af8ad7706e6b54bee936c1a233fec9fb234ed6f113038e44a7417c02451f5cf4fd5f80c92d463fa3acb556

Download Submit
C:\Users\Public\Documents\TT\LeASHive.exe

Filesize
3.9MB

MD5
8a4d8dcd50dedcd419ecef07c613e767

SHA1
1408e6269e68b7647cef134506137d266c3a91cc

SHA256
8d2482fd76b3380fdb40ef460a8e8ba274dc12eb1295b6662b01a1a1e1341ec9

SHA512
c9b88fe236432ec3b2bf07d3dd6e1e8daf5265d7e094798d8828e3a7d124af1ee24c0963fabfcc78333df6bbc3edbae16cabe6910b7ae99acac57ef577116978

Download Submit
C:\Windows\Installer\MSIE61A.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Windows\Installer\MSIEC69.tmp

Filesize
760KB

MD5
df6d353853f28e4c4c0464b83f5220f2

SHA1
d714c58314b018f6599c4ff0518d2867bb3eca44

SHA256
dc64604e2a5dd9f1c01fd583f847d871269d680f1241644db0828e3adaf7067b

SHA512
3cfd6150e69c3e1201c57a43ab31a8021703ebf03271d1f6eb9cd20b3283484364bad905041b4a1b5e7139e9ecbb60764be6cb4c975be73e3c9413d6cd6a22be

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
52003aee2813e47bbdc61be0c30c2dfa

SHA1
80cf45cb516ab0c2565299647a7f7bf2221ed578

SHA256
6e9548e5b5403d17bd3357a1f6627eac279ebd7b0775bfe03e372877050264ba

SHA512
04c3e045e0ab714ba9d5f7f1e654d998742655a9568215b9bba6731c2ce7162c1fddea3b7a90058489420c69a83990c18ead0370661f010f7622358103b244c0

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{54e4169d-3aad-4c02-b2f6-d3272c3b4a6b}_OnDiskSnapshotProp

Filesize
6KB

MD5
348fe636b84795c0c0e86d47a26847be

SHA1
3159588961b716257937fd556bb9eb27b1a7cdb1

SHA256
fbf185346c9d88a9ed07885e067da6079efe78e3bdbe46e8f6a51ba35843b776

SHA512
86e458c128320cfd6993650df91ab3a221a534fd002ae4aa2fd3c942b3053b2a32b0e744b7892015fd35466c197c02806bcce3b9c233cbdff7d099644423f509

Download Submit
memory/3936-81-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-78-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-71-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-80-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-79-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-77-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-75-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-76-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-70-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download
memory/3936-69-0x0000028FA5A30000-0x0000028FA5A31000-memory.dmp

Filesize
4KB

Download