f9e8de832dbf43733ea5f447aeb7ef232862e4a485ca86c5ce72307395b99ee0

Resubmissions

13/10/2024, 12:02

241013-n7wrfazfnm 6

13/10/2024, 11:47

241013-nxwzfszbrq 6

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YoudaoDict_fanyiweb_navigation.msi
Size

187.0MB
MD5

70aeba0286a77763521f8c06a1cebf60
SHA1

24af28f2b995668258e108dd44bc4c9111192c13
SHA256

04c09c1d4c7674a6a70fcc6aa742aa300bd78f724d6de610d3809b444326b12f
SHA512

4f2b9d38e8abdcb4bcc75b6445519a8ebec0c6770b4f5c0c2c0e8890c88bce47bfcfa0fc22b523304b155782151d32e7501cbd2d36af7cd9f5492360e8bbaee0
SSDEEP

3145728:rObtNwBblcqir6N2pdI5OExQPPc0Bi8NKIM5ZTs5+IVzqYqBMeutEsSQHXLY+gQe:Shdueq5dxQncq2RBs5XzqABtEqTjtxO

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
24	2964	MsiExec.exe
26	2964	MsiExec.exe
28	2964	MsiExec.exe
33	2964	MsiExec.exe
50	2964	MsiExec.exe
51	2964	MsiExec.exe
57	2964	MsiExec.exe
62	2964	MsiExec.exe
63	2964	MsiExec.exe
64	2964	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5397DCAFEECE58AC9B09792F4A49B8D5	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MsiExec.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57a27a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a27a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF71.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA994.tmp	msiexec.exe
File created	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA335.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA45F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA55B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5C9.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}	msiexec.exe
File opened for modification	C:\Windows\Installer\{5A38FD59-77DB-4C92-AF4C-E85131AB2E0E}\LeASHive.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4ED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA964.tmp	msiexec.exe

Loads dropped DLL 7 IoCs

pid	Process
3152	MsiExec.exe
3152	MsiExec.exe
3152	MsiExec.exe
3152	MsiExec.exe
3152	MsiExec.exe
3152	MsiExec.exe
2964	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3736	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	msiexec.exe
4168	msiexec.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3736	msiexec.exe
Token: SeSecurityPrivilege	4168	msiexec.exe
Token: SeCreateTokenPrivilege	3736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3736	msiexec.exe
Token: SeLockMemoryPrivilege	3736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3736	msiexec.exe
Token: SeMachineAccountPrivilege	3736	msiexec.exe
Token: SeTcbPrivilege	3736	msiexec.exe
Token: SeSecurityPrivilege	3736	msiexec.exe
Token: SeTakeOwnershipPrivilege	3736	msiexec.exe
Token: SeLoadDriverPrivilege	3736	msiexec.exe
Token: SeSystemProfilePrivilege	3736	msiexec.exe
Token: SeSystemtimePrivilege	3736	msiexec.exe
Token: SeProfSingleProcessPrivilege	3736	msiexec.exe
Token: SeIncBasePriorityPrivilege	3736	msiexec.exe
Token: SeCreatePagefilePrivilege	3736	msiexec.exe
Token: SeCreatePermanentPrivilege	3736	msiexec.exe
Token: SeBackupPrivilege	3736	msiexec.exe
Token: SeRestorePrivilege	3736	msiexec.exe
Token: SeShutdownPrivilege	3736	msiexec.exe
Token: SeDebugPrivilege	3736	msiexec.exe
Token: SeAuditPrivilege	3736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3736	msiexec.exe
Token: SeChangeNotifyPrivilege	3736	msiexec.exe
Token: SeRemoteShutdownPrivilege	3736	msiexec.exe
Token: SeUndockPrivilege	3736	msiexec.exe
Token: SeSyncAgentPrivilege	3736	msiexec.exe
Token: SeEnableDelegationPrivilege	3736	msiexec.exe
Token: SeManageVolumePrivilege	3736	msiexec.exe
Token: SeImpersonatePrivilege	3736	msiexec.exe
Token: SeCreateGlobalPrivilege	3736	msiexec.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeBackupPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeRestorePrivilege	4168	msiexec.exe
Token: SeTakeOwnershipPrivilege	4168	msiexec.exe
Token: SeBackupPrivilege	3996	srtasks.exe
Token: SeRestorePrivilege	3996	srtasks.exe
Token: SeSecurityPrivilege	3996	srtasks.exe
Token: SeTakeOwnershipPrivilege	3996	srtasks.exe
Token: SeBackupPrivilege	3996	srtasks.exe
Token: SeRestorePrivilege	3996	srtasks.exe
Token: SeSecurityPrivilege	3996	srtasks.exe
Token: SeTakeOwnershipPrivilege	3996	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3736	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4168 wrote to memory of 3996	4168	msiexec.exe	92
PID 4168 wrote to memory of 3996	4168	msiexec.exe	92
PID 4168 wrote to memory of 3152	4168	msiexec.exe	94
PID 4168 wrote to memory of 3152	4168	msiexec.exe	94
PID 4168 wrote to memory of 3152	4168	msiexec.exe	94
PID 4168 wrote to memory of 2964	4168	msiexec.exe	95
PID 4168 wrote to memory of 2964	4168	msiexec.exe	95
PID 4168 wrote to memory of 2964	4168	msiexec.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4168
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15EF163783627B10E351153F1F9A8EC7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3152
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 00C4640E81E5242F1ADCA7284DE7E2E3 E Global\MSI0000
  2⤵
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Installer\MSIA335.tmp

Filesize
904KB

MD5
421643ee7bb89e6df092bc4b18a40ff8

SHA1
e801582a6dd358060a699c9c5cde31cd07ee49ab

SHA256
d6b89fd5a95071e7b144d8bedcb09b694e9cd14bfbfafb782b17cf8413eac6da

SHA512
d59c4ec7690e535da84f94bef2be7f94d6bfd0b2908fa9a67d0897abe8a2825fd52354c495ea1a7f133f727c2ee356869cc80bacf5557864d535a72d8c396023

Download Submit
C:\Windows\Installer\MSIA994.tmp

Filesize
760KB

MD5
df6d353853f28e4c4c0464b83f5220f2

SHA1
d714c58314b018f6599c4ff0518d2867bb3eca44

SHA256
dc64604e2a5dd9f1c01fd583f847d871269d680f1241644db0828e3adaf7067b

SHA512
3cfd6150e69c3e1201c57a43ab31a8021703ebf03271d1f6eb9cd20b3283484364bad905041b4a1b5e7139e9ecbb60764be6cb4c975be73e3c9413d6cd6a22be

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
c1c40841e2cce21534eb8fe95fec80b5

SHA1
7eb3d80c59df55d0800d0d97cbf4c8a20b9a4c22

SHA256
e922552c41f2835996d7e81604fa904579682cd2cf953673f92c43a5f54197d5

SHA512
b0017df04b883fb38a83175243de82d9737fc22730f6d1f20a984ae9516d0cf00513773bdf967e91d7f180513925a3c5c92d674ed4d9894f6d888263b4856e31

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8fd24401-52a7-4fc7-9165-5e827485d11a}_OnDiskSnapshotProp

Filesize
6KB

MD5
a9604fb54af3b26d72876bca11dbf773

SHA1
49f8addc0fa9016a0336b8df69bcc31b2404e047

SHA256
0766c4b579fe9074cd841f18d1691568acbbd425615e5efa87d21c4a65547183

SHA512
33d3209f61a7e27c3c5f293f6c54639b26290a6d6295ac1bcb742c9724d01d6bbcb8c36ae22710cf7ecae9eb374b715d77e05c5198bb34286fc3abe09aad641b

Download Submit