Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    18-11-2024 06:03

General

  • Target

    kugou_yinyue-X64.msi

  • Size

    115.7MB

  • MD5

    8264ac335dd2c9b6f3c22826833eef9a

  • SHA1

    6b45e44fb10381e96e5cba2004bfbc08a3eec3cd

  • SHA256

    4defef20d0c620fcc1743147f44a244fa7c61b484a5ca5cfb8f60e99e970a7a2

  • SHA512

    1a65be0f908edabe532232193cab034921065ff4fb898637b1c82a17d29874335758c93f779b7666384c0d6e6fe4eb46b5a6882986d6b742dd1a8be0e1df2fbb

  • SSDEEP

    3145728:rydOHVo966Gx85U9YwMWYA2/8JZVtG37GDOUaDZjfFSfho:0H1GxkcBrYt/8J8SarDZ7FSfu

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2096
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 57B259D4E938DBC19927DCB2DB8C2D43 M Global\MSI0000
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeployDeterminedRetailer'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1584
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1588
        • C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
          "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:3048
      • C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
        "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 289 -file file3 -mode mode3
        3⤵
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2112
      • C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
        "C:\Program Files\DeployDeterminedRetailer\kugou11131.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of SetWindowsHookEx
        PID:2960
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2688 -s 580
      2⤵
      PID:2880
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2740
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2636

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\f76c11f.rbs

      Filesize

      7KB

      MD5

      5b4c9421d3fd5cac63a0d801c7d1c80d

      SHA1

      419725c22a2b4594948f29d07d6dca4f76d8f797

      SHA256

      19c1bf4738ec664d17074de033ece34a351b674f7f9e55801a77c791a489d2e0

      SHA512

      e1a8632f8f1346985ebc009d6a09586992e09499de6d32d265c4b0acfa0e9b46405b3a61108d2dfa5a8ba0d63e19f2635e0ae17e7d7cf248448bdd51ce15ccdb

    • C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE

      Filesize

      1.5MB

      MD5

      f97e41d5d36b59621dba93d7727cb67b

      SHA1

      b2e9e34874a9cb8c61fc276b9d77a0e1cb0532f0

      SHA256

      a85e5b6d77e5ddc9f00155f1cda319508c92c8e21c16bd99cfc87b15ae774174

      SHA512

      c8de402c10fb3505a7ef7b7ec8039f03b5810e6c38d7b2969865148f0a1ed21e798f386aae9ca2cb1655184accac39169d59cc7e6662ffa213c7a0edc4cd8c67

    • C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe

      Filesize

      577KB

      MD5

      c31c4b04558396c6fabab64dcf366534

      SHA1

      fa836d92edc577d6a17ded47641ba1938589b09a

      SHA256

      9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

      SHA512

      814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

    • C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

      Filesize

      2.1MB

      MD5

      13c482a12d740c8fc27b23038fa097d4

      SHA1

      4c0d85646dfa60d3dbe9bab472fe1ef3ae8da957

      SHA256

      f12ea05152c21c0de7b9f81b9e9004a40ee7f3c4cf7b63b7918d53c74a1219a6

      SHA512

      73a1df4797a092de6b5fbede88a96d593ba34198f32f44eb390e223ebd0df988e114a7caa19de723b15698fcf884943f004a2d35d4bbd3c2ae18155594e74bbf

    • \Users\Admin\AppData\Local\Temp\nse475.tmp\System.dll

      Filesize

      40KB

      MD5

      88513dbed3a5bba74d020b0d56ae587a

      SHA1

      f0f4f6f7e5e423ad1918ea553aa9e5c2ca75370a

      SHA256

      cbce0c9051e6f4724070186feb71255e01f606f6f0d2ca1d2fcbc8c942d8e11f

      SHA512

      6a61e4700c286202741cb344b4f6851573084b2dd78639f642252a9d5bcc35734fc7daa9d4e5d083577a0d4887d5a4a20ac04100b178205269fe13eb9d7393a7

    • \Users\Admin\AppData\Local\Temp\nse475.tmp\isx.dll

      Filesize

      1.4MB

      MD5

      c65109a207007208ef83b48de15d1145

      SHA1

      d76057c4e67f850c2100c31c1222618efeed146b

      SHA256

      4aaffbd45bc8d3498c76f78dba9b95f920367af37020e382099961437e89d071

      SHA512

      b2c34bfb1ff5b3272780e9d2f89ff09e2146daa783f3a860aa30cac06b28c6063f2349cc30dd20e154565ad1e6310cd45d33e683f336c8f4905ebd15e5543370

    • \Users\Admin\AppData\Local\Temp\nse475.tmp\kgskin.dll

      Filesize

      524KB

      MD5

      5a671b81a0d59cd5192b1861b65f2543

      SHA1

      f679af0550a31a5cfbaa1b055cfaf2396027e391

      SHA256

      5c7b02317096c5fe6fcfe173711e06aeb288c916e97a2abfe5939907744e0d97

      SHA512

      6d76a6ac670e147335760a03288c6fc7e99c18611edfa859f4e76027bd937ac0a650479bdd2d09f9b94bb56bc81e3d292a42769c763971ff9a24d9566d22b442

    • \Users\Admin\AppData\Local\Temp\nse475.tmp\svg.dll

      Filesize

      3.3MB

      MD5

      f7b407c2c1600587cb6e5679a93250fb

      SHA1

      00b0cbedff910b4016cb957d6043eadb99575dd0

      SHA256

      3ca02f89d98b7781c242b60029ddeb4f6b8610b624c0b70c6347a50b49f59024

      SHA512

      428ae534ea6af1986f596b4a38b45926d2fe19cab09544fcc601a0a615e1ac45129e4eb88ac58489694b6b0c1a22514003eac5fdd0a7497cc719c1e047ad6624

    • memory/1584-19-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

      Filesize

      32KB

    • memory/1584-18-0x000000001B6A0000-0x000000001B982000-memory.dmp

      Filesize

      2.9MB

    • memory/1956-13-0x0000000000610000-0x0000000000620000-memory.dmp

      Filesize

      64KB

    • memory/2112-47-0x000000002B240000-0x000000002B26F000-memory.dmp

      Filesize

      188KB