Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-11-2024 03:57
Static task
static1
Behavioral task
behavioral1
Sample
Fanyi.msi
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
Fanyi.msi
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
Fanyi.msi
-
Size
26.5MB
-
MD5
3d6804261513077c81543bfa24503bae
-
SHA1
a5b387c2402a77bf6ffd6835dbf79129a41a4ec6
-
SHA256
bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112
-
SHA512
899b6e4ebe9ea71a37772149a78ed19b9e09d6b0b9f8287b85a484008d6e6ad0efa99eabf4c245958929a1f0b52672ffec05cb824578738fbb0107f312f531ec
-
SSDEEP
786432:FyPHKm4X1Ut5pZnm0p0syQvIwOpc1SYrBsff/p9QE:FEqm4X1U5pZm02syQt4iZr4n
Score
6/10
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2124 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeShutdownPrivilege 2124 msiexec.exe Token: SeIncreaseQuotaPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 1352 msiexec.exe Token: SeTakeOwnershipPrivilege 1352 msiexec.exe Token: SeSecurityPrivilege 1352 msiexec.exe Token: SeCreateTokenPrivilege 2124 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2124 msiexec.exe Token: SeLockMemoryPrivilege 2124 msiexec.exe Token: SeIncreaseQuotaPrivilege 2124 msiexec.exe Token: SeMachineAccountPrivilege 2124 msiexec.exe Token: SeTcbPrivilege 2124 msiexec.exe Token: SeSecurityPrivilege 2124 msiexec.exe Token: SeTakeOwnershipPrivilege 2124 msiexec.exe Token: SeLoadDriverPrivilege 2124 msiexec.exe Token: SeSystemProfilePrivilege 2124 msiexec.exe Token: SeSystemtimePrivilege 2124 msiexec.exe Token: SeProfSingleProcessPrivilege 2124 msiexec.exe Token: SeIncBasePriorityPrivilege 2124 msiexec.exe Token: SeCreatePagefilePrivilege 2124 msiexec.exe Token: SeCreatePermanentPrivilege 2124 msiexec.exe Token: SeBackupPrivilege 2124 msiexec.exe Token: SeRestorePrivilege 2124 msiexec.exe Token: SeShutdownPrivilege 2124 msiexec.exe Token: SeDebugPrivilege 2124 msiexec.exe Token: SeAuditPrivilege 2124 msiexec.exe Token: SeSystemEnvironmentPrivilege 2124 msiexec.exe Token: SeChangeNotifyPrivilege 2124 msiexec.exe Token: SeRemoteShutdownPrivilege 2124 msiexec.exe Token: SeUndockPrivilege 2124 msiexec.exe Token: SeSyncAgentPrivilege 2124 msiexec.exe Token: SeEnableDelegationPrivilege 2124 msiexec.exe Token: SeManageVolumePrivilege 2124 msiexec.exe Token: SeImpersonatePrivilege 2124 msiexec.exe Token: SeCreateGlobalPrivilege 2124 msiexec.exe Token: SeBackupPrivilege 2900 vssvc.exe Token: SeRestorePrivilege 2900 vssvc.exe Token: SeAuditPrivilege 2900 vssvc.exe Token: SeBackupPrivilege 1352 msiexec.exe Token: SeRestorePrivilege 1352 msiexec.exe Token: SeRestorePrivilege 2276 msiexec.exe Token: SeTakeOwnershipPrivilege 2276 msiexec.exe Token: SeSecurityPrivilege 2276 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2124 msiexec.exe 2124 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1352 wrote to memory of 2692 1352 msiexec.exe 34 PID 1352 wrote to memory of 2692 1352 msiexec.exe 34 PID 1352 wrote to memory of 2692 1352 msiexec.exe 34 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fanyi.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2124
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1352 -s 8282⤵PID:2692
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276