Analysis

max time kernel: 141s
max time network: 154s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2023 04:01
Behavioral task: behavioral1
Sample: WPS_Installer_.exe
Resource: win7-20230712-en

Behavioral task: behavioral2
Sample: WPS_Installer_.exe
Resource: win10-20230703-en
General

Target: WPS_Installer_.exe
Size: 4.1MB
MD5: 6e2cde27cf0f6d43d92687a13aef3980
SHA1: c35a49b96c283ed47e1d80153b76dffc5d296286
SHA256: fd6eb81590d22d47002590865955daa2ed559be1e9805099c59f5cb74a788c58
SHA512: 3a735cd61335547a11d6290ad34f3be7c012f6020dc991ccfd733e46e747ac36649a07b5cbfbf9fadf7d357adb93d2520de46fe3193e8df27645121011d55f22
SSDEEP: 98304:QSBIC1oZLORr1CjckI7d3bajae4Q+65q49HwWkFoLE3L:5CfONJTOuFQq45WKL6
Malware Config
Signatures

Purple Fox rootkit (yara rule purplefox_rootkit)
Processes:
resource | yara_rule
behavioral1/memory/2880-33-0x0000000010000000-0x0000000010199000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2880-33-0x0000000010000000-0x0000000010199000-memory.dmp | family_gh0strat
Executes dropped EXE 2 IoCs
Processes:
pid | process
2972 | WPS_Installer.exe
2880 | dahai.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
2064 | WPS_Installer_.exe
2064 | WPS_Installer_.exe
UPX (yara rule upx)
Processes:
resource | yara_rule
behavioral1/memory/2064-0-0x0000000000400000-0x000000000050A000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe | upx
behavioral1/memory/2064-15-0x0000000003800000-0x0000000003DA3000-memory.dmp | upx
\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe | upx
behavioral1/memory/2064-22-0x0000000000400000-0x000000000050A000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe | upx
behavioral1/memory/2972-17-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe | upx
behavioral1/memory/2972-31-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-41-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-42-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-43-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-50-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-60-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-61-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-62-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-63-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-64-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-65-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-66-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-67-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
behavioral1/memory/2972-68-0x0000000000230000-0x00000000007D3000-memory.dmp | upx
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\S: | dahai.exe
File opened (read-only) | \??\G: | dahai.exe
File opened (read-only) | \??\N: | dahai.exe
File opened (read-only) | \??\P: | dahai.exe
File opened (read-only) | \??\J: | dahai.exe
File opened (read-only) | \??\K: | dahai.exe
File opened (read-only) | \??\T: | dahai.exe
File opened (read-only) | \??\E: | dahai.exe
File opened (read-only) | \??\H: | dahai.exe
File opened (read-only) | \??\I: | dahai.exe
File opened (read-only) | \??\R: | dahai.exe
File opened (read-only) | \??\U: | dahai.exe
File opened (read-only) | \??\W: | dahai.exe
File opened (read-only) | \??\X: | dahai.exe
File opened (read-only) | \??\Z: | dahai.exe
File opened (read-only) | \??\B: | dahai.exe
File opened (read-only) | \??\L: | dahai.exe
File opened (read-only) | \??\O: | dahai.exe
File opened (read-only) | \??\Y: | dahai.exe
File opened (read-only) | \??\M: | dahai.exe
File opened (read-only) | \??\Q: | dahai.exe
File opened (read-only) | \??\V: | dahai.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | WPS_Installer.exe
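The report records WPS_Installer.exe opening \??\PhysicalDrive0 for modification, which is the raw first sector of the boot disk. The following script is an added example, not part of the report or of the sample: it baselines a 512-byte MBR and reports the change pattern a bootkit typically leaves (boot code replaced, partition table and 0x55AA signature kept so the machine still boots). The two MBR images are constructed test data, not the sample's sector; read_live_mbr() is the only function that touches a real disk and needs administrator rights on Windows.

```python
"""Baseline-and-compare check for the first sector of a disk (the MBR).
Added example, not from the sandbox report. The 512-byte images below are
constructed test data, not the MBR written by WPS_Installer.exe."""
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446          # bytes 0..445: boot code executed by the BIOS
PTABLE_OFF = 446             # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature


def build_mbr(bootstrap, partitions, signature=SIGNATURE):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    code = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    table = b""
    for status, ptype, lba, sectors in partitions:
        # CHS fields are zeroed; modern loaders use the LBA fields only.
        table += struct.pack("<B3sB3sII", status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, sectors)
    table = table.ljust(64, b"\x00")
    return code + table + signature


def parse_mbr(data):
    """Split a sector into bootstrap hash, non-empty partition entries and signature state."""
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PTABLE_OFF + 16 * i
        status, _, ptype, _, lba, sectors = struct.unpack("<B3sB3sII", data[off:off + 16])
        if ptype != 0:
            parts.append({"status": status, "type": ptype, "lba": lba, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": data[510:512] == SIGNATURE,
    }


def diff_mbr(baseline, current):
    """Return human-readable findings; an empty list means the sector is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["bootstrap_sha256"] != c["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def read_live_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the live first sector on Windows (requires administrator rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed test data: a clean MBR with one active NTFS partition, and a
# tampered copy whose boot code was replaced while the partition table was
# kept, which is how a bootkit stays bootable while hijacking the boot path.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" * 64, [(0x80, 0x07, 2048, 204800)])
TAMPERED_MBR = build_mbr(b"\xeb\xfe" * 223, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean vs clean:", diff_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs tampered:", diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

To use this against a real host, capture parse_mbr(read_live_mbr()) once on a known-good image and store the bootstrap hash; a later diff_mbr() that reports only "bootstrap code changed" is the bootkit signature, whereas a changed partition table usually points to legitimate disk management.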
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource | yara_rule
behavioral1/memory/2064-22-0x0000000000400000-0x000000000050A000-memory.dmp | autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes:
pid | process | entries
2064 | WPS_Installer_.exe | 2
2972 | WPS_Installer.exe | 4
2880 | dahai.exe | 34
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2880 | dahai.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process | entries
PID 2064 wrote to memory of 2972 | 2064 | WPS_Installer_.exe | WPS_Installer.exe | 7
PID 2064 wrote to memory of 2880 | 2064 | WPS_Installer_.exe | dahai.exe | 4
Processes

C:\Users\Admin\AppData\Local\Temp\WPS_Installer_.exe (PID 2064)
command line: "C:\Users\Admin\AppData\Local\Temp\WPS_Installer_.exe"
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe (PID 2972, child of 2064)
    command line: "C:\Users\Admin\AppData\Local\Temp\dahaima\WPS_Installer.exe"
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe (PID 2880, child of 2064)
    command line: "C:\Users\Admin\AppData\Local\Temp\dahaima\dahai.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
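The WriteProcessMemory rows above all go from the parent (PID 2064) into the two children it spawned, which is what process creation itself looks like in this kind of trace; the injection signal would be a write into a process the writer did not create. As an added example (not part of the report), the script below parses the flattened WriteProcessMemory and drive-enumeration rows, separates spawn-time writes from cross-process writes, and flags the drive-root sweep by dahai.exe. The input strings are copied from the report except for one hypothetical row (PID 2880 writing into a PID 1234 explorer.exe) and a hypothetical C: open by WPS_Installer.exe, both added for contrast; the column-order regexes and the threshold of three non-C: drive roots are assumptions, not a documented report format.

```python
"""Summarise flattened sandbox IoC rows: cross-process memory writes and
drive-root probing. Added example, not part of the sandbox report. The
regexes assume the column order visible in the report text."""
import re
from collections import Counter, defaultdict

# Constructed input: rows copied from the report's WriteProcessMemory table
# (two of the seven 2064->2972 rows, one of the four 2064->2880 rows), plus one
# HYPOTHETICAL row (2880 -> 1234 explorer.exe) that is not in the report.
WPM_TEXT = (
    "PID 2064 wrote to memory of 2972 2064 WPS_Installer_.exe WPS_Installer.exe "
    "PID 2064 wrote to memory of 2972 2064 WPS_Installer_.exe WPS_Installer.exe "
    "PID 2064 wrote to memory of 2880 2064 WPS_Installer_.exe dahai.exe "
    "PID 2880 wrote to memory of 1234 2880 dahai.exe explorer.exe"
)

# Parent/child relationships as shown in the report's process tree
# (2064 spawned both 2972 and 2880). PID 1234 is hypothetical.
PARENT_OF = {2972: 2064, 2880: 2064, 1234: None}

# Constructed input: a subset of the "Enumerates connected drives" rows, plus a
# HYPOTHETICAL single C: open by WPS_Installer.exe for contrast.
DRIVE_TEXT = (
    "File opened (read-only) \\??\\S: dahai.exe "
    "File opened (read-only) \\??\\G: dahai.exe "
    "File opened (read-only) \\??\\N: dahai.exe "
    "File opened (read-only) \\??\\C: WPS_Installer.exe"
)

WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\(?P<letter>[A-Z]):\s+(?P<proc>\S+)")


def write_edges(text):
    """Return {(src_pid, src_name, dst_pid, dst_name): row count} from the flattened table."""
    edges = Counter()
    for m in WPM_RE.finditer(text):
        edges[(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])] += 1
    return edges


def suspicious_writes(edges, parent_of):
    """Keep only writes whose target was not spawned by the writer.
    A parent writing into a child it just created is normal process-creation
    behaviour; a write into an unrelated process is the injection signal."""
    return [e for e in edges if parent_of.get(e[2]) != e[0]]


def drive_probes(text, ignore=("C",)):
    """Map process name -> sorted drive letters whose root it opened (C: ignored)."""
    probes = defaultdict(set)
    for m in DRIVE_RE.finditer(text):
        if m["letter"] not in ignore:
            probes[m["proc"]].add(m["letter"])
    return {p: sorted(v) for p, v in probes.items()}


def drive_enumerators(text, threshold=3):
    """Processes that touched at least `threshold` non-C: drive roots (threshold is an assumption)."""
    return sorted(p for p, letters in drive_probes(text).items() if len(letters) >= threshold)


if __name__ == "__main__":
    edges = write_edges(WPM_TEXT)
    for (src, src_name, dst, dst_name), n in edges.items():
        print(f"{src_name}({src}) -> {dst_name}({dst}): {n} write(s)")
    print("writes outside the spawn tree:", suspicious_writes(edges, PARENT_OF))
    print("drive enumerators:", drive_enumerators(DRIVE_TEXT))
```

Fed the full 11-row table from the report, the script reports no write outside the spawn tree; it is the hypothetical 2880 -> 1234 row that gets flagged, so when triaging a real report the first check is whether every WriteProcessMemory target also appears as a child of the writer in the process tree.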
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.9MB
MD5: b52ba2b99108c496389ae5bb81fa6537
SHA1: 9073d8c4a1968be24357862015519f2afecd833a
SHA256: c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8
SHA512: 6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Filesize: 1.6MB
MD5: 174895d7e1a751397f161a785fb1b355
SHA1: 27a56118d233adc9adcaaad95bedb0c8862c5277
SHA256: 2609445b23bf24267c6c5b597d78a8cfedecde62fb5c567436829ecbce95d743
SHA512: 2e9d5b7d247c9c2b3c38c4aecad08e217e2de7e3042c3eb67fb40e49c87c1709eeaec93119bbf4ea17464a75e8d1191795afbedc4f6bb62418a7619489df4d75