Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-06-2024 14:58

General

  • Target

    finalshell_install.msi

  • Size

    114.0MB

  • MD5

    513c6f171a71ade9e117a08345cd589d

  • SHA1

    57a4a508e5d7d76aa1cfe883af4f0a1c3bdd47ca

  • SHA256

    9861a44622f62ea87dd8ce53ef752d5af92dc60f8e012f72f1873fd462b4e0e0

  • SHA512

    0287bc684c4947b79e4f80629bbe7fb5850bc2659f04d6dbfc15116bafa2d10eb362ace9cb581147b6f5ae09491f4ad63c3bf2f115f09ce9cba89209bfbfc1c9

  • SSDEEP

    1572864:OMNdS0K7cM0Smj/NP6r32RVzpMqHzjlZiuFp0SB3P/pL/lA5jY5/GA+Y13LJyPOZ:OMNdxoONP6r32HGOzJpLdA5+zrpm3r6

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 26 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\finalshell_install.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3992
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6CBE5EF477CFB9B004EAD60D7A0914B4 C
      2⤵
      • Loads dropped DLL
      PID:1612
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4392
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1D6537D7ECC0F787185807ED7463F470
      2⤵
      • Loads dropped DLL
      PID:3004
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 1B93FE0B6FA40D3A230B78F1FB1277FD
      2⤵
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Program Files\Windows Defenderr\Phone.exe
        "C:\Program Files\Windows Defenderr\Phone.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:1544
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1584
          4⤵
          • Program crash
          PID:4748
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4296 /prefetch:8
    1⤵
    PID:1764
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:436
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of FindShellTrayWindow
    PID:1668
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1120
  • C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
    C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
    1⤵
    • Executes dropped EXE
    PID:2700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1544 -ip 1544
    1⤵
    PID:2160
  • C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
    C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{CD564AD6-E593-4140-9ACC-58xv60w51204}\Phone.exe
    1⤵
    • Enumerates connected drives
    • Checks computer location settings
    • Executes dropped EXE
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /fi "PID eq 1400"
        3⤵
        • Enumerates processes with tasklist
        PID:1548
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i "1400"
        3⤵
        PID:1224
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 20 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:4396
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:336

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Command and Scripting Interpreter (T1059): 1
  • Persistence
    • Event Triggered Execution (T1546): 1
      • Installer Packages (T1546.016): 1
  • Privilege Escalation
    • Event Triggered Execution (T1546): 1
      • Installer Packages (T1546.016): 1
  • Discovery
    • Query Registry (T1012): 4
    • Peripheral Device Discovery (T1120): 2
    • System Information Discovery (T1082): 6
    • Process Discovery (T1057): 1
    • Remote System Discovery (T1018): 1

            Downloads

  • C:\Config.Msi\e58cfdf.rbs
    Filesize: 40KB
    MD5: f76c00f0810fe8beb1174f93ae33f3ab
    SHA1: 03b61a09b0cad7b8d5279889b99753a7eda4e359
    SHA256: 38e29e1644440a57f2bce462b25e4c73048b049f35578a316208ad94b2cf9463
    SHA512: a746eb3371ba3c78d64440df5d7c538fa2dec12b0e4b953b4fd69e3ef937bb9fa1e176c63d20c85a467c48b9a03a12dd6c5ade8f750366594da5289481385f92

  • C:\Config.Msi\e58cfe4.rbs
    Filesize: 8KB
    MD5: 7baa1650709da878468a41a635501cd4
    SHA1: 3b427389639f7eabb82103982e93d897075a0023
    SHA256: 40ab9494aadec3f7396face8fce6b40a15bc3782b6e225fc6dc3497523d7fdd6
    SHA512: 848ef8e9cb449b9b766e4d92245bfe102916bc6815f33b436c324ac60020c2c3a5852a1e08c03df411e5df6cd6da7bc44ad16773fd9c2ac11d6aea302d9e134a

  • C:\Program Files\Windows Defenderr\1
    Filesize: 978KB
    MD5: a8a5c802a0ba7779cd378a4ed88a1645
    SHA1: c78967d9cf1fa6017757b93891b423854952b4ef
    SHA256: b7247f59f232b373c2473f869c8269a7ef46ad29bbc64403a29c697313b6ae74
    SHA512: 329b43bbf38ac5b547c69f1301c8899ae24a044009051236df2678911cd636961731a4f274cd55381a86cab3dd74dabee2cb25d8968361991d516cdf7d945709

  • C:\Program Files\Windows Defenderr\2
    Filesize: 135KB
    MD5: de5b9a4e125ac870b304a80fc829f888
    SHA1: d82d45dbeb3c2d702b6bb6b4c28a95d357b86316
    SHA256: 992d22609eb21b384ac3965d18cca4fa620e2a743451db60d19794eafe553362
    SHA512: 471249934c2560ccd166ca559e9d73622a4653a7226a2e7ff3c0225dcd882d9d78e8676342938c6c6e56d6167a37d8e96423b2de6f6a5f9740424191481fb725

  • C:\ProgramData\{2897F7B3-5E34-4832-8211-B8xv1Aw56ECB}\{6D54FAA2-99A5-47e2-B101-E5xvCCw59D76}.exe
    Filesize: 1.0MB
    MD5: d96a742899aeab9eaba691861908e316
    SHA1: 777f988457a9265431e8119bd2d579f264f565f5
    SHA256: 1d8b0d810d826574637041cc56c5532139eccff5064195bfea0d65ac0c3624d3
    SHA512: cc3f75a0d2abe5860acefebda2d44dba7259d7f28e32dfd41d3d7361df7f4195deb49e8c7f7d74f09bffdd8a39fde5a0eeee222a92bdef3f773379284aadf582

  • C:\ProgramData\{6FDD4E84-A1CB-4a08-B7B1-E2xv8Ew59779}.cmd
    Filesize: 437B
    MD5: 2652de69af27cd85463fec04ef48eaba
    SHA1: e04ad0123527b4733e26c8c46fba8ced09bc06f9
    SHA256: 45d30abfee01e6f3c4e10755dcff642103a26ea7b2d7381f0fbc90564e3f6c6a
    SHA512: 86d933bb4bf605ec2a7ee1a6ac9b396e792593de18ab212045e980ca80fe014615c9281a8df25208451d9efeeaec63a2bd16b9f4ee8100dbb74acc00c0feb7a2

  • C:\Users\Admin\AppData\Local\FinalShell\Finalshell\finalshell.exe
    Filesize: 101KB
    MD5: c1c11656f36a5b2b7bf514a6cf4ddf54
    SHA1: 1b99cfe6a5c16c88b3a4efb3874127ea2bb0d420
    SHA256: 47600daab17337f9c268426027ffd9ed2cf1a1774ff84cb81e24ed61b7c7407b
    SHA512: b546d7b59706b02cffd1ed3927981ff85e6f992afe0f69261780d6c40636b0ce3782954497dfeefea058d196a6e62e2f568da28a90961357b4fe39f3d52a0eae

  • C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\COPYRIGHT
    Filesize: 35B
    MD5: 4586c3797f538d41b7b2e30e8afebbc9
    SHA1: 3419ebac878fa53a9f0ff1617045ddaafb43dce0
    SHA256: 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
    SHA512: f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

  • C:\Users\Admin\AppData\Local\FinalShell\Finalshell\jre\legal\java.naming\LICENSE
    Filesize: 33B
    MD5: 16989bab922811e28b64ac30449a5d05
    SHA1: 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
    SHA256: 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
    SHA512: 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

  • C:\Users\Admin\AppData\Local\Temp\MSI27C.tmp
    Filesize: 587KB
    MD5: c7fbd5ee98e32a77edf1156db3fca622
    SHA1: 3e534fc55882e9fb940c9ae81e6f8a92a07125a0
    SHA256: e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
    SHA512: 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

  • C:\Users\Admin\AppData\Local\Temp\WindowsProgram.msi
    Filesize: 1.2MB
    MD5: 7813c15b89e15b8af723338db9bd5936
    SHA1: 2308be3f8f1c3f46cd2eb14189c19c0e2deef8c5
    SHA256: 17fcf1aacf2981cff65f7d0f3f03029c15eebfd7f71790cdf0f03553895d4152
    SHA512: ef1b63b1b8b670610bcc5b461457d5b58fca57577b7cf8442183c921ed516b7a87f48b4fde9d325dcc087cb090d7f8992f1eec2a68d1c06c263b6ea93470faeb

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: 1acf5f3d3b194d6dbfa1e44de089c0b4
    SHA1: 470f89dee065f0a213cd48675353c6be1a225c31
    SHA256: b41a87e96e8ed44d2ff0d0f4cf90578b7716114e235cea730f9494622f09fea2
    SHA512: 95d85b621f6cd70900ad519521562c937e441a1e0b5213ff5d97566448780cfbc441af49891c0e241022eeebfb9c1beb7321d50bef628fab08528b2159954d02

  • \??\PIPE\srvsvc
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \??\Volume{8a2ad7b7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8d315ea7-8fa7-4ae3-bfd6-b6dc71ed14aa}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 2e2e5d4e468d0d85102740f0703c6bb6
    SHA1: 9818832fb444e1a85a3d18915649be6401b15dbe
    SHA256: d780fa9f08a295ef1c0975fc42d6451b37320571cdea953564dc47979a1fb21a
    SHA512: 89d415ecc5d1daf1b0d613d81f47fdb8fc8530d00de9acf1efa30bded54562016a11f54974e5157704e493d6d552acb7e5d2d722ab91e5a3fc832f6cc44fdf37

  • memory/1400-405-0x0000000010290000-0x000000001044A000-memory.dmp
    Filesize: 1.7MB

  • memory/1400-403-0x0000000010290000-0x000000001044A000-memory.dmp
    Filesize: 1.7MB

  • memory/1544-376-0x0000000000F80000-0x000000000107E000-memory.dmp
    Filesize: 1016KB

  • memory/1544-391-0x0000000000F80000-0x000000000107E000-memory.dmp
    Filesize: 1016KB

  • memory/2700-390-0x0000000000DE0000-0x0000000000EDE000-memory.dmp
    Filesize: 1016KB