Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-09-2024 13:58

General

  • Target

    WPS Office_104693057_401556.msi

  • Size

    13.0MB

  • MD5

    a8f0f41ccc09254856bc1bbd2151a15d

  • SHA1

    4926bf9e1ca27835ee5a077565979111614c3e25

  • SHA256

    745ae5ef809909bdda166d758a529907f4175f3131c451717ca22a536eec57a9

  • SHA512

    8371939ad373cb6b6a5bf2cc20158fd60e7ebf91bdc67e8326d63d12aac7efd2600296e52ef1b5ef7acaa8f061a343e3ad45b5f7c1f8ff72f2113ce1f0815524

  • SSDEEP

    393216:oGS3skS0F5Ky7pfJY/+LXwwhCtZRZ5bz/ueWr8bf:oG8S0F5N7pfJu2XwwhYZRDbz/uFUf

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\WPS Office_104693057_401556.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4832
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3528
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding FA96CCB7D0F221C0429DAC1CFE876501 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe
        "C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe" x "C:\Program Files\CommunicateSupervisorGentle\RklfmdhbCMtmUxRFJWah" -o"C:\Program Files\CommunicateSupervisorGentle\" -pvZPJIQIwTATDNSQOnwpY -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3980
      • C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe
        "C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe" -number 165 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:632
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
  • C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe
    "C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe" -file file3 -mode mode3 -flag flag3 -number 200
    1⤵
    • Enumerates connected drives
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3224

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e578b97.rbs

    Filesize

    7KB

    MD5

    505117be514c689504a2e26625ca85b2

    SHA1

    993d486d140c6abefca065d1ba651b6660cb86b2

    SHA256

    61d03bfca83cd763fc7528fe28b5b6459d9eba04b049ef13733c61b7201feb8d

    SHA512

    b596e522b0c4fe062478393ffde9468d55e35dabb73b691f66dc96862d03dab5cc26850462daa0c264fe41f6dcd6adbc21daaeb5beebe7614df46e33b4338080

  • C:\Program Files\CommunicateSupervisorGentle\QRdpObipxd29.exe

    Filesize

    2.0MB

    MD5

    b52576273e38bf9285ae6c4cc6c2949d

    SHA1

    e2a8bbe6420b53ddaa0b644e6d60e5643617c459

    SHA256

    34dce8d0cdb26cb18557dc37874f0eeb9d1125a76777fc4f794c9afcd061d17a

    SHA512

    3a0d4a7baf8647d603cb832694f6d58b116c49fefbcbc857d29831b8f47cefef6e60a12b795a3022a17110a8b1f5bbc146ae9745bcad280dfa91cf3d1ecdd1a2

  • C:\Program Files\CommunicateSupervisorGentle\RklfmdhbCMtmUxRFJWah

    Filesize

    735KB

    MD5

    e930add428550f33a9dd8ec3c3e731a9

    SHA1

    82c3d0fcc3dbefc590a95497e69ee0713a9b65ac

    SHA256

    4a82706a491f1da255a6c331d10d3901cb495b0df90ba5f205280eb93745274e

    SHA512

    c9464ce4fd5000522e74ec87ff63713db7ed404c9dba15264a1501933a36fdb584613a9b69d882c0d0ac6f0f8acc9ef2540e1d086aa2dde0da70b9587be1e681

  • C:\Program Files\CommunicateSupervisorGentle\TAMBkPWjDlUR.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Windows\Installer\e578b96.msi

    Filesize

    13.0MB

    MD5

    a8f0f41ccc09254856bc1bbd2151a15d

    SHA1

    4926bf9e1ca27835ee5a077565979111614c3e25

    SHA256

    745ae5ef809909bdda166d758a529907f4175f3131c451717ca22a536eec57a9

    SHA512

    8371939ad373cb6b6a5bf2cc20158fd60e7ebf91bdc67e8326d63d12aac7efd2600296e52ef1b5ef7acaa8f061a343e3ad45b5f7c1f8ff72f2113ce1f0815524

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    af6694c035ba489beca8f84fb5c1066b

    SHA1

    8a7a9b8d3bf92fb83baf6f004e302f2af639c43f

    SHA256

    e6f29abfb7b1ccba6078e4f745d31225298e2d42ecf6c37e2ecf19667e142674

    SHA512

    f2070c5f3a9e5580b04cbd769a1448b23bd180374f9390d3c261c899cfd2f4621798ff0d4599ce3cd6da3164f2a4c7557b900044e88ab09c10bf078254b10194

  • \??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cc79a3c7-9d65-41d8-b369-eef87567179c}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    9f2a33f08575a6ed0a651f507252eff2

    SHA1

    3d8298c00592b659bade41bcd4273d7dc3b68958

    SHA256

    61e6d66b5a9cddc200ebcecce9007efa7fff72a8f30cfb59609a8e469fb92c45

    SHA512

    9da5b0fe621a469b201af27df377d602839b2825e9c6a20ba701b63b1c9a5d6816f5ebadd59e279414caf75e8d1cf3b7aeae136253d200d85754213ef7af31cf

  • memory/632-33-0x00000000097D0000-0x00000000097EE000-memory.dmp

    Filesize

    120KB

  • memory/3224-39-0x0000000029EB0000-0x0000000029EDE000-memory.dmp

    Filesize

    184KB

  • memory/3224-40-0x000000002BAA0000-0x000000002BC5B000-memory.dmp

    Filesize

    1.7MB

  • memory/3224-42-0x000000002BAA0000-0x000000002BC5B000-memory.dmp

    Filesize

    1.7MB

  • memory/3224-43-0x000000002BAA0000-0x000000002BC5B000-memory.dmp

    Filesize

    1.7MB