Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-09-2024 13:34

General

  • Target

    Yiwaiwai Build Version-Windows电脑版-x64.msi

  • Size

    84.4MB

  • MD5

    5a026114cd99d8de5a8316aa698f2fe6

  • SHA1

    7a518456e901cd4417ccebdcab519b51f1861e6c

  • SHA256

    c51f510516723dd1aa2b49fad8c2fe0c34de35cdb1870be2eb93ac4b2b24fd9d

  • SHA512

    91e3105c9ba72b6bc6a4ba29b9d961b90b0453977bb4a8eff71e6c9c6b92699e2b9510e79a9cdd1fb6f1e5cb7878477d71309f1fa33b095bb702f00935b2ecbd

  • SSDEEP

    1572864:snJk0D65s9Qj0GuXrrjk0f3oN4H/9dDdOFARIN3toxIt89hENhxcjtz/csBV2fx5:snJ1D65sG0GubE6KMfcAm5tJ1kF/cO2/

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Yiwaiwai Build Version-Windows电脑版-x64.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4548
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3140
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:620
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 01991D1474D4D20D0314B02EF8823A25 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3116
      • C:\Program Files\UpgradePlannerEfficient\KgdhdobEEcCn.exe
        "C:\Program Files\UpgradePlannerEfficient\KgdhdobEEcCn.exe" x "C:\Program Files\UpgradePlannerEfficient\ZpQugbuDgbtYRSDGfPfG" -o"C:\Program Files\UpgradePlannerEfficient\" -pSRAwpFnWOubEhKkPQytl -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:868
      • C:\Program Files\UpgradePlannerEfficient\ghohUvaqFA29.exe
        "C:\Program Files\UpgradePlannerEfficient\ghohUvaqFA29.exe" -number 252 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4872
      • C:\Program Files\UpgradePlannerEfficient\Yiwaiwai.exe
        "C:\Program Files\UpgradePlannerEfficient\Yiwaiwai.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2428
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3204
  • C:\Program Files\UpgradePlannerEfficient\ghohUvaqFA29.exe
    "C:\Program Files\UpgradePlannerEfficient\ghohUvaqFA29.exe" -file file3 -mode mode3 -flag flag3 -number 200
    1⤵
    • Enumerates connected drives
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:4088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57e2b0.rbs

    Filesize

    8KB

    MD5

    8886b5be77b861288b580b4c1dc09453

    SHA1

    d2b1ef6f93a044f47a0bb8afe509acd3076801fb

    SHA256

    bd00b856559c13c9a139027181d1eeb2034c7d62f4a67140e2e64d4b414c5c30

    SHA512

    2e68458741a42498dce9273e49c55df1bfaf82a44dd79582316046457f2a1b85adc2aa08c64e7599341511dcbce2272d26ad0bb72085f930471e2013895a8089

  • C:\Program Files\UpgradePlannerEfficient\KgdhdobEEcCn.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\UpgradePlannerEfficient\ZpQugbuDgbtYRSDGfPfG

    Filesize

    735KB

    MD5

    fccf621df78f0e12959e3d3629f8a901

    SHA1

    4a465b223884ff9044ac00fd0c075957b4215296

    SHA256

    3457b6fde9692944d8d5c4bc7516488d40f87e657f4448e3cb790a86f21588fb

    SHA512

    a8cb739107cbeffea1fe5d6a6d4014509a6565f6565105ae56d2d8008280635510b6460ee71ad4cc87c042d24e0941cfae2885c7dbd3ed9f525c4976c9edc70a

  • C:\Program Files\UpgradePlannerEfficient\ghohUvaqFA29.exe

    Filesize

    2.0MB

    MD5

    05c97fe9dbc9b542010809b9f65c2486

    SHA1

    b97db940e5bedc99b38b54a9bce0392beac67542

    SHA256

    0b1c41e44bd9203a40e795dd0dbf406022376af9722ba95e640c4957efac8c6d

    SHA512

    c45ec0dc69a6bffa745d14614f9b9a068e8a6d750d3509530e61f52cf01adc86860373912e7d1211641336917c6ad3d4fcc08cf6b2929716de9a7369ebb662a5

  • C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    20231d894bf014965d1aeccf79ab8ef3

    SHA1

    cdce15f0c10bc8a7ac72da25ee66e876bf9ea319

    SHA256

    6ab9ee3478f20c33ee37944720e2fab4fd21580d66e60de18a5d9b559d2589b0

    SHA512

    c84094ffb5072528cecce86ce43b0dc5599b344fcfabf14203dbeb8e08b4e522a69f2eb6e4bc379df98f1c2214c4322b32af25353ea320a18339bb924feaf51c

  • C:\Users\Admin\AppData\Local\Temp\nsgEDAD.tmp\NsProcess.dll

    Filesize

    4KB

    MD5

    faa7f034b38e729a983965c04cc70fc1

    SHA1

    df8bda55b498976ea47d25d8a77539b049dab55e

    SHA256

    579a034ff5ab9b732a318b1636c2902840f604e8e664f5b93c07a99253b3c9cf

    SHA512

    7868f9b437fcf829ad993ff57995f58836ad578458994361c72ae1bf1dfb74022f9f9e948b48afd3361ed3426c4f85b4bb0d595e38ee278fee5c4425c4491dbf

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    d33b71f6c41d8e46edf5844814b3174a

    SHA1

    7f2537fb9d757127ec1f0b0b75c4a71c951c19ba

    SHA256

    0e69a3f2e450fd587c922e21cdf2b9cb87cf24cce492b12b2b860999e6645cc1

    SHA512

    71409124c3ce18e4c81a196958422b6ed65d53e31961a419b4da1d4904dd18b39480c67883a2fc425db8f20eb266bfc6223f6bc5105e4a6efd696f3244c9a9e2

  • \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1ca9a309-fb5e-46fa-a249-d10201458c21}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    1adafcae38727fac5e62106dd3825e68

    SHA1

    df169161b6f9e5c51d3903d715752ef63ae8f5e4

    SHA256

    6294652fe7302c967d9fa9f78c64fd16ccb8c988f238f90dddcb3428cc13982c

    SHA512

    2ba78059253f26b37dd5cfee8e198c4df21db9c3466742f9390fafceb77e910f555255b6808ce2f74718f9e3f9fb295d26a9488d6fd3d521aaf41f5dfb50e998

  • memory/4088-51-0x000000002A7F0000-0x000000002A81E000-memory.dmp

    Filesize

    184KB

  • memory/4088-52-0x000000002C680000-0x000000002C83B000-memory.dmp

    Filesize

    1.7MB

  • memory/4088-54-0x000000002C680000-0x000000002C83B000-memory.dmp

    Filesize

    1.7MB

  • memory/4088-55-0x000000002C680000-0x000000002C83B000-memory.dmp

    Filesize

    1.7MB

  • memory/4872-43-0x0000000000F90000-0x0000000000FAE000-memory.dmp

    Filesize

    120KB