Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/09/2024, 04:27

General

  • Target

    wpsupdate.msi

  • Size

    17.9MB

  • MD5

    151a066813a13375522df7282f2837d8

  • SHA1

    61ff6e9d0be8681c59e8296d4d8a2b3579044858

  • SHA256

    9a6bc8d7631fe970648bc6d30c99b8764fb9f1e51fca7220799b8d3e6cfa86ea

  • SHA512

    4e101083b6df77435a857bd9c5322c16e18742b82de82dc0282ff47d104acaf475f5619b4048c59d29fb3db0006d385786e5b82e67ce132c0e87d411fec8ba5d

  • SSDEEP

    393216:/Wp84flbAgjDPLgoZr3hfE3XG1Ccu3mBe2fJpAMdLSVQvzmFE1KYo0Nw5i4hH:/UflhTgo5hM3Y2mBvxoFzd5iYH

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.
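
The "Writes to the Master Boot Record (MBR)" signature above, raised on the dropped wpsupdate.exe, is the one behaviour in this list that survives a reimage of the Windows partition, so a practitioner wants a way to verify sector 0 after cleanup. The Python below is an added example, not part of the report or of any Triage tooling: it parses a raw 512-byte sector into boot code, partition table and signature, and diffs it against a baseline capture. The two sectors inside it are constructed for the example, not taken from the sample, and the layout it relies on (446 bytes of boot code, four 16-byte partition entries at 0x1BE, the 0x55AA signature at 0x1FE) is the classic MBR format.

```python
"""Offline check for the 'Writes to the Master Boot Record' behaviour flagged above.
Added example, not tooling from the report; the two sectors below are constructed,
not captures from the sample."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0x000-0x1BD hold the boot code a bootkit replaces
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def compare_mbr(current: dict, baseline: dict) -> list:
    """Return human-readable findings; an empty list means sector 0 is unchanged."""
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    if "boot code changed" in findings and "partition table changed" not in findings:
        # Bootkits typically patch only the 446-byte boot code and leave the
        # partition table intact so that Windows still boots afterwards.
        findings.append("bootkit-like: boot code replaced, partition table intact")
    return findings


def build_sector(boot_code: bytes, partitions=((0x80, 0x07, 2048, 0x100000),)) -> bytes:
    """Constructed MBR for the example: pads the boot code, writes entries, appends signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    sector += b"\x00" * (SECTOR_SIZE - BOOT_CODE_LEN)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack("<B3sB3sII", status, b"\xff\xff\xff", ptype,
                                           b"\xff\xff\xff", lba_start, sectors)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed sectors: a "known good" capture and one whose boot code was replaced.
BASELINE_SECTOR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32)
TAMPERED_SECTOR = build_sector(b"\xeb\xfe" + b"\x41" * 64)


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (needs Administrator); also works on a raw disk image."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    for line in compare_mbr(parse_mbr(TAMPERED_SECTOR), parse_mbr(BASELINE_SECTOR)):
        print(line)
```

Capture the baseline with read_sector0() from an elevated prompt before the suspect installer runs, store the parse_mbr() result, and diff again afterwards; the same baseline applies to a raw disk image opened with the same function. A change to the boot code alone, with the partition table untouched, is the pattern a bootkit leaves, which is why that combination gets its own finding.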

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2724
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2564
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1672
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 216C2C84EF05DA8B454428DD134EAC40 E Global\MSI0000
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe
          "C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe" x "C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH" -o"C:\Program Files\LaunchAdvisorUnique\" -pasvgcrJQGolJwtcpGtoH -y
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2188
        • C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe
          "C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -number 268 -file file3 -mode mode3 -flag flag3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4404
        • C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe
          "C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe"
          3⤵
          • Writes to the Master Boot Record (MBR)
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3060
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe
      "C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -file file3 -mode mode3 -flag flag3 -number 200
      1⤵
      • Enumerates connected drives
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4828
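
The tree above is the part of this report worth turning into detection logic: msiexec.exe /V hands off to a 32-bit MsiExec.exe -Embedding custom-action server, which then runs three binaries out of the freshly created C:\Program Files\LaunchAdvisorUnique\ directory, one of them invoked with x <archive> -o<dir> -p<password> -y switches (these match 7-Zip's command-line syntax, which is an inference from the switches, not something the report states), and qPptEPZEtb29.exe later reappears at the top level without a parent in the tree. The Python below is an added example, not Triage output: it replays the report's process list as constructed process-creation events (the parent PIDs are assumed, because the page shows only tree depth) and flags a custom-action server launching non-Windows binaries, password-protected extraction by a binary not named like 7-Zip, and a dropped binary relaunched outside the installer's process tree.

```python
"""Process-tree triage rules modelled on the msiexec -> dropped-binary chain above.
Added example; the events are constructed from the report's process list and the
parent PIDs are assumed, not taken from the page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree; PPIDs 700 and 9999 are assumed.
EVENTS = [
    ProcEvent(2564, 700, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2332, 2564, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 216C2C84EF05DA8B454428DD134EAC40 E Global\MSI0000"),
    ProcEvent(2188, 2332, r"C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe",
              r'"C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe" x '
              r'"C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH" '
              r'-o"C:\Program Files\LaunchAdvisorUnique\" -pasvgcrJQGolJwtcpGtoH -y'),
    ProcEvent(4404, 2332, r"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe",
              r'"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -number 268 -file file3 -mode mode3 -flag flag3'),
    ProcEvent(3060, 2332, r"C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe",
              r'"C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe"'),
    ProcEvent(4828, 9999, r"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe",
              r'"C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe" -file file3 -mode mode3 -flag flag3 -number 200'),
]

# 7-Zip-style extraction switches: "x"/"e" command, -o<dir>, -p<password>, -y.
ARCHIVE_CMD = re.compile(r"\s[xe]\s")
ARCHIVE_OUT = re.compile(r"\s-o\S")
ARCHIVE_PWD = re.compile(r"\s-p\S")
ARCHIVE_YES = re.compile(r"\s-y(?:\s|$)")


def is_msi_custom_action_server(ev: ProcEvent) -> bool:
    """MsiExec.exe started with -Embedding is the server that runs custom actions."""
    return ev.image.lower().endswith("\\msiexec.exe") and "-embedding" in ev.cmdline.lower()


def looks_like_password_extract(cmdline: str) -> bool:
    """Extract command plus a password switch, plus either an output dir or -y."""
    return bool(ARCHIVE_CMD.search(cmdline) and ARCHIVE_PWD.search(cmdline)
                and (ARCHIVE_OUT.search(cmdline) or ARCHIVE_YES.search(cmdline)))


def triage(events) -> list:
    """Return (pid, rule) findings for the chain seen in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    dropped_dirs = set()
    for ev in events:
        parent = by_pid.get(ev.ppid)
        img = ev.image.lower()
        in_windows_dir = img.startswith("c:\\windows\\")
        if parent and is_msi_custom_action_server(parent) and not in_windows_dir:
            findings.append((ev.pid, "msi-custom-action-runs-dropped-binary"))
            dropped_dirs.add(img.rsplit("\\", 1)[0])
        if looks_like_password_extract(ev.cmdline):
            findings.append((ev.pid, "password-protected-archive-extraction"))
    # Second pass: anything from a dropped directory whose parent is not in the
    # tree was relaunched by some other mechanism (task, service, injected thread).
    for ev in events:
        if ev.image.lower().rsplit("\\", 1)[0] in dropped_dirs and ev.ppid not in by_pid:
            findings.append((ev.pid, "dropped-binary-relaunched-outside-installer-tree"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(pid, rule)
```

Legitimate installers also run custom actions, so the first rule alone is noisy; the combination with a password-protected extraction into Program Files by a binary with a random name, followed by a relaunch outside the msiexec tree, is what separates this sample from an ordinary MSI.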

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57afb9.rbs

      Filesize

      7KB

      MD5

      7dab22ed48eb1dc86b106244ea5984cb

      SHA1

      d2444915ab13de25a49cc72c858f9f518859e213

      SHA256

      53a44bc6e72f515b7b0fc6e5f259bd347f6d2448737da80933a4fb4e6bda812b

      SHA512

      251a48de3761320b66e47534e9f3f1eb7cd13beb60506ca736a24145046e672505529def15ba76c568b321719daf9a2b1579e2b9e275f48863a420ce6e8fd39b

    • C:\Program Files\LaunchAdvisorUnique\jzafRqbTGRDF.exe

      Filesize

      574KB

      MD5

      42badc1d2f03a8b1e4875740d3d49336

      SHA1

      cee178da1fb05f99af7a3547093122893bd1eb46

      SHA256

      c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

      SHA512

      6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    • C:\Program Files\LaunchAdvisorUnique\qPptEPZEtb29.exe

      Filesize

      2.1MB

      MD5

      03362c3b0c370e2d69835e761c3e4e39

      SHA1

      50e80b7cd693b070238e4d9b9c6fe1c4aee72ebb

      SHA256

      eb63c7b4ce832c8bc998e153ed32ef86a767402c0f68ec7d4719ffd3c35ab1dc

      SHA512

      340fcf7b6b795f21fe5dd0f144ee4bde0aef49f51eb811a6d01bb4354d0d52d90ad0a691d6f0660d74ce1c269be64a315f31deffaad967de78c8c0c035085e86

    • C:\Program Files\LaunchAdvisorUnique\sqFZEXePXWvsoVXJtAfH

      Filesize

      745KB

      MD5

      1e97cf2c873236220e524271fa7c1937

      SHA1

      11318422806b64985ab81df5c0f561f12b53e240

      SHA256

      5252b5f301b1db5f73985a6134213a8353f561652001265432e7109cf87c466d

      SHA512

      fbda82c35c29c6b602ff03d39fd82a8521e2d738aa551e3128c1db76fed35ac5a9ee0b201513e8baadb31eafc0b89e7f27b32f1319cd2eb3e2de57b3e3d75f3c

    • C:\Program Files\LaunchAdvisorUnique\wpsupdate.exe

      Filesize

      6.0MB

      MD5

      57dadd6a929f64c2b1efe2d52c1c4985

      SHA1

      962cb227f81f885f23826c3e040aa9dbc97659cf

      SHA256

      996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5

      SHA512

      3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

    • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_09_11.log

      Filesize

      2KB

      MD5

      81ff6b8703a04606f3a5b3948f9c7158

      SHA1

      d83da365eae19fe75f6bbda3ac63111b1d2273d7

      SHA256

      9f71ac7bb93c7cf49439893fc6a0115a76a58f29377af0e4122a4f90169fb9cc

      SHA512

      d1ce4dfc4bf90ee9af1334256e1cac3dfac58558e67e94d374e347e73c2520e2d0c6903642f909ef14f42c24540abe2aca3a3f3955bc259044f48c43ab5900a2

    • C:\Windows\Installer\e57afb8.msi

      Filesize

      17.9MB

      MD5

      151a066813a13375522df7282f2837d8

      SHA1

      61ff6e9d0be8681c59e8296d4d8a2b3579044858

      SHA256

      9a6bc8d7631fe970648bc6d30c99b8764fb9f1e51fca7220799b8d3e6cfa86ea

      SHA512

      4e101083b6df77435a857bd9c5322c16e18742b82de82dc0282ff47d104acaf475f5619b4048c59d29fb3db0006d385786e5b82e67ce132c0e87d411fec8ba5d

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      be75974be3e0ebc061877b58c8c8b0c1

      SHA1

      cb83b0a494f04bcba23436d85c1fd70f8875d2d5

      SHA256

      2b5efac303741004ad6a3ca195f08a8ce7fdc524a27463164b515d8e6060d5cd

      SHA512

      293fe20b611c3679d6337e9726fdf187e8fe0820859def247f6f3c588cced80115fb53d9aab6570eee9639ae8ab92f1335bf9eee691fe4e1851057b548556e41

    • \??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2456e141-804a-4898-aac1-384abc9a42f7}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      c601d37ef88666663cf7f77002be05e6

      SHA1

      59301e01a44e979b6df4655140b055bf33fada0c

      SHA256

      3d042302f6a50c97c1b4e5d999bcc2fb45758352f640d06b1f6a8b676df1e675

      SHA512

      f589f7ed82f4b1b58b383924556f9a7727d5fe314c258e3fce7d9fe55f4eefc3ac43cba0211bf3b931a88b04f8dfbfd2e0a12d780719f9675aaedca7fc40244d

    • memory/4828-38-0x000000002BEB0000-0x000000002C06B000-memory.dmp

      Filesize

      1.7MB

    • memory/4828-40-0x000000002BEB0000-0x000000002C06B000-memory.dmp

      Filesize

      1.7MB
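
The Downloads list above is the set of file artefacts this run left behind. The Python below is an added example, not Triage tooling: it carries the SHA256 values and path fragments from that list and sweeps a mounted image or live drive for them, hashing each file once for MD5, SHA1 and SHA256 so the other digests can be compared against whatever feed a team uses. The random-looking directory and file names (LaunchAdvisorUnique, jzafRqbTGRDF.exe) are specific to this build and are assumed to rotate between samples, so the path markers are treated as the weaker indicator.

```python
"""Hash-and-path sweep for the artefacts listed above.  Added example; the hash
table is transcribed from the report's Downloads section, the scanner is not
Triage tooling, and the file names are the ones this run used."""
import hashlib
import io
import os

# SHA256 -> label, transcribed from the Downloads section of the report.
REPORT_SHA256 = {
    "9a6bc8d7631fe970648bc6d30c99b8764fb9f1e51fca7220799b8d3e6cfa86ea":
        "wpsupdate.msi (also cached as C:\\Windows\\Installer\\e57afb8.msi)",
    "c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf":
        "jzafRqbTGRDF.exe (extractor invoked with x / -o / -p / -y)",
    "5252b5f301b1db5f73985a6134213a8353f561652001265432e7109cf87c466d":
        "sqFZEXePXWvsoVXJtAfH (archive extracted with a -p password)",
    "eb63c7b4ce832c8bc998e153ed32ef86a767402c0f68ec7d4719ffd3c35ab1dc":
        "qPptEPZEtb29.exe (dropped; enumerates drives, reads CPU registry keys)",
    "996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5":
        "wpsupdate.exe (dropped; writes to the MBR)",
}

# Path fragments from the report, matched case-insensitively.
PATH_MARKERS = (
    "\\program files\\launchadvisorunique\\",
    "\\kingsoft\\office6\\log\\update\\wpsupdate_",
)


def digest_stream(fobj, chunk_size=1 << 20) -> dict:
    """MD5, SHA1 and SHA256 of a stream in one pass (the MSI alone is 17.9MB)."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def digest_bytes(data: bytes) -> dict:
    return digest_stream(io.BytesIO(data))


def match_hashes(digests: dict):
    """Label from the report if the SHA256 is a known artefact, else None."""
    return REPORT_SHA256.get(digests.get("sha256", "").lower())


def path_is_ioc(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in PATH_MARKERS)


def sweep(root: str) -> list:
    """Walk a mounted image or live drive and return (path, reason) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if path_is_ioc(full):
                hits.append((full, "path matches report artefact"))
            try:
                with open(full, "rb") as fh:
                    label = match_hashes(digest_stream(fh))
            except OSError:   # locked, unreadable or vanished file; keep going
                continue
            if label:
                hits.append((full, "sha256 matches " + label))
    return hits


if __name__ == "__main__":
    import sys
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, "->", path)
```

Run it against the root of a mounted disk image or, on a live host, an elevated prompt so that C:\Windows\Installer and C:\Config.Msi are readable; the cached e57afb8.msi and the .rbs rollback script are the installer's own copies and are often the last artefacts left when the Program Files directory has already been removed.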