Overview

overview

10

Static

static

1

wpsupdate.msi

windows7-x64

6

wpsupdate.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2024 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wpsupdate.msi

  • Size

    18.0MB

  • MD5

    a73709d320e1160a965987bd3298b0bc

  • SHA1

    2b1942cad548a048f62eb643573baf671696c5ea

  • SHA256

    d5d245b5e9d6b56778fcad5bd8154779074e891df0455ae8cc77e14595f0df8c

  • SHA512

    78844102b9d83f5f8f3dc3c1b83217bb0a6a69579168dca0e4740afd1f9f4e8864b9203570b031e9ce47a8f9a2a6db98b558634708fd828727365f0271a5f686

  • SSDEEP

    393216:0vd1NDtHWaIhF5AfrpW4+SRxqwIxgFU1elj6iY9Q4mG3WX0X9Jnbx:0fWaIFaFWdqjle1xB99kC/nbx

Score
10/10
gh0stratpurplefoxbootkitdiscoverypersistenceprivilege_escalationratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2896
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 79693286EF1079034A0B0FE01A226E43 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4324
      • C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe
        "C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe" x "C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR" -o"C:\Program Files\OrganizeSupporterNimble\" -ptLyXGitilIeFgXMurmJK -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:548
      • C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe
        "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 143 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:4992
      • C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe
        "C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe"
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2836
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1028
  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe
    "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:3552
  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe
    "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:5008
  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe
    "C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1876
    • C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe
      "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 174 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe
        "C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57ef24.rbs
    Filesize

    7KB

    MD5

    ee93b0f10e514ddf18f956c96282a844

    SHA1

    034bcb400ed73fb93268b17147dc43c71df6f081

    SHA256

    a297d0ca576cc5d765d3aad8e15da0f6c473d06b3a931d39b9e8c6e12eb55320

    SHA512

    446bc70b71e0c8fe803e8ab374e3c472598fd0879712f17b72e2f117d9bd3c6ff364d65a0dd44a829a552446ca86b379f9e00057674df8158fb9358977c0ec7d

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\TpuaDVwAtO28.exe
    Filesize

    3.1MB

    MD5

    cab83f4897ba305ccf1b3811d0d46b46

    SHA1

    f9b0a859ccfd545ca4794d2e37f0fe92e7469c88

    SHA256

    45265ec03d03272fbda8eca896bdc2f72f8ac0ab862d41f7a97cd823525c0a9c

    SHA512

    e018957a52075c203d48a59b2e049ed0d6980fefe467bd1b49bdd2a9b7aa5efb2d0d84a2b9e24f9b3ce680d424da137a2a7c3bc14f060960fba4cfbd900431ac

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YElwbdcCOAiT.exe
    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.exe
    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log
    Filesize

    270B

    MD5

    4d6f01e2ea288711eb8fbd70614bf69f

    SHA1

    af366738217231369421e99122ddccf201e9342b

    SHA256

    77cd4049dffbbc0350e3e5d92fcd7cd83e402516c3c4632e3366846317d7cbab

    SHA512

    27d1c7283c313ba67de491728b59272079587683871ac6bc794ec84b3e452ac3a7d68b6c65b9f9cacaf6e6095d2e6ea5fbb2852a1ac4bfe4c70baf608f15e063

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log
    Filesize

    428B

    MD5

    5123dd13eda91dca61e8be0a5e539622

    SHA1

    032a9f333ce2c36126a1a41e266f423e21082383

    SHA256

    ce7b83bf87f48b1360a1b96958e1a6d6c0ccc0d2a356106eee51fde8d0ff7536

    SHA512

    ec037fb2f443d519a6308ef3c192448bbc6045f2f6b489131130c02fa50575e50a7d842921eff8b11159a80911264c1c16c3cb555beb7254ced8881188aeb5be

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log
    Filesize

    492B

    MD5

    a036ee62e7e4e2c95fcda776bb4b64d3

    SHA1

    3a2c65d0766c89e73961e7ec7e5e2d43344a56a1

    SHA256

    491af0319ceb983bb7976eb2cebb41c6e1b9878d56201f782e6ee8a82b37528e

    SHA512

    70684155787b4d62008cf0dea41e5adb4965d347a4509041cc2791524dacccf8fdb06c1166f8458dcd118dd236662b8bda58820c277c4564fa18aadf3fbd080d

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.wrapper.log
    Filesize

    783B

    MD5

    fcbad18c2b6a6ea6e8baf22050dcabe4

    SHA1

    4886b7f206a3f2f8f566939e72a447863295e79c

    SHA256

    21e0e73870ee8259c9ef702a2ef70e2e7f96d512373cf9a44e17c958a7f1e347

    SHA512

    8be5b8d2114feceb2fb4d42592b54b38d7f9200f908d450f271969899d3072286ed9c7e69b5284495a07e010dd4744bdbb70ed95584bb3d936f10ad41d8a3a33

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\YoctSidXXbav.xml
    Filesize

    445B

    MD5

    92abd924fa27bb08e129a8bb0ac23fee

    SHA1

    fdb569c5d01e64f7c5a786d57511c0853d196aa6

    SHA256

    7ccf598d801e67c722bcdb422c1abeb6278c0293964c13b49df9cf8ac240490c

    SHA512

    1ae6b8d8f61c8db656ad231d94a429bddb63aa5228fb0b1003b3dc878fd66a7ce90792cfab64f3cd24c9e3951d13174fa28a82c179c8123ab4c3e01c1cffe653

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\qRnXMHAQiKBugDENYhOR
    Filesize

    1.9MB

    MD5

    b40f2629f6045761ca8acf21ec4341e7

    SHA1

    082326d152d2d13a5981ad9f4c3cf7906ec842bc

    SHA256

    2699edad6ae5d99914c94f54075ff20ffce1a6f13e83d4f2e807f614466fd28f

    SHA512

    d70d54d21bd4eb69a9748ca48f246dac236d06996da792818d188ae3a55a2f060a6fbb4421e27fdcf8aa7fd37f60951ef073d79fee1be6bac90d7e4d89dcdacc

    Download Submit

  • C:\Program Files\OrganizeSupporterNimble\wpsupdate.exe
    Filesize

    6.0MB

    MD5

    57dadd6a929f64c2b1efe2d52c1c4985

    SHA1

    962cb227f81f885f23826c3e040aa9dbc97659cf

    SHA256

    996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5

    SHA512

    3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YoctSidXXbav.exe.log
    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_09_20.log
    Filesize

    2KB

    MD5

    5644bc0ef264d8fa14559cbfbfe93059

    SHA1

    16df67e3511dab5cc1e88a91c74c9a863721afee

    SHA256

    70a5e0e35fdaf4781f43d8f9687f17a79d70d4d2735f64676146d4c345b1cce5

    SHA512

    db1740a3e1a7cf1ed26a2e35579df1522ed666c6587fdb1a9699ae0867dce2a54a56646b8b4b4b9a4afc957997fac01fb357d85ddd3a5e0de2e3f676beb5cb7f

    Download Submit

  • C:\Windows\Installer\e57ef23.msi
    Filesize

    18.0MB

    MD5

    a73709d320e1160a965987bd3298b0bc

    SHA1

    2b1942cad548a048f62eb643573baf671696c5ea

    SHA256

    d5d245b5e9d6b56778fcad5bd8154779074e891df0455ae8cc77e14595f0df8c

    SHA512

    78844102b9d83f5f8f3dc3c1b83217bb0a6a69579168dca0e4740afd1f9f4e8864b9203570b031e9ce47a8f9a2a6db98b558634708fd828727365f0271a5f686

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    2ce38c409c255e1823e9853060f7f9af

    SHA1

    43ded72581bee7edbd30dec8a2b63ef628914121

    SHA256

    ae479bb9172315391b03d66b61eef178be67577e911638c1dd784b4ec8a4455d

    SHA512

    edf454788993fda74d894f96e54f0054dce102f962901696ed2728bddd68dc88f26f99d3fd0c01bbedcf7884b946bc9e2dcc9eafdda9fc03e77931eb8295c192

    Download Submit

  • \??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a7c4148d-de72-42ce-8f18-9f26652a054d}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    7431db0f897ce489ff5231727661f209

    SHA1

    e5c801ce7ef87d165133fb076d9bb049bf5846ef

    SHA256

    4c344824419628994ff51a7886b47eb7821f9cab2273da6cabcfd8624d26f11e

    SHA512

    48174cb2210330ab8180976defb1b747836db258b8114da755168f3c715b1b610e1f433a7a2963d572a2c260bece332d2ec6b5e5791668218b3cab0824b3a3fa

    Download Submit

  • memory/3552-46-0x0000000000330000-0x0000000000406000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3932-73-0x000000002B660000-0x000000002B81B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3932-75-0x000000002B660000-0x000000002B81B000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4992-30-0x0000000029D90000-0x0000000029DBA000-memory.dmp

    Filesize

    168KB

    Download