Analysis

  • max time kernel: 150s
  • max time network: 142s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 21-09-2024 18:03

General

  • Target: TwDush.msi
  • Size: 66.4MB
  • MD5: 9800a890a4819b574c5aa5ca9e063d96
  • SHA1: ede8c738d4e58c770f0ba7792e330756aaf28c7f
  • SHA256: ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b
  • SHA512: ae52316d3f17cab0370ce6a772861ae5ca5a556f140955c93edf91852695964b57b108c1b85a342d2c52ae8090a6c3d97e7fe5a1c4bd87435135572ab5ca12cf
  • SSDEEP: 1572864:vXU1B6zASrGGq3ymZM4yLpQBoxFlfAwwsUZWOVH:vXU1B6ASrGGqCcM/DxFBDwhZzH

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 13 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4100
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4124
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BD8D66A1343BC3D5043AD56D60942914 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe
        "C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x "C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" -o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2376
      • C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
        "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1540
      • C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe
        "C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"
        3⤵
        • Executes dropped EXE
        PID:2700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4716
  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
    "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:4544
  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
    "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:216
  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
    "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
      "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 157 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
        "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4964

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57efcf.rbs
    Filesize: 7KB
    MD5: 099c071db3edb5faf1a59ee980f0dda7
    SHA1: 9d5e433d7f8e19f5e89533d3f3b441fe34607a70
    SHA256: c8743a84123a62cb8025e11d7fc38a2857a84df1f22ccc7b03e984739a13c83f
    SHA512: 4a0221f3e3d2b533321297ab5455c2e9870f77dd7ffb17ae4f23d0c81b27d254245cf7e635276cb37448d9d8df8c2694f0b0ffd73c50546723c69eb6e0047115

  • C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe
    Filesize: 35.6MB
    MD5: f0b4afeb9a9582a84c04d33b4f9c93e5
    SHA1: 0b9229e8e3879fc4d1310ba493280894cac1f259
    SHA256: d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9
    SHA512: d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

  • C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
    Filesize: 2.9MB
    MD5: 772375794abfe39763f2057e845ff14b
    SHA1: 08ada20435475025e8b22d4a7460725fdcb0c3d5
    SHA256: c31afb76379f0adaaa98d52f7a6dca18cd9f374672e1e85c6c4f7214080e2248
    SHA512: ab67f8af704b0bf8902120b23fd2d31a1b12f05dc64f17b0f5fafb1c96bbf93481d4e147967a891028c2f4f0c5dc0b1eb135c003a2bc33ca4e118c60b70a2ad2

  • C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe
    Filesize: 48.3MB
    MD5: 1193d280fe00a77b753b8c196969fddf
    SHA1: 2ba757374129b149823d67a99e907989732c31dc
    SHA256: 56e4cbc58c71fbab44bef5bb191659e92fa6713b6e1834465464f4dea44498ad
    SHA512: dd62534de37eae14cce7e83ccdf2e9f1fd6d87ea104c25bb107af4826a128ee40507958ce37c3df937ea238f1370a5e3f3cdcf701d015f6e2d31e45d4c0d1327

  • C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe
    Filesize: 1.7MB
    MD5: 2b86a11112da3cafddcd7ee308cea7c9
    SHA1: 994cce38475425226d857550c86f1651fcfdc2dc
    SHA256: 5f80ac378a228c920d0dd85c05c986c06ef3bc05b0b98a85df03428a00c6f9e3
    SHA512: da141c69561b862dec313b23a636a34ce831c18973c71c1450372350b1aba9be8291b3ecaa909166bb25f4bfbbd0477c6ff2711bb7475ca8c333a9c677ad56a2

  • C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe
    Filesize: 574KB
    MD5: 42badc1d2f03a8b1e4875740d3d49336
    SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
    SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
    SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
    Filesize: 832KB
    MD5: d305d506c0095df8af223ac7d91ca327
    SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
    SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
    SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log
    Filesize: 280B
    MD5: 60160b749aa585632ff06d795ece18c0
    SHA1: ed3fe8c6513d72e9a14479f137edab589c8f2fcf
    SHA256: 1bbe2f85ecfa090d61e8a7ec42f9aefe4d60f83ff91ecd7f50318e68465e29e6
    SHA512: a49f0d72a3179e2b69792eae902fbc25730ad0864079bd6dde5c15cf5950e0874acfce8ec8ff84b65f798d3002899cc35ecd8b7c8a2463a103a6db8396362667

  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log
    Filesize: 507B
    MD5: c5047c97118b26f7ea0770aafcebfc09
    SHA1: 337752c5d3d203b80f7948d2e17652d4240fdb0b
    SHA256: 158eeb17914adfda8d20ab5392ce07ecedaad5e56487a37d0f275c599e56b0ba
    SHA512: 1cc17a58d819155e3433c95ec305bef03d60075e2dab03fe590e8111039e9611557aee1f9d38b5b658b542c1608e545f8962ddd26eeeb7711a69f98cb06791c2

  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log
    Filesize: 763B
    MD5: 90d5fb2300d837d4fd3b7364eb3b4684
    SHA1: 1ae5b6819178519fd1fb870cbdde82f324b4daff
    SHA256: fc7a54c2d6a59554eb814a199af2a5bc28e76093a2b4db83abd85956d0753585
    SHA512: 3e64ddd8c455f35ee69c5bb90712b894d4b103166b2641ccc8289d541abfeee66cb18ddb060781a8378bd37ff44c2297b54bb8010b60dcef2ccdfd3228ba9552

  • C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml
    Filesize: 454B
    MD5: 0bb0372549d39db06d87992e2692c3ab
    SHA1: 029139cb33bb4a91ce63860885e31e0539439418
    SHA256: 1ebfb436d54c049d89e23306341097350e477de8b955146c3d69448ef4992b67
    SHA512: 26d544bfe0b96b124ca36679f2c879b2db682a97c0ac4828cb101b9f292c90b34ef013a16e42f51319d2d15e3f81e408c6d4edfc9b24272397d2344b67a0b82b

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tADwcTndbYNd.exe.log
    Filesize: 1KB
    MD5: 122cf3c4f3452a55a92edee78316e071
    SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
    SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
    SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 23.7MB
    MD5: fef412a9c2e4bc4a643d779212d1c3e8
    SHA1: ef84bc2b04e757065ca80bd42911bdd802427ff2
    SHA256: c2e5de65e95b62c1b636ab421af968771321552e102d3f329135c8669ab9263b
    SHA512: 7b094318f352ef71c838dcb5abaa031899d7f28c4132374c0e2e865215e0ebf0f3ed93cf80005f7819bd43750976869ea1d18774741f6b797726b3331cea66e9

  • \??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c9c820d0-9219-4b73-9de4-aec652c0ea4d}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 0fd2c97a012a76ff7522cf301dcbdab6
    SHA1: c36f2b03424cb8627754ce48a19501ffe5f6e4da
    SHA256: a11384731f0e5100e9db288043647e2f04552e671a32470f9f0108ee64dfdf4e
    SHA512: 97e27ac56d20d86d2376a13f32ece94b66695c10a4a3fa02884d20122dc46c60b46c262b9b88e46abe23d80b0bef23fc53abab032596f436e1fe91bc884e1cc2

  • memory/1540-27-0x000000002A010000-0x000000002A03A000-memory.dmp
    Filesize: 168KB

  • memory/4544-45-0x0000000000480000-0x0000000000556000-memory.dmp
    Filesize: 856KB

  • memory/4964-72-0x000000002A6B0000-0x000000002A6F3000-memory.dmp
    Filesize: 268KB

  • memory/4964-73-0x000000002C2E0000-0x000000002C49B000-memory.dmp
    Filesize: 1.7MB

  • memory/4964-75-0x000000002C2E0000-0x000000002C49B000-memory.dmp
    Filesize: 1.7MB

  • memory/4964-76-0x000000002C2E0000-0x000000002C49B000-memory.dmp
    Filesize: 1.7MB