Analysis

max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2024 20:08

Static task: static1
Behavioral task: behavioral1
  Sample: TwDush.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: TwDush.msi
  Resource: win10v2004-20240802-en

General

Target: TwDush.msi
Size: 66.4MB
MD5: 9800a890a4819b574c5aa5ca9e063d96
SHA1: ede8c738d4e58c770f0ba7792e330756aaf28c7f
SHA256: ec40da7be23e50181fb692525cc62f6cd5f5caa74f653fabaf5d57df1201263b
SHA512: ae52316d3f17cab0370ce6a772861ae5ca5a556f140955c93edf91852695964b57b108c1b85a342d2c52ae8090a6c3d97e7fe5a1c4bd87435135572ab5ca12cf
SSDEEP: 1572864:vXU1B6zASrGGq3ymZM4yLpQBoxFlfAwwsUZWOVH:vXU1B6ASrGGqCcM/DxFBDwhZzH
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3588-72-0x000000002C070000-0x000000002C22B000-memory.dmp | purplefox_rootkit
behavioral2/memory/3588-74-0x000000002C070000-0x000000002C22B000-memory.dmp | purplefox_rootkit
behavioral2/memory/3588-75-0x000000002C070000-0x000000002C22B000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral2/memory/3588-72-0x000000002C070000-0x000000002C22B000-memory.dmp | family_gh0strat
behavioral2/memory/3588-74-0x000000002C070000-0x000000002C22B000-memory.dmp | family_gh0strat
behavioral2/memory/3588-75-0x000000002C070000-0x000000002C22B000-memory.dmp | family_gh0strat
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Y: | PtsxcsyatT16.exe
File opened (read-only) | \??\B: | PtsxcsyatT16.exe
File opened (read-only) | \??\Q: | PtsxcsyatT16.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | PtsxcsyatT16.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\I: | PtsxcsyatT16.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\R: | PtsxcsyatT16.exe
File opened (read-only) | \??\S: | PtsxcsyatT16.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | PtsxcsyatT16.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | PtsxcsyatT16.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\P: | PtsxcsyatT16.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | PtsxcsyatT16.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | PtsxcsyatT16.exe
File opened (read-only) | \??\W: | PtsxcsyatT16.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\K: | PtsxcsyatT16.exe
File opened (read-only) | \??\N: | PtsxcsyatT16.exe
File opened (read-only) | \??\U: | PtsxcsyatT16.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\V: | PtsxcsyatT16.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\H: | PtsxcsyatT16.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | PtsxcsyatT16.exe
File opened (read-only) | \??\M: | PtsxcsyatT16.exe
File opened (read-only) | \??\O: | PtsxcsyatT16.exe
Drops file in Program Files directory 14 IoCs
description | ioc | Process
File created | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe | mvlKSjKRHbPQ.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe | mvlKSjKRHbPQ.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic | PtsxcsyatT16.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log | tADwcTndbYNd.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\MOELauncherSetup_V0TKW.exe | msiexec.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe | msiexec.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe | mvlKSjKRHbPQ.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log | tADwcTndbYNd.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml | mvlKSjKRHbPQ.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe | mvlKSjKRHbPQ.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe | msiexec.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe | msiexec.exe
File created | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.xml | mvlKSjKRHbPQ.exe
File opened for modification | C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.wrapper.log | tADwcTndbYNd.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e584a81.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e584a81.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{8D04A5E8-036B-4B69-AB3F-ADD10738C73E} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4C37.tmp | msiexec.exe
File created | C:\Windows\Installer\e584a83.msi | msiexec.exe
Executes dropped EXE 8 IoCs
pid | Process
1332 | mvlKSjKRHbPQ.exe
1232 | PtsxcsyatT16.exe
4048 | ToDesk.exe
4716 | tADwcTndbYNd.exe
3176 | tADwcTndbYNd.exe
3528 | tADwcTndbYNd.exe
1952 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3392 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PtsxcsyatT16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PtsxcsyatT16.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mvlKSjKRHbPQ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PtsxcsyatT16.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | PtsxcsyatT16.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | PtsxcsyatT16.exe
Modifies data under HKEY_USERS 13 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | PtsxcsyatT16.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | PtsxcsyatT16.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | PtsxcsyatT16.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 22 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductName = "PlanAnalyzerOptimistic" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA\8E5A40D8B63096B4BAF3DA1D70837CE3 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\PackageName = "TwDush.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E5A40D8B63096B4BAF3DA1D70837CE3\ProductFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\376C3C4D8C5B1874EB9AE27A958B6EEA | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\PackageCode = "B4C280FC3A938F442BA728B9CF74E9DC" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E5A40D8B63096B4BAF3DA1D70837CE3\Version = "134807556" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1580 | msiexec.exe
1580 | msiexec.exe
1232 | PtsxcsyatT16.exe
1232 | PtsxcsyatT16.exe
3528 | tADwcTndbYNd.exe
3528 | tADwcTndbYNd.exe
1952 | PtsxcsyatT16.exe
1952 | PtsxcsyatT16.exe
1952 | PtsxcsyatT16.exe
1952 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
3588 | PtsxcsyatT16.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3392 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3392 | msiexec.exe
Token: SeSecurityPrivilege | 1580 | msiexec.exe
Token: SeCreateTokenPrivilege | 3392 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3392 | msiexec.exe
Token: SeLockMemoryPrivilege | 3392 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3392 | msiexec.exe
Token: SeMachineAccountPrivilege | 3392 | msiexec.exe
Token: SeTcbPrivilege | 3392 | msiexec.exe
Token: SeSecurityPrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
Token: SeLoadDriverPrivilege | 3392 | msiexec.exe
Token: SeSystemProfilePrivilege | 3392 | msiexec.exe
Token: SeSystemtimePrivilege | 3392 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3392 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3392 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3392 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3392 | msiexec.exe
Token: SeBackupPrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeShutdownPrivilege | 3392 | msiexec.exe
Token: SeDebugPrivilege | 3392 | msiexec.exe
Token: SeAuditPrivilege | 3392 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3392 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3392 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3392 | msiexec.exe
Token: SeUndockPrivilege | 3392 | msiexec.exe
Token: SeSyncAgentPrivilege | 3392 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3392 | msiexec.exe
Token: SeManageVolumePrivilege | 3392 | msiexec.exe
Token: SeImpersonatePrivilege | 3392 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3392 | msiexec.exe
Token: SeBackupPrivilege | 2416 | vssvc.exe
Token: SeRestorePrivilege | 2416 | vssvc.exe
Token: SeAuditPrivilege | 2416 | vssvc.exe
Token: SeBackupPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1580 | msiexec.exe
Token: SeRestorePrivilege | 1580 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3392 | msiexec.exe
3392 | msiexec.exe
Suspicious use of WriteProcessMemory 19 IoCs
description | pid | Process | procid_target
PID 1580 wrote to memory of 3272 | 1580 | msiexec.exe | 94
PID 1580 wrote to memory of 3272 | 1580 | msiexec.exe | 94
PID 1580 wrote to memory of 5072 | 1580 | msiexec.exe | 96
PID 1580 wrote to memory of 5072 | 1580 | msiexec.exe | 96
PID 1580 wrote to memory of 5072 | 1580 | msiexec.exe | 96
PID 5072 wrote to memory of 1332 | 5072 | MsiExec.exe | 97
PID 5072 wrote to memory of 1332 | 5072 | MsiExec.exe | 97
PID 5072 wrote to memory of 1332 | 5072 | MsiExec.exe | 97
PID 5072 wrote to memory of 1232 | 5072 | MsiExec.exe | 99
PID 5072 wrote to memory of 1232 | 5072 | MsiExec.exe | 99
PID 5072 wrote to memory of 1232 | 5072 | MsiExec.exe | 99
PID 5072 wrote to memory of 4048 | 5072 | MsiExec.exe | 100
PID 5072 wrote to memory of 4048 | 5072 | MsiExec.exe | 100
PID 3528 wrote to memory of 1952 | 3528 | tADwcTndbYNd.exe | 106
PID 3528 wrote to memory of 1952 | 3528 | tADwcTndbYNd.exe | 106
PID 3528 wrote to memory of 1952 | 3528 | tADwcTndbYNd.exe | 106
PID 1952 wrote to memory of 3588 | 1952 | PtsxcsyatT16.exe | 107
PID 1952 wrote to memory of 3588 | 1952 | PtsxcsyatT16.exe | 107
PID 1952 wrote to memory of 3588 | 1952 | PtsxcsyatT16.exe | 107
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; indentation shows parent/child depth)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TwDush.msi
  PID: 3392
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1580
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3272

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 44F08913C9A257A8C177324187AE24F1 E Global\MSI0000
      PID: 5072
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe
          Command line: "C:\Program Files\PlanAnalyzerOptimistic\mvlKSjKRHbPQ.exe" x "C:\Program Files\PlanAnalyzerOptimistic\VKWrWBaIcvTlXvwirqQe" -o"C:\Program Files\PlanAnalyzerOptimistic\" -pyjlAFQsGZRtyUdVIXREr -y
          PID: 1332
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
          Command line: "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 132 -file file3 -mode mode3 -flag flag3
          PID: 1232
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe
          Command line: "C:\Program Files\PlanAnalyzerOptimistic\ToDesk.exe"
          PID: 4048
          - Executes dropped EXE

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 2416
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
  Command line: "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe" install
  PID: 4716
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
  Command line: "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe" start
  PID: 3176
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe
  Command line: "C:\Program Files\PlanAnalyzerOptimistic\tADwcTndbYNd.exe"
  PID: 3528
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
      Command line: "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 157 -file file3 -mode mode3 -flag flag3
      PID: 1952
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe
          Command line: "C:\Program Files\PlanAnalyzerOptimistic\PtsxcsyatT16.exe" -number 362 -file file3 -mode mode3 -flag flag3
          PID: 3588
          - Enumerates connected drives
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: afa6523989a8a801ca6fd5302ffa0407
SHA1: 09ba46ce83802d308fc2d2109298fc6346df5dde
SHA256: b17fb45e38ff8e4489c1b89909f0fd9002b901578e4be459c20321b96e261034
SHA512: 795905ea74a2641dde2711b2c57085d122621019d8df605138e5ee871b0693e613353856d273fa7318b91351dc8051f29d93257ec1533100323a5c96c42b61de

Filesize: 35.6MB
MD5: f0b4afeb9a9582a84c04d33b4f9c93e5
SHA1: 0b9229e8e3879fc4d1310ba493280894cac1f259
SHA256: d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9
SHA512: d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

Filesize: 2.9MB
MD5: 772375794abfe39763f2057e845ff14b
SHA1: 08ada20435475025e8b22d4a7460725fdcb0c3d5
SHA256: c31afb76379f0adaaa98d52f7a6dca18cd9f374672e1e85c6c4f7214080e2248
SHA512: ab67f8af704b0bf8902120b23fd2d31a1b12f05dc64f17b0f5fafb1c96bbf93481d4e147967a891028c2f4f0c5dc0b1eb135c003a2bc33ca4e118c60b70a2ad2

Filesize: 48.3MB
MD5: 1193d280fe00a77b753b8c196969fddf
SHA1: 2ba757374129b149823d67a99e907989732c31dc
SHA256: 56e4cbc58c71fbab44bef5bb191659e92fa6713b6e1834465464f4dea44498ad
SHA512: dd62534de37eae14cce7e83ccdf2e9f1fd6d87ea104c25bb107af4826a128ee40507958ce37c3df937ea238f1370a5e3f3cdcf701d015f6e2d31e45d4c0d1327

Filesize: 1.7MB
MD5: 2b86a11112da3cafddcd7ee308cea7c9
SHA1: 994cce38475425226d857550c86f1651fcfdc2dc
SHA256: 5f80ac378a228c920d0dd85c05c986c06ef3bc05b0b98a85df03428a00c6f9e3
SHA512: da141c69561b862dec313b23a636a34ce831c18973c71c1450372350b1aba9be8291b3ecaa909166bb25f4bfbbd0477c6ff2711bb7475ca8c333a9c677ad56a2

Filesize: 574KB
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 280B
MD5: 36d597f947c6de92911a8d3cc82c3c5d
SHA1: cca97d487243183e2b549edd8f6df4328b5b10c7
SHA256: 3b523b8aecf0149a21aaadb48e4196e324ac97bdc9b9446521ccdd6127cd77d5
SHA512: 5b0190a2436e81bd34b2613fda6c7af4602b175e88d822488e0ee96757cd66ede8664c41ca2446fc764f23e8e662ffd3c0143f2c3d439a15fb2f2c73178cbc0f

Filesize: 443B
MD5: f679215aa278b3424c9ec229c7e9509b
SHA1: bcf9afccdeb2369b0ad02120cf3ff2495b657754
SHA256: 8395003de1bf6a4e16f7561e5ed07ee4ec5be4330731f8d8831a61b897802ff1
SHA512: 520b7b306bde50e8498b35bf9bd3f9718d19d18b12b8fc25eeea9d69fdde8b09d6b46ae76e1c4c1dc929009df9ada529c529c4d93b7ac2c29bab3e1cea541665

Filesize: 507B
MD5: a91e13abf1dde3b0726be18ee0c75297
SHA1: bb9642a7163c99eb20fbba36722770dbcec7a4c2
SHA256: cca019b87d556c01ffd9b0c15afba02e49e721cf0815a4d8f2da35e327376e99
SHA512: 8cc5252406142fb1282a1b07e26bc6022c479e1b15a58f82387c42e2bb9ee43a4fcf2322abb9a33f0674f95eeb2c88eaaaee8bd6b0b15737fbf996a486a82ab2

Filesize: 803B
MD5: 20563c561baff5e4caa9a64fa8306658
SHA1: 03380cd23e915630a72e1d4d76f49c870aa39709
SHA256: bce83661d974b309920af0e6aa24fb3fbe8fd0bcd8cb0975662c87ea5471e77e
SHA512: 5b547edfc7e99611599ce9128d00468525b25816ecfdc8ccf14ce69758e26c3608f3359f42389d4e7ee708ff996469ab6dfabab7e4807f17c9fab8b1f082fb01

Filesize: 454B
MD5: 0bb0372549d39db06d87992e2692c3ab
SHA1: 029139cb33bb4a91ce63860885e31e0539439418
SHA256: 1ebfb436d54c049d89e23306341097350e477de8b955146c3d69448ef4992b67
SHA512: 26d544bfe0b96b124ca36679f2c879b2db682a97c0ac4828cb101b9f292c90b34ef013a16e42f51319d2d15e3f81e408c6d4edfc9b24272397d2344b67a0b82b

Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 23.7MB
MD5: 2a55f963c634d1bfc997b18af5abde10
SHA1: b2004137f43401f607d3fc3b55eaa085aa78ea0b
SHA256: 14934dd66a0f882a22075c7fa9bdfecf6187a1dff65ab95319716388260772d3
SHA512: bb3db9dd2d6ba983f44f0288ac403af9eb2586aa438438ab0032a8d5b17aaf02f942c623cf92b3a58afcb36d83499f40fd6720d150d464a9e755592fac7ec867

\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f1115372-6059-4a69-b0d3-92926b2ecf60}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 962a51f6b15117fbdc555505c530bc65
SHA1: e63c810241552010bc4c8fa7efaa1ac59e38d858
SHA256: e057842bf36817cf3cc5b1a900b5ed3a220cd9eada5b8f8ac51d1d90c4838601
SHA512: 3bb9527be565ff2332c5c1f952d20049c1c56c7ce5be7fa7f7585abee4df30d7239f125acc1034fbb15d5d4ff42165754774e30a61b8350dc8a00d889b48a6a7