Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-09-2024 11:09

General

  • Target

    WPS-Office_10469357_401533.msi

  • Size

    41.1MB

  • MD5

    27ba48360e40e33e30f22f9258ca8aec

  • SHA1

    f86f07a4fde054f77591c7c42a751f4fa566cdd5

  • SHA256

    593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

  • SHA512

    0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497

  • SSDEEP

    786432:bz9YO2wwhIk3QM8g4fzggu4Pm7WJn8tKFodQrzRIwio026V:Fa3Qg4fzgh4fn8tKFeQr9tiod6V

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS-Office_10469357_401533.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2664
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B3CB3C7097237A4B2068D7CC8274608A E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4048
      • C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe
        "C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe" x "C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr" -o"C:\Program Files\SecureSponsorGenerous\" -pBtrCoSaelPTuXoCAcEwA -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2544
      • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
        "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 242 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3652
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files\SecureSponsorGenerous\xlsx.xlsx"
        3⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1848
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4188
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
    1⤵
      PID:1112
    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
      "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe" install
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:2608
    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
      "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:1932
    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
      "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
        "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 213 -file file3 -mode mode3 -flag flag3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
          "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 362 -file file3 -mode mode3 -flag flag3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1920

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e5894ab.rbs

      Filesize

      7KB

      MD5

      8f9d556dc6c13fecf0042791750d4504

      SHA1

      8d9965a4414318317de500110326aa2998a28545

      SHA256

      d57365d558c27d19bffe9e6b46fcdf649479e1bec7e201e24f31231fa1a48a39

      SHA512

      55cce8c7b21474c51c5e2ea724cd1eb6204d897b4a4a46068a439f6e9be61d36361c929235dc0f7684f147d98d041499265b954734cba56f1c727cc009907798

    • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe

      Filesize

      3.2MB

      MD5

      1c3d835b334c146196997f99df3c6f8e

      SHA1

      0027a83539881abaf1f5cb3a2cc0cd6ba528d000

      SHA256

      dcd7d379effc6f28e3fc43bdeebc3c39c933a93b09d9dc6691fb64392c432b3f

      SHA512

      f4da23997640cad08e9c3cc605472bb3b112e01406cc18789bd78d1f735790029cede3cd784d5d66882d571d6d515666a2017463ab5be454df50ddc4498d6042

    • C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr

      Filesize

      2.0MB

      MD5

      d076e5e2afedcdbd328b5a3f0222b408

      SHA1

      8d8407cf4006934271fbd1f0c251fb5e91786997

      SHA256

      7a275f7f2ccf99a65eb4bd5f8cbd944041473b6c804487daf03b720700b760ea

      SHA512

      1f58ffe864710bc35f790510284b39337e8caaf0cf434517afcf0e894dd99c737aba22da27ddd6ee93ce7791407c7338ad2433b4310815f3f644fc72a212b2d9

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe

      Filesize

      832KB

      MD5

      d305d506c0095df8af223ac7d91ca327

      SHA1

      679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

      SHA256

      923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

      SHA512

      94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

      Filesize

      270B

      MD5

      1d338b3066fd6ea39c80a2e91fedfb9f

      SHA1

      40d57cd527751d1d3388aad289475b0692d54a7b

      SHA256

      da12f7f765cc808a448b4edb3b5d13575aab9ea0b0aa830bc5cd155c745b1f17

      SHA512

      883ccfe2cf5d3bac252af864b2fa4a6c3c8399d7e0aaa88faddf52235b2ae87ec9d8c74a1b0310b5206739d3d0e343fba045ecb7b7bfac2f7669c57a918dadc9

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

      Filesize

      428B

      MD5

      3e0b5614f34b58cc3d6ed56778e8f0d6

      SHA1

      b327156488ebbd7a4756a0785787e0b26964b443

      SHA256

      252165b90d3f1eb2d1539409ac0db208ad66602e6afaa4077e49cd5e5fc7018d

      SHA512

      703c27ecb63843cc360371e0fb49c504db2bb71b66be9b08428ab39b16bbc4a0d82af9b8b59b7feb04b22d4d80aca79aab00c42bc6b2421d0a2995a4db1b453e

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

      Filesize

      596B

      MD5

      f9f3d11fb398ced7219bc340a503d547

      SHA1

      941de7d1b67b0f8301cefc7cd4e9d9ea1488d447

      SHA256

      697069d1292b5a3d80048b131d6770b390447fa86a8d4a5de6df861911811502

      SHA512

      1eae6a36252982061277ac9e14ef9b33c1d745d0e7cf03043745685cac31ea44b6593c9def3ef9df616d8be6c23a6bf645b5863f62b5529b7a9f619c401efdf1

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

      Filesize

      741B

      MD5

      6b56fb4911a81c4a05cfafee15ef67e2

      SHA1

      7c238cb0697dec7344c0598beb9ee511e85058db

      SHA256

      581b316e1d9aa91629d82e506f60bccb534079a9522ad3145eeedc0b1e7a1223

      SHA512

      c69e92eaabed962e66dd75be75044883d91d297c507911f58305f646b310cac56fc87b76c42690fd8895bd876744af68f0a890a32555a437220f395ad6ae6bf1

    • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml

      Filesize

      442B

      MD5

      5813fb505a190a74c67a360751f71fd8

      SHA1

      94aff8481367ecd341f6f6aaa99deb5cb1c6a929

      SHA256

      b05428a2721bad3623587ea39a27f2eec42df1483645a67d4432ddd29feaa885

      SHA512

      169d429ef514e0b722220ff0af3f00eb2ab30b5e7a4439835f45d9fa2a3d1852e6a80e73ac346a10d244498f2c52e8f745ed6c8458ba3bc3574f7ed1d39e7674

    • C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe

      Filesize

      574KB

      MD5

      42badc1d2f03a8b1e4875740d3d49336

      SHA1

      cee178da1fb05f99af7a3547093122893bd1eb46

      SHA256

      c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

      SHA512

      6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    • C:\Program Files\SecureSponsorGenerous\xlsx.xlsx

      Filesize

      8KB

      MD5

      5001ead50aa6c32c9d7e6c6dfb4033f0

      SHA1

      c273c9bc2a996bb9ab65f7d30ccbf38bb755ed57

      SHA256

      a3d37b43693ef32bfcd324bb4f2523c828648e012828504302f3f182c97c4cda

      SHA512

      28d970204f02d6bc270fae20cf0ba78a8086e6dd2552f10f6c30d72c324fa2ca5ca44b2aca3830064caa57abd7255edb1147ea2bf0d103b22b75094f20f6d0bb

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bgHAdnVGRnVK.exe.log

      Filesize

      1KB

      MD5

      122cf3c4f3452a55a92edee78316e071

      SHA1

      f2caa36d483076c92d17224cf92e260516b3cbbf

      SHA256

      42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

      SHA512

      c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    • C:\Windows\Installer\e5894aa.msi

      Filesize

      41.1MB

      MD5

      27ba48360e40e33e30f22f9258ca8aec

      SHA1

      f86f07a4fde054f77591c7c42a751f4fa566cdd5

      SHA256

      593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

      SHA512

      0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      d737436d211bea085affa63bdb80dd7e

      SHA1

      b7da3f211666ff5ad5ec213b2ebcdd33216c007f

      SHA256

      412fa287d6d696219ced7e2958b8fab16d6b4f52e6b04bfa45912d769baf3f0c

      SHA512

      c53c6cbd05a9ee011a36e53e88a243af65efae560512dbd1131e027ee36c38476c3268b7644b89e48432d44644a179aade32bf1b90c83a8944281a65828e067c

    • \??\Volume{ff3ab8f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5acae3af-2097-4007-9ad1-6ede4c90e4d3}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      749046b6e78b1283253cdc64b56ff9ba

      SHA1

      115c8dfd436dc13cf312281d07aea3f10e708f42

      SHA256

      e8bf3c5359730dd397f03da67ae2bdfad2c79e8de011378b6a4359963d3802e9

      SHA512

      3aca02f4993002177e24563616db5487f6b53f9dacf92f66cbf2bba93fcb8fd4f2ee3716754c54f55cfd4161dd6cb2ba73c42c400f6869096bfb6ae9f78d26f6

    • memory/1848-34-0x00007FF945C50000-0x00007FF945C60000-memory.dmp

      Filesize

      64KB

    • memory/1848-41-0x00007FF945C50000-0x00007FF945C60000-memory.dmp

      Filesize

      64KB

    • memory/1848-37-0x00007FF945C50000-0x00007FF945C60000-memory.dmp

      Filesize

      64KB

    • memory/1848-47-0x00007FF943490000-0x00007FF9434A0000-memory.dmp

      Filesize

      64KB

    • memory/1848-33-0x00007FF945C50000-0x00007FF945C60000-memory.dmp

      Filesize

      64KB

    • memory/1848-32-0x00007FF945C50000-0x00007FF945C60000-memory.dmp

      Filesize

      64KB

    • memory/1848-45-0x00007FF943490000-0x00007FF9434A0000-memory.dmp

      Filesize

      64KB

    • memory/1920-81-0x000000002A480000-0x000000002A4C3000-memory.dmp

      Filesize

      268KB

    • memory/1920-82-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/1920-84-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/1920-85-0x000000002C080000-0x000000002C23B000-memory.dmp

      Filesize

      1.7MB

    • memory/2608-54-0x0000000000F10000-0x0000000000FE6000-memory.dmp

      Filesize

      856KB