Analysis

  • max time kernel
    150s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-09-2024 11:28

General

  • Target
    kuilian89.msi
  • Size
    35.9MB
  • MD5
    6bd8fab2fd596986f7f55c0993ae1981
  • SHA1
    ab2963c0959aaa08ce98ae3e7990ecb5b4cbf313
  • SHA256
    59d6dc380808c3e46f3ec1d7b2aeae25a542e0082d0ff6efff12a6abd379b6c1
  • SHA512
    4fade01d209ffa312f55477eeaeaf0600b9fe43a3cf8af92fdfb0f3eedb2c7facfaf1e803c73b32c2f4346beb010124515388af4d08e7520495ff0d54a316685
  • SSDEEP
    786432:+0SBQMqgaahHtS6fKR0h5w1NMICKjpYpMUDRDbNm5IZYax4TzFVwEG7aPuDu9d:TSB/qgvg6CR04NMIC4ZUFDbNm5zjTJVD

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 54 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kuilian89.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1900
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2644
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 63FC767E3A166208C7F97DE526C323AB E Global\MSI0000
        2⤵
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe
          "C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe" x "C:\Program Files\SolveDefenderSerene\QnnRXazkZQiQCErBAOww" -o"C:\Program Files\SolveDefenderSerene\" -pPakXGajjGRCPvwIYdoub -y
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5080
        • C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe
          "C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe" -number 145 -file file3 -mode mode3 -flag flag3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1852
        • C:\Program Files\SolveDefenderSerene\letsvpn.exe
          "C:\Program Files\SolveDefenderSerene\letsvpn.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:1196
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3112
    • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe
      "C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe" install
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:1452
    • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe
      "C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:840
    • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe
      "C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4176
      • C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe
        "C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe" -number 185 -file file3 -mode mode3 -flag flag3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe
          "C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe" -number 362 -file file3 -mode mode3 -flag flag3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3804
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      1⤵
        PID:1196

Downloads

  • C:\Config.Msi\e58a4b8.rbs
    Filesize: 7KB
    MD5: a11fb379e15dcac230704725227a5904
    SHA1: 7513943a17431264a316815634c33f2120969c6d
    SHA256: c500aa745ed84fc768e23cd13198bf43702c5d3a1cc7fa0d8b342ddecbb23d1e
    SHA512: bb62908c7244d58b56c9fe54529350bc6d12f8065554efe106a214f3a6b59ec53ceb96ee2c9330ecb63db379053aa8f54198a0f13e3f1adb6c19ab256aac9bd3

  • C:\Program Files\SolveDefenderSerene\LaMhTUfHIdyc.exe
    Filesize: 574KB
    MD5: 42badc1d2f03a8b1e4875740d3d49336
    SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
    SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
    SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.exe
    Filesize: 832KB
    MD5: d305d506c0095df8af223ac7d91ca327
    SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
    SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
    SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.wrapper.log
    Filesize: 266B
    MD5: 57ba978d3409b4b8bd71bc528d5a9b08
    SHA1: 7b88d37022bf6defeb381271d1ee52e00ded21f4
    SHA256: 80f0ea0a14d8e95658cc98e0ad267bc7cb5c33306f10ce426db1b5728b6dc9d3
    SHA512: a706272e0e6afaffcb2169f9f9484d61ee880ea204039a0f01b1a388e3eb14d2a071f3ba40eb7f5493cc0188af7161f3cfa5b86c369b081bf664c05ce605d73e

  • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.wrapper.log
    Filesize: 630B
    MD5: 50f9ab5d179552145f1416c66620991e
    SHA1: 9986332547b587b7706d76f6cec6a6abc295d41e
    SHA256: 13439245ecbc36b76b3193c819b9973628fb6b9f7455eb2217e2595f37ba6f29
    SHA512: c3085ad91129d34f94e171d7318d7c10816437a20caae4eb3f6ec62368669e952be2db7b8de22c493da789535051026550c507369761f12169f9b8be77c31b66

  • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.wrapper.log
    Filesize: 918B
    MD5: 03e416c77557df264e15e86325606ea4
    SHA1: 2476dc65ce6a0f3aa75c809ca85bdd7ce722769d
    SHA256: 81e65d847dffffa0d42237a22be5cc69e76c26fb0eebe7c0fbc9a9f978444175
    SHA512: 921a14c53932e76783e690ffeb58e480a60474bd638bd3ef4b509013f4d8c9c12359ffee3e79d6011624bc0655bbb47a28e261099070181c1516a03b1986bb17

  • C:\Program Files\SolveDefenderSerene\OIPvTHuFpRIC.xml
    Filesize: 437B
    MD5: 13f811fa7824298402ac719fce54ac07
    SHA1: 04cfbf952f24d6b5417f85880b0cfc9eebd10739
    SHA256: 17541b121e295261d2716e5061d72e66d710947ec4ac0405232a4b4acc310ee5
    SHA512: c65c148aaf8111dcd698e497de7e4b29a4c8b54d635e150b165a1e608c3b58a0cff48b5a4e7081de25fb4e90aa88868a186c2b695af5645342f96010e9a28724

  • C:\Program Files\SolveDefenderSerene\QnnRXazkZQiQCErBAOww
    Filesize: 1.9MB
    MD5: f7423e2f19b6fc053365e2407323afdd
    SHA1: c4eb99a5b00ed04aec04be5d63d5b969e19a47c7
    SHA256: 89daf936de489f902d1161197d4251266059887fd56db8dd26ef45d9a86e237c
    SHA512: da09f8f06d03e0b215dbe195f11ad095f8000ecea2fb6bc53493b933befec4e680a3d5474eb3deed622e49492be35aecff1743394809ce4151a71402e4161289

  • C:\Program Files\SolveDefenderSerene\ZNIpMGgmtO28.exe
    Filesize: 3.1MB
    MD5: d7fdb97ae01bacc7eb06909f8a180947
    SHA1: 4408c678c1bcea5618c3260de4186d5ba9c2682e
    SHA256: 9da994b1517829109024345b820d1b546e74ad20921aacaec250096786047a53
    SHA512: bfd1b948abc17ecd3e63679de69b14114f41baa7933d9254a02aacdbf1b01951f544a72771712e46470046c47ad9ee00d012e05c496e5b56a9a5cdcc1512895b

  • C:\Program Files\SolveDefenderSerene\letsvpn.exe
    Filesize: 14.5MB
    MD5: 94f6bd702b7a2e17c45d16eaf7da0d64
    SHA1: 45f8c05851bcf16416e087253ce962b320e9db8a
    SHA256: 07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776
    SHA512: 7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OIPvTHuFpRIC.exe.log
    Filesize: 1KB
    MD5: 122cf3c4f3452a55a92edee78316e071
    SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
    SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
    SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3xlybuc.xie.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\nssB1D7.tmp\System.dll
    Filesize: 11KB
    MD5: 75ed96254fbf894e42058062b4b4f0d1
    SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
    SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
    SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • C:\Users\Admin\AppData\Local\Temp\nssB1D7.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: ca95c9da8cef7062813b989ab9486201
    SHA1: c555af25df3de51aa18d487d47408d5245dba2d1
    SHA256: feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
    SHA512: a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

  • C:\Users\Admin\AppData\Local\Temp\nssB1D7.tmp\nsExec.dll
    Filesize: 6KB
    MD5: 3d366250fcf8b755fce575c75f8c79e4
    SHA1: 2ebac7df78154738d41aac8e27d7a0e482845c57
    SHA256: 8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
    SHA512: 67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

  • C:\Windows\Installer\e58a4b7.msi
    Filesize: 35.9MB
    MD5: 6bd8fab2fd596986f7f55c0993ae1981
    SHA1: ab2963c0959aaa08ce98ae3e7990ecb5b4cbf313
    SHA256: 59d6dc380808c3e46f3ec1d7b2aeae25a542e0082d0ff6efff12a6abd379b6c1
    SHA512: 4fade01d209ffa312f55477eeaeaf0600b9fe43a3cf8af92fdfb0f3eedb2c7facfaf1e803c73b32c2f4346beb010124515388af4d08e7520495ff0d54a316685

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 24.1MB
    MD5: 7d3331ab6ecccd63cb1263ea174a35cb
    SHA1: b28a7b3ad5afc8bff8c1216b7b13b928e113e691
    SHA256: b361f75d4d8b07291647aa8ce16a91995b6ae67d28e86e5e30780b6ee05ed05b
    SHA512: a4980b88d925ea00e833d99269f27c5f17cbe379d00bf160421ae81332288afbea88979c9104a03f23e00dfde8dd9bfdf0ca027470880edb518a5642293c407a

  • \??\Volume{69d1985d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6242d9ca-ff80-405f-b8d2-930af5ba9ca5}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: c8e6f64ae06bcd24ac3083a28a784538
    SHA1: 04e7374604ae941da11323c9a9c948adc5cb5624
    SHA256: 7ea66f30f1a52365bfff26f93620b202adbc4416736be78f47481b122ab21f0b
    SHA512: ac3846cfb255c2d77cc45db35cf516bb4fddc941ed2245e618dfe997582310a992e8028e84876087636ada62d49a7046287fb3e705543e69196f1dd1ec89d750

  • memory/1196-71-0x0000000005E00000-0x0000000005E1E000-memory.dmp
    Filesize: 120KB
  • memory/1196-53-0x0000000004E80000-0x0000000004EA2000-memory.dmp
    Filesize: 136KB
  • memory/1196-72-0x0000000005E50000-0x0000000005E9C000-memory.dmp
    Filesize: 304KB
  • memory/1196-51-0x0000000004F00000-0x0000000005528000-memory.dmp
    Filesize: 6.2MB
  • memory/1196-54-0x0000000005720000-0x0000000005786000-memory.dmp
    Filesize: 408KB
  • memory/1196-49-0x0000000004830000-0x0000000004866000-memory.dmp
    Filesize: 216KB
  • memory/1196-55-0x0000000005800000-0x0000000005866000-memory.dmp
    Filesize: 408KB
  • memory/1196-67-0x0000000005A10000-0x0000000005D64000-memory.dmp
    Filesize: 3.3MB
  • memory/1452-50-0x0000000000E70000-0x0000000000F46000-memory.dmp
    Filesize: 856KB
  • memory/1852-46-0x0000000029D40000-0x0000000029D6A000-memory.dmp
    Filesize: 168KB
  • memory/3804-107-0x000000002C150000-0x000000002C30A000-memory.dmp
    Filesize: 1.7MB
  • memory/3804-109-0x000000002C150000-0x000000002C30A000-memory.dmp
    Filesize: 1.7MB
  • memory/3804-113-0x000000002C150000-0x000000002C30A000-memory.dmp
    Filesize: 1.7MB
  • memory/3804-116-0x000000002C150000-0x000000002C30A000-memory.dmp
    Filesize: 1.7MB