Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-09-2024 13:55

General

  • Target

    WPSOffice10469357401533.msi

  • Size

    41.1MB

  • MD5

    27ba48360e40e33e30f22f9258ca8aec

  • SHA1

    f86f07a4fde054f77591c7c42a751f4fa566cdd5

  • SHA256

    593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

  • SHA512

    0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497

  • SSDEEP

    786432:bz9YO2wwhIk3QM8g4fzggu4Pm7WJn8tKFodQrzRIwio026V:Fa3Qg4fzgh4fn8tKFeQr9tiod6V

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPSOffice10469357401533.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4360
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8AEBD53AC61351990517FE6F6C308811 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2464
      • C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe
        "C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe" x "C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr" -o"C:\Program Files\SecureSponsorGenerous\" -pBtrCoSaelPTuXoCAcEwA -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:436
      • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
        "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 242 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3376
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files\SecureSponsorGenerous\xlsx.xlsx"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3280
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3432
  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
    "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:3644
  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
    "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:744
  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe
    "C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
      "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 213 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe
        "C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1396

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57cbad.rbs

    Filesize

    7KB

    MD5

    1ab7f8e01351c6b50bbf66681d44f9f5

    SHA1

    f1c16381739dd969791e0548f8d5d638fbe4e75a

    SHA256

    e5cb3bde8940ed5898f774ee433c0fdc78789c987920f1a54bcee60c3a89c2b5

    SHA512

    61d78e4303f22e84e441813f54e4d53c54164ee6a5a5e547e06dbe79d9733a193ae6d9f2052eb9752c56f887d36d3b15ea8ff7e8114d380f356e066698033556

  • C:\Program Files\SecureSponsorGenerous\EiAuPIYhFE4.exe

    Filesize

    3.2MB

    MD5

    1c3d835b334c146196997f99df3c6f8e

    SHA1

    0027a83539881abaf1f5cb3a2cc0cd6ba528d000

    SHA256

    dcd7d379effc6f28e3fc43bdeebc3c39c933a93b09d9dc6691fb64392c432b3f

    SHA512

    f4da23997640cad08e9c3cc605472bb3b112e01406cc18789bd78d1f735790029cede3cd784d5d66882d571d6d515666a2017463ab5be454df50ddc4498d6042

  • C:\Program Files\SecureSponsorGenerous\OUvlZvvsRHvvVPzWjGvr

    Filesize

    2.0MB

    MD5

    d076e5e2afedcdbd328b5a3f0222b408

    SHA1

    8d8407cf4006934271fbd1f0c251fb5e91786997

    SHA256

    7a275f7f2ccf99a65eb4bd5f8cbd944041473b6c804487daf03b720700b760ea

    SHA512

    1f58ffe864710bc35f790510284b39337e8caaf0cf434517afcf0e894dd99c737aba22da27ddd6ee93ce7791407c7338ad2433b4310815f3f644fc72a212b2d9

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.exe

    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

    Filesize

    270B

    MD5

    39f2cc40b8e68b5d1d25987d1c05f6db

    SHA1

    8d983dd3537c75c12e2e85d2d0585496072e70ed

    SHA256

    d4b449f5357268d6d9a8918d0240afa929e9be8a4424f5122cdde56ac417ba7f

    SHA512

    85ce9e6cce752ddfe178507491cdaffdb8f1b5d23ba453eed952572ce7873ed135a836c99789c3a7dded814ab7255e5e8ae3cfb3c8a844c3304ada64989a8f06

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

    Filesize

    492B

    MD5

    6796474416818784f0d2e048816e0292

    SHA1

    e075c1356cae4bed66ed64a823c39c263e2af7fd

    SHA256

    f9ecd6e6fbd80e9735864b28e13a473887bed6c19e2aa56dbead4dad12c4998a

    SHA512

    f25d34dd57041511e0f7b257ea21cb4b0611e32226a17b51cf6d6d789c6e8cb25408c9824fb3cf77da21460b1b6f24e427b6a097b56dde7de4e89f422561facc

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

    Filesize

    596B

    MD5

    36e23d070aef92216eaa1b671e9ec437

    SHA1

    f530fdef18386456241617c65138fcfa04bba8d8

    SHA256

    7dfe14c47403d9dc76c8e77701323b40db58c1e11f8c9347ac841fed91302da1

    SHA512

    e44b2e1fcf7c198d5072f929da15c214741f52dc3e4ec4e67d8206f8d86ed4711662bce4056d75d51605ad4d4f93b7af4a2d6e9f56522b09deb80a3078585a73

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.wrapper.log

    Filesize

    741B

    MD5

    deb7cc8c2c3d4d688aa8e493d63400cc

    SHA1

    3c229632b6e875aab4abb8df2a9fc04283ee02a8

    SHA256

    1b7295c0b508c0f291cc449e0dfba532774e78976af0341d5c726bfdd44a7c45

    SHA512

    6a216d17cb9170aa0158ec0132144858ef3f73835529733a684a8a0fb32e762ed6450b7608ef2b056693f99bd809952845e2383679ba0b8c14955750c994d25c

  • C:\Program Files\SecureSponsorGenerous\bgHAdnVGRnVK.xml

    Filesize

    442B

    MD5

    5813fb505a190a74c67a360751f71fd8

    SHA1

    94aff8481367ecd341f6f6aaa99deb5cb1c6a929

    SHA256

    b05428a2721bad3623587ea39a27f2eec42df1483645a67d4432ddd29feaa885

    SHA512

    169d429ef514e0b722220ff0af3f00eb2ab30b5e7a4439835f45d9fa2a3d1852e6a80e73ac346a10d244498f2c52e8f745ed6c8458ba3bc3574f7ed1d39e7674

  • C:\Program Files\SecureSponsorGenerous\hqUsxQVokjCH.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\SecureSponsorGenerous\xlsx.xlsx

    Filesize

    8KB

    MD5

    5001ead50aa6c32c9d7e6c6dfb4033f0

    SHA1

    c273c9bc2a996bb9ab65f7d30ccbf38bb755ed57

    SHA256

    a3d37b43693ef32bfcd324bb4f2523c828648e012828504302f3f182c97c4cda

    SHA512

    28d970204f02d6bc270fae20cf0ba78a8086e6dd2552f10f6c30d72c324fa2ca5ca44b2aca3830064caa57abd7255edb1147ea2bf0d103b22b75094f20f6d0bb

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bgHAdnVGRnVK.exe.log

    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

    Filesize

    284B

    MD5

    997d05eab6ed89ba59b6a5abe99bd188

    SHA1

    318895d1ce4adf5fc088c561aa2591b9598800e6

    SHA256

    695ea7671599fbffced9774f8b463538a7e6366b5bbf78e8bebf8c0cd41f524b

    SHA512

    9104049f5227cdedb6367792ac6ba7e8d891343ed25667183283348f02576d04faca8450a2d7842450599879707df6f9fd9b4c637677b5fc39aa2446c227e7d3

  • C:\Windows\Installer\e57cbac.msi

    Filesize

    41.1MB

    MD5

    27ba48360e40e33e30f22f9258ca8aec

    SHA1

    f86f07a4fde054f77591c7c42a751f4fa566cdd5

    SHA256

    593c2deaacb09860822ec349224494c5aa35ebac3ff8836b43f63ad41d168d60

    SHA512

    0ba2009808c661cc9780bdf437f2ca47cfb99daa080f95428f3631752d2f49f6fce1ec747ef9228e49e3df00db61b67d4f52c4411d76cb6551fb6f50eaf90497

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    7f9f06dfaad9df43c665257e836e51bf

    SHA1

    df227c6e84d1ffcb98813afd16eb7c8bf6e4cf4e

    SHA256

    35445d068cfc489de31185bc487f2feacde0c40392b456c731922ed1de1bc1dc

    SHA512

    3ffb511fd425cfdc2fe6f1033602a25351bea71d661e93d27c2cd8e71c8f33384dc3c223dd5382330075ddee9fbdd4d2677afd064d6d7314889ec9b446fd4f74

  • \??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{37c7b5a4-33b7-4e80-9026-d4fad047aa50}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    f89895f9c5d50c2e9f7461efc05cc2ba

    SHA1

    d2ba76f4b646fcf74c566344bdd922302b674240

    SHA256

    76faacd42aa72c894d1031bc4f97efc7d0822cdd45c8061ce1c08f3e45f680a9

    SHA512

    864ecf07aabe77de4b2fe95e5513bfde65ec95afe3915b40ae76bdcfa4600fe591340d84805f32ed673986f16493566abc35af70d2c6949d14e1223dbc3b5743

  • memory/1396-94-0x0000000029A10000-0x0000000029A53000-memory.dmp

    Filesize

    268KB

  • memory/1396-95-0x000000002B620000-0x000000002B7DB000-memory.dmp

    Filesize

    1.7MB

  • memory/1396-97-0x000000002B620000-0x000000002B7DB000-memory.dmp

    Filesize

    1.7MB

  • memory/1396-98-0x000000002B620000-0x000000002B7DB000-memory.dmp

    Filesize

    1.7MB

  • memory/3280-37-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

    Filesize

    64KB

  • memory/3280-46-0x00007FFD525B0000-0x00007FFD525C0000-memory.dmp

    Filesize

    64KB

  • memory/3280-44-0x00007FFD525B0000-0x00007FFD525C0000-memory.dmp

    Filesize

    64KB

  • memory/3280-32-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

    Filesize

    64KB

  • memory/3280-41-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

    Filesize

    64KB

  • memory/3280-33-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

    Filesize

    64KB

  • memory/3280-34-0x00007FFD54770000-0x00007FFD54780000-memory.dmp

    Filesize

    64KB

  • memory/3644-52-0x00000000005B0000-0x0000000000686000-memory.dmp

    Filesize

    856KB