Overview

overview

10

Static

static

1

wpsupdate.msi

windows7-x64

6

wpsupdate.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wpsupdate.msi

  • Size

    39.8MB

  • MD5

    0c200d7664b0e178560f7f974e6aff63

  • SHA1

    f3ed74c5aa91de36a4a978d949b8b76752c853b3

  • SHA256

    f6b23380267c21f4f82efee4573c1eae7d89c69ab293e10f58aa45478c1bf1b2

  • SHA512

    b26c8dada559121f48ac6f3f15511e26c465c60b9d7b9a9ead4b175e32f32e7a6adbb77ed8cca269a88081a043efc7413b7c1a008e39bf41a36b6a2cbf698920

  • SSDEEP

    786432:dHB67xVCEOhHxvCIEL2qf38CW9M4OGEuU/mH+ng2yI/9b+sKf:/KC9hm7/AXOBuU/mH+g/2y5

Score
10/10
gh0stratpurplefoxbootkitdiscoverypersistenceprivilege_escalationratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2056
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3260
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3A303ECE5458A8DECF1C426CF109C49B E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Program Files\IntegrateAdvisorVibrant\bYqyfBgulGkj.exe
        "C:\Program Files\IntegrateAdvisorVibrant\bYqyfBgulGkj.exe" x "C:\Program Files\IntegrateAdvisorVibrant\pQDfBqzqcAmCwxhiPfMj" -o"C:\Program Files\IntegrateAdvisorVibrant\" -pcwgpBxJASqrNthJgehkM -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3308
      • C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe
        "C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe" -number 262 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2804
      • C:\Program Files\IntegrateAdvisorVibrant\wpsupdate.exe
        "C:\Program Files\IntegrateAdvisorVibrant\wpsupdate.exe"
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2356
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4244
  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe
    "C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:408
  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe
    "C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:2036
  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe
    "C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe
      "C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe" -number 166 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4492
      • C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe
        "C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:1072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57c247.rbs
    Filesize

    7KB

    MD5

    52449e6f7b516a1d6d06fc612f5a137e

    SHA1

    85af59451e64754a056ac512ff1dcd38b54fa115

    SHA256

    ad5da80f8e8d22d0ff72e75e20f67e87122d82ecced1c4438616502473ddc684

    SHA512

    3fbcc70f695ce3597b3cf992e99e6c506f48a077862035d9504e51d1fc90fe3b79e5e0d4c203e4670a6448a1403a39488706a2db47f0da127944932e3a7ce1e0

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\MOELauncherSetup_V0TKW.exe
    Filesize

    35.6MB

    MD5

    f0b4afeb9a9582a84c04d33b4f9c93e5

    SHA1

    0b9229e8e3879fc4d1310ba493280894cac1f259

    SHA256

    d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9

    SHA512

    d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\TpuaDVwAtO16.exe
    Filesize

    2.9MB

    MD5

    57d2f881bb7b9cf36a6c0ea46173c927

    SHA1

    2f12e389f828b77f93922b3643c2d8697bf64f0c

    SHA256

    4c9394ae6e91f94c57f904cd1ccd8df55566cff95b9a99fa7cd5ab9657e981a6

    SHA512

    84099bae1544e90418882d1da8d34f79c995623f8479558f621a89c7f04984f3ef99d56add81d9d240b3a3411ad671fc0bf9b24fb3cd8e030e36c12eb745e568

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\bYqyfBgulGkj.exe
    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\pQDfBqzqcAmCwxhiPfMj
    Filesize

    1.7MB

    MD5

    166813a640fbff9bc9c5a8829b77d604

    SHA1

    9a6439822765bb23d6b6b6926855f8cde67fa213

    SHA256

    6b2ca55715af12bca876efb3509ed93d79a220da577f72b7f0b03d413a41841b

    SHA512

    320eb8181155330c85782037f9530ae16c8a5b5e20cd8beab7b5c62ed9539350165bdfcad5f862256818d39cd9a6667326a2ecb5d01be0083b40ca98b69dfd75

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.exe
    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.wrapper.log
    Filesize

    270B

    MD5

    b75687522da44d3112ed9ed146ea5595

    SHA1

    f02413953491f5cedf65cc7ce0008814c290c4d5

    SHA256

    5f5d0493fada95d4d5251616a3187c3a21eb030aa46611364eb0c2680c7914f2

    SHA512

    d4d6f643eeff6412a9a09142e2889ccb0a79ca2d2701bd7ea9e7ef7e58dd15cd8ca4d2c4a135c2f72ad8f1c8e5a784fa001d2bf9525baeb6d0841b949dea3e68

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.wrapper.log
    Filesize

    428B

    MD5

    1e60f1a56647a7ce9db74a43dabe0f29

    SHA1

    058ff0a4744a5331ffe1c28ee5935b68cb80df86

    SHA256

    d4921284305f89f8566cc5860ac404fd626f6887dbb55bd7f6e555d500171230

    SHA512

    86ebd83a9566bf5678b09b430497586a37d0071b414d50d31de203d02da08dba96ae922ebd82eb8fceb96d1b9e7587f355dd0a219c14e2f65da8c8c2fa3a1943

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.wrapper.log
    Filesize

    596B

    MD5

    2ad6910c4aab1418fe0d0e578f5b0a8e

    SHA1

    22ac4d63adbec08db1291615741205b2a8c355a1

    SHA256

    a54aefb3d2f144440acfa110fa6ee61d964c5f3de23f4b3b0e677d5170575b4c

    SHA512

    66978d94e6b1b84b15a8c4447efa53cf7c91638a64db719f4fd7c9a73d20c3da761492a3abcfbbe6ac091d384ce6c86b430d858e71534735b7ae8511c9fcaec6

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.wrapper.log
    Filesize

    744B

    MD5

    b8ce3aea7bf29ec87d129ba7dd8acb2f

    SHA1

    e467119bbb3c05a5f2b97d531a1f9d859ba569c9

    SHA256

    f3ae7b1541999e556eeea1a2fa62f4a4c2976be5eeb4f83909014537905e612b

    SHA512

    e0ac5c20dc9fa0a65ca8cc75e1a895c4ce920e23a62c30b354d2a25dd16be92a616237d036128b7cb0aa591978f6376b7efb83a0cba1561758094febe98349c3

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\qzeybRpnzInL.xml
    Filesize

    445B

    MD5

    d4bf6c3873594772779852f1ad463e73

    SHA1

    c45e3413d2216b90bc41a2b5f36132ca63c93b52

    SHA256

    811f4c379ff1b8690d4c3481ec57aebde7824b4f7341ffb0594d5b83e61599ed

    SHA512

    03d272eaf47313c2269fa7d739e37be9c138228dac5fe483b8f78955196aa838cb0d9b29a570b4d975b75ff206d8ecaf55b11b601ee8577661121dc0f0dd0b7e

    Download Submit

  • C:\Program Files\IntegrateAdvisorVibrant\wpsupdate.exe
    Filesize

    6.0MB

    MD5

    57dadd6a929f64c2b1efe2d52c1c4985

    SHA1

    962cb227f81f885f23826c3e040aa9dbc97659cf

    SHA256

    996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5

    SHA512

    3f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qzeybRpnzInL.exe.log
    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\update\wpsupdate_2024_09_22.log
    Filesize

    2KB

    MD5

    07e00ac3e54ec72af09a5f5a43c74bdd

    SHA1

    208a27aacd24f65ef50c2e467ed14a2f589a1bce

    SHA256

    ab0c092946690008a476cf7378266d0d92f485c2e7fe1b94da968622cf89b651

    SHA512

    b5b832d7e412cdcf99e67ad9382901a3f6086765a3761b6cbf5a1295f70370ea62dafe563275ff59785059973b7a4b8880f13c3b24b753817bd7bcfcc9e812a2

    Download Submit

  • C:\Windows\Installer\e57c246.msi
    Filesize

    39.8MB

    MD5

    0c200d7664b0e178560f7f974e6aff63

    SHA1

    f3ed74c5aa91de36a4a978d949b8b76752c853b3

    SHA256

    f6b23380267c21f4f82efee4573c1eae7d89c69ab293e10f58aa45478c1bf1b2

    SHA512

    b26c8dada559121f48ac6f3f15511e26c465c60b9d7b9a9ead4b175e32f32e7a6adbb77ed8cca269a88081a043efc7413b7c1a008e39bf41a36b6a2cbf698920

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    0f0442e5295da68f0dfeba9a57f05959

    SHA1

    befdea2808439614f57d9a13498e915c501b3af9

    SHA256

    9b8870af52ed1600593c18c389641ee1419cdb76e7c9b4991f7d4721d70f3d08

    SHA512

    728d41f75dc52606de9d349d2885c8aad605bdd1ceb42041770257e309f866255a53051690052439d15d49b0ca5c88902db7e44c7ec0d46e2581f594ce5cc47b

    Download Submit

  • \??\Volume{f1c94fa5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{be6893fa-3c66-4240-995e-da5f26f079ed}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    6970c08edb122488c7e13f125493607f

    SHA1

    60cf2ce6614515123a06a716ad8b9013a7b1cef3

    SHA256

    44a1966491f9409969aff18959b7cfb848b3242111444726fe10353cc5d512eb

    SHA512

    bf8e6ca8d6c7c8c8f417b8c990f976c8c9930ccc3b15a5500d18741d7fcecd27eea7f5916e018ee0640d9da0d3e5d7ea3b962f35c721dd27fcfa7ae00e5e3bbf

    Download Submit

  • memory/408-47-0x00000000005C0000-0x0000000000696000-memory.dmp

    Filesize

    856KB

    Download

  • memory/1072-74-0x000000002BB00000-0x000000002BCBB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1072-76-0x000000002BB00000-0x000000002BCBB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1072-77-0x000000002BB00000-0x000000002BCBB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1072-79-0x000000002BB00000-0x000000002BCBB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2804-28-0x0000000029880000-0x00000000298AA000-memory.dmp

    Filesize

    168KB

    Download