Analysis

  • max time kernel
    150s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/10/2024, 01:14

General

  • Target

    i4Tools_ns9.9.8.6.msi

  • Size

    232.3MB

  • MD5

    5cc9c7280b6ac33963bc8160d934541e

  • SHA1

    9f33f68852f3fc3e4028de14e54babe1860e9d9b

  • SHA256

    8ed36de47fb703e516f63d7db1708dbfac0bc3619024d7769796d7ebeddb3603

  • SHA512

    1548167410270a2a25bc75d2d3b2b1c9a3a8b18b56fe545614617c7290d5981d824b913e017a7d31f5ea5948af3a153238b55450b1c0132fb51a6cc491cd8160

  • SSDEEP

    6291456:5ME4FlRDcoxNkXSm6CxxRPo8BMvm1LpkABIU:5cFlRDRE/7Pf1Bl

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 10 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4Tools_ns9.9.8.6.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1040
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding D5C773870B5B458378D1CF3D3B277750 E Global\MSI0000
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe
        "C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe" x "C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs" -o"C:\Program Files\GuideDirectorMajestic\" -pUaLIpHJjhMODAzOiylZA -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2804
      • C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe
        "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 101 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3976
      • C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe
        "C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1624
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:1248
  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe
    "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe" install
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4648
  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe
    "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:5000
  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe
    "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe
      "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 235 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe
        "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e57e8ab.rbs

    Filesize

    7KB

    MD5

    2bc2bad928283eacce0c8a5ec4a75495

    SHA1

    7b3ea66ffd9dfde8b3cef7e4a1513693a61b8d61

    SHA256

    74e6018b1557db8fbf31e678250028090b339be103cc91e2b51251b30907e800

    SHA512

    96a4a2101ddca6d63202c148e0915eabd9fab94c7950159ea8e8298cce28fbd06224dc305415b936e1093b38265594c027c3d585cbcf9402c2e2beb32a5b50d4

  • C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe

    Filesize

    2.8MB

    MD5

    e274e2b9cafc75fc874aa56a40f2f20b

    SHA1

    be492f85fa47422e0dea88ef38e87670ca698fa4

    SHA256

    d464844275663ca56a44d42a9401af0193f94fc82b559e71d8333926fa304424

    SHA512

    11c482e066678791ba98a8ce1e016aab8ab6a15864d63137f439a445721e3a802095b42e0069677ee7b6892423a3f0bbbfe934ff177866924646053cd799463b

  • C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe

    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

  • C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs

    Filesize

    1.6MB

    MD5

    c2cafebae1a025baabc17b4eeca638f6

    SHA1

    1fc8638271ea468e2b2fbe4f5a3502da1fe54207

    SHA256

    5a791f23acbb035e1d05a484eb9bd6d805a3f56464901595193f4f68e1173e47

    SHA512

    659834c96b72d76b4aa7d42463b56db7c9dde4e7c91fd5252f410b3ae01edd6479a6b9a606203f341f5a9acaefd73b65c34ab25c836bbec8dc8b8cb0b8156426

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe

    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log

    Filesize

    264B

    MD5

    19e3b0686a4715d437dcab4df5c1be25

    SHA1

    2df100e89102da8afa6f9547321b195f2f938378

    SHA256

    0c7a1415a7ae0605e58f133e665043711cf710f7b26dd394d6f4bf77a15c4b3d

    SHA512

    940909777d45bf1c7111d9fd92a2100a36901f3d6550e10ad3a2b9eb6c6b2afaedf502a4cb3e08279911d69fe444a1c547f7ea2a326a7b442e4f22884b61e092

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log

    Filesize

    419B

    MD5

    9ee27c6013443759fe2c77492e0e6b35

    SHA1

    c6bb1871f79bae8430b4952d897af42ed6cfe554

    SHA256

    2cbf08b9c6da58d519bce9e244bf8e1a7d36c3450dcbd31b2ab353d903d1dd0c

    SHA512

    f2b58f31ba3b65965921dcda43762f371d5249ebde1788ef25bf52812b1150997e9ce8c7b3433f731f956be42e1396e44a86069cd873f46edefa66c6a2e94450

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log

    Filesize

    483B

    MD5

    ce92307e2d93ef8c74ea098678cbfc73

    SHA1

    1e1bf11ff6067bf8409768f79302d79ff8959bd7

    SHA256

    562740415fc41f036a2289f68d4c0ba936c9767b43f2fa9953998846cd8f21b8

    SHA512

    2ca5970750e64203b52796530ec024b7a27b66c6fa00246843104b714a06887c494a30d4b9ded67304878cb5abd35ec5c6ba61ec7bfb0cea8adf93fdbc0a50ec

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log

    Filesize

    771B

    MD5

    d9e28ee2c0c976cae926d8730d48d4af

    SHA1

    e0838ab3322ddb6daf7c614889f6a00b87fba16f

    SHA256

    19b3bc0d72cab5244e65d903bd21cf9ec5f3e46586bebea18e0dfc4a96d419a7

    SHA512

    2a1e47b1074d27f167b8b6b9f23c41095ded39631283c4db3a35dc69c9bd4805008034b66e3d3d70f68f0f78204e6b984e2549d7e30bf9473b86c9e30af0494e

  • C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.xml

    Filesize

    437B

    MD5

    ad094428e59889aa9e7fa085a65919d7

    SHA1

    e7bcbfe38ba1b1d6619500778fcd8a6b9aa33bce

    SHA256

    bf2e36666aef392d4b333fc82ac5fb1a5f5c24a05cd53043b63c19813f035dab

    SHA512

    b3bec6c438cc382fabccdff98f6922942557ba3d3327f4ea900c6f87436b721ba71185ad4c204b6b380b590f481eb69a8b9f2412d8a4d3d2f613d654828ca324

  • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\oKzWEzpMpqXX.exe.log

    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    23.7MB

    MD5

    c9da72d19459b6089d2977d6e5adc2e1

    SHA1

    d14e8720750535a0fd6a38c88356d4d907aede8d

    SHA256

    1fc699e9da162c3512586beb03f54b53b85d82aaa73d075112cd25bed4658b29

    SHA512

    568118f8fda67cd4474ed71a635230ee322b89c5fcc90095890270d5045372233a9bc9ced71d22de517f16e16d7b898d393221adf2e325bb0f391a8ac39b73cd

  • \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{04083376-ae7e-4a00-b379-f462e9aae433}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    3db43ae1283945907c2756c467c94e5e

    SHA1

    7753ef9493cf3601698a67cbac33d225d30a0eb5

    SHA256

    f59b9892c0f2b1310aa33fb55c98344fc61cad2cc9b18fe8bf530ca858a11526

    SHA512

    4e4f4e18fec60218931cfc8719c8c49d3a274ea410489e564cc6a68131addb1b90bc8f84c6875ade1fa49587c4efc3f7d02256facf07bad2b4c25b456f52047d

  • memory/3976-26-0x000000002A2E0000-0x000000002A307000-memory.dmp

    Filesize

    156KB

  • memory/4636-69-0x0000000029E70000-0x0000000029EAE000-memory.dmp

    Filesize

    248KB

  • memory/4636-70-0x000000002BA90000-0x000000002BC4B000-memory.dmp

    Filesize

    1.7MB

  • memory/4636-72-0x000000002BA90000-0x000000002BC4B000-memory.dmp

    Filesize

    1.7MB

  • memory/4636-73-0x000000002BA90000-0x000000002BC4B000-memory.dmp

    Filesize

    1.7MB

  • memory/4648-29-0x0000000000810000-0x00000000008E6000-memory.dmp

    Filesize

    856KB