Overview

overview

10

Static

static

1

WPS-Office...32.msi

windows7-x64

6

WPS-Office...32.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2024 06:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WPS-Office_10469357_401532.msi

  • Size

    34.7MB

  • MD5

    0648eae1b36fb6c8e1b9b5a5b28abe96

  • SHA1

    52a313b76e9ab28b360b406f2886c324cc931c43

  • SHA256

    60ab90f343c109734ee5d53b62397d754152c30e7bc2f9ab3114f45d59e4a252

  • SHA512

    63e30921921920cd4dba054e3d7c8ff1225f5ce2f2bc987f543bb3c5ea290b87acc0b13e86891c76f72a040a0c821c3da9264212294f66118cc49aa6776f8091

  • SSDEEP

    786432:qddVYfcDIfXi1q8W3TRThlXgBopO+ZgiM2yoLPsa2:qddVYfUspDrO+ZDM2vLPsa2

Score
10/10
gh0stratpurplefoxdiscoverypersistenceprivilege_escalationratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WPS-Office_10469357_401532.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3EEFCBD60881DB0426F7F2B013D5D3A4 E Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Program Files\MaximizeBrokerVigorous\OmndZSkNaeRN.exe
        "C:\Program Files\MaximizeBrokerVigorous\OmndZSkNaeRN.exe" x "C:\Program Files\MaximizeBrokerVigorous\wEbXlSkLLbZQWTFxLvFe" -o"C:\Program Files\MaximizeBrokerVigorous\" -pgdmwOrRKmUZEIRCFdxWT -y
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3068
      • C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe
        "C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe" -number 102 -file file3 -mode mode3 -flag flag3
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2416
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Program Files\MaximizeBrokerVigorous\xlsx.xlsx"
        3⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Modifies data under HKEY_USERS
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:3968
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4908
  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe
    "C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe" install
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:1696
  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe
    "C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe" start
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    PID:2256
  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe
    "C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe"
    1⤵
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe
      "C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe" -number 293 -file file3 -mode mode3 -flag flag3
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe
        "C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe" -number 362 -file file3 -mode mode3 -flag flag3
        3⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57ed30.rbs
    Filesize

    7KB

    MD5

    4032f0d6de8188e157716c6b528e476d

    SHA1

    db5cf5e2b83bf8d166b78c09433a60ae93ca8600

    SHA256

    1b0d9b8043bd6d23059f4a9e8041986a343f0c21f0af3bc6db8a8f1785f19ce4

    SHA512

    f9750b02d413c7c71bc24729c1cefca22c9962a897ef4ee100ea90253691cb1ec0f22626fc2e855a0f271b283fa9cccb2296089f434b27750ae2f07452d7673c

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\EiAuPIYhFE4.exe
    Filesize

    3.2MB

    MD5

    1c3d835b334c146196997f99df3c6f8e

    SHA1

    0027a83539881abaf1f5cb3a2cc0cd6ba528d000

    SHA256

    dcd7d379effc6f28e3fc43bdeebc3c39c933a93b09d9dc6691fb64392c432b3f

    SHA512

    f4da23997640cad08e9c3cc605472bb3b112e01406cc18789bd78d1f735790029cede3cd784d5d66882d571d6d515666a2017463ab5be454df50ddc4498d6042

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.exe
    Filesize

    832KB

    MD5

    d305d506c0095df8af223ac7d91ca327

    SHA1

    679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

    SHA256

    923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

    SHA512

    94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.wrapper.log
    Filesize

    280B

    MD5

    72f87b2b59e047bcacf547d02a5e9712

    SHA1

    d344e1b1da165177fec28cf5ffd81570ac72c44b

    SHA256

    bb6c14426f0496db1a7cbff9638de706d0f05c47d7103f5d450e91e938fea1d5

    SHA512

    d83fad347d6f1c1d2e87c1ff3e5c914923f11e10bedf7e7b1b6121122b9ee7a2dfae2f90715092cac91327e5bd875320ebaf8362e307623942bd09da73de94a1

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.wrapper.log
    Filesize

    443B

    MD5

    91b13ca326cfbb5636b9867118ea8bbe

    SHA1

    e5ab6cf40838bc61c311288336d977632a886a87

    SHA256

    2ddd2108dfd7083dd26d01107ce1aa644cf0a95fa8e81a198f73b3a6c1e95545

    SHA512

    fb36fde4f2103d40f58302306825d20349796861ed577119f3a3924d544131c6ac6e925c97937ea0d86ff48d9a78207a502a8e6ed1c6d885bdd5db29a4d807a4

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.wrapper.log
    Filesize

    616B

    MD5

    1e482af0179f8cfab5547ef6b8d08384

    SHA1

    37b11d65be06232ac42b9933d1a655f9d22c4d1d

    SHA256

    fe8c29bf6e8525091839a4de68112036a2de23f756a4e1a56cb22171d98f97da

    SHA512

    357a03d5b6d62d233c3e4ab9c9a9241c38cd430ef6fa9d91f0fe734555b51ffb5d792030d2baa9cae708d881c87a48d13968e37bacf1fcdd2546cf5195bf32ba

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.wrapper.log
    Filesize

    762B

    MD5

    fe1ff2eedabbe24290e3c86cb35febe3

    SHA1

    3cfed9cc2037b8eccd6c4580eb358067a77cef07

    SHA256

    ab9f45a5815f6c5daa835e1babe53acb56125edeac4c5e6ee6b74e02340e7a1a

    SHA512

    76019be488ea79fc4efb9e1012bf7b446c3c028e8439ca5be54706537b884e8832ed30ab18435bb9edebbd706db6fd988ec75db335628040d152574f389dbfc0

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\FfXilmfGmXJX.xml
    Filesize

    453B

    MD5

    9e32c947a56da4d7056bbacf3aa3ba8d

    SHA1

    8eef07ab99b83b0fc319d87981a624a20fea8748

    SHA256

    30aad03685b79ee46931d87e2975f225eeebbc4e08021f358dc99b460fb2821e

    SHA512

    32a2a8b2741ade6339d20627858205f5cf4c7d4dc18f6f8d501559d36c934fc949ec74f234aa80912225b3e5fb6785beabef61623a05e9e04ceb88eb15aed625

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\OmndZSkNaeRN.exe
    Filesize

    574KB

    MD5

    42badc1d2f03a8b1e4875740d3d49336

    SHA1

    cee178da1fb05f99af7a3547093122893bd1eb46

    SHA256

    c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

    SHA512

    6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\asktao_mini_1.77_360rg.exe
    Filesize

    33.4MB

    MD5

    20dd50eb0410ad3306914bf541ff277c

    SHA1

    4b1722a4545625f7c596d556f17c647b30e3b1e4

    SHA256

    bf74b4a95cd815afdfca7e52973063248ace2703a4c7d9d37b87462962f0dd9f

    SHA512

    d54a4f5427bd2480da37ad4e8e5ebea56c882a1179487064f1060092ea1135c55421daa8d8c36d4268f98a3e7fdf27b9258404bc4bae184bafaf317b4c7c4ac3

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\wEbXlSkLLbZQWTFxLvFe
    Filesize

    2.0MB

    MD5

    98579ac04932f2d1b597812ddf61f40b

    SHA1

    521383df2f01fae8208a4a9705cc31c950d23c14

    SHA256

    368387ec1be286c1b4159478d46eb1d90653ce89834cf13de936394c30a43c22

    SHA512

    2753e8520440cbdf0c667b6afab5ebba6226250b4ca1dd303dd17ccdd72ca5b247ddac33d7834a7137b940e36f279198003f3e5a3b64f04aafc67782f6625191

    Download Submit

  • C:\Program Files\MaximizeBrokerVigorous\xlsx.xlsx
    Filesize

    8KB

    MD5

    5001ead50aa6c32c9d7e6c6dfb4033f0

    SHA1

    c273c9bc2a996bb9ab65f7d30ccbf38bb755ed57

    SHA256

    a3d37b43693ef32bfcd324bb4f2523c828648e012828504302f3f182c97c4cda

    SHA512

    28d970204f02d6bc270fae20cf0ba78a8086e6dd2552f10f6c30d72c324fa2ca5ca44b2aca3830064caa57abd7255edb1147ea2bf0d103b22b75094f20f6d0bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FfXilmfGmXJX.exe.log
    Filesize

    1KB

    MD5

    122cf3c4f3452a55a92edee78316e071

    SHA1

    f2caa36d483076c92d17224cf92e260516b3cbbf

    SHA256

    42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

    SHA512

    c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize

    349B

    MD5

    41ccb73b10a90e09dda08871fb8c3f26

    SHA1

    1f9a95ef114ba52fac27ec24fa0b1cf8a0f76297

    SHA256

    307007e0871b5675fa2512864394a017b60abe0d82325888272ceee9d6ddb38e

    SHA512

    d8763137513b69d09399a0aa7c0f51e226e20f3e19996e7c728344a57421a5f7c9e2243586024addc81a3d7b01a249d8a9a3b5bf47a086cb7a87f18fa3b4f40c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    24B

    MD5

    4fcb2a3ee025e4a10d21e1b154873fe2

    SHA1

    57658e2fa594b7d0b99d02e041d0f3418e58856b

    SHA256

    90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

    SHA512

    4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
    Filesize

    890B

    MD5

    956f14e920a57966a9fdbb5334c0a37a

    SHA1

    c0a916e5edb6bf4c657bee005a7d206884d6722f

    SHA256

    b5c0671c9a2fc5cf2537838dfc419f6d4937beaef490c2caffc5be1099f18d19

    SHA512

    e6ca4b872968d44a45f542e50a54e11f3cebe3623f4b4709e4bb072e1a007df7187cb555dd47e17fcf2ac443f1d98bb7816834d27c37ef293c9d3c1d4399d981

    Download Submit

  • C:\Windows\Installer\e57ed2f.msi
    Filesize

    34.7MB

    MD5

    0648eae1b36fb6c8e1b9b5a5b28abe96

    SHA1

    52a313b76e9ab28b360b406f2886c324cc931c43

    SHA256

    60ab90f343c109734ee5d53b62397d754152c30e7bc2f9ab3114f45d59e4a252

    SHA512

    63e30921921920cd4dba054e3d7c8ff1225f5ce2f2bc987f543bb3c5ea290b87acc0b13e86891c76f72a040a0c821c3da9264212294f66118cc49aa6776f8091

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.7MB

    MD5

    43458d34e86828895f2aeec1c470885e

    SHA1

    0a6e07f9b447ed8ba9e5ab1d230f77d7ee3b0980

    SHA256

    9c2cc27d43b5f9936a097799cbe007454bb6d89d778ecc47f58fe5ae09479136

    SHA512

    06be4c02f27516bb7e5a122716a81fe14369108c08fd0f20bb2f759a2a7fa35fc07b0f449c3fe0c39f56638b4ce37adebf94d2757e18c4d2a6eec7d162e07c3a

    Download Submit

  • \??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{242bc098-9897-4f0d-b564-dc34ebb7bd25}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    bae6888c87f10ae41e30ab7c4f6c2f0c

    SHA1

    01ecf451cdfed41664d8bdd256082ab310294544

    SHA256

    f16378538445c34b080618fbf9b5941b630fe3a91d8e84d67b62f888dd0eb690

    SHA512

    6c888cc047aa7170c7ff3799b82c0f4c20c12082e159861ddb1800c4266b7763319ae89b9e9428e9b3bf1239049eb7e10b4dd6325f72b77b1aa4807014107e75

    Download Submit

  • memory/1696-55-0x0000000000FA0000-0x0000000001076000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2504-85-0x000000002BD20000-0x000000002BEDB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2504-84-0x000000002A120000-0x000000002A163000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2504-87-0x000000002BD20000-0x000000002BEDB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2504-98-0x000000002BD20000-0x000000002BEDB000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3968-32-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-34-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-47-0x00007FFA83930000-0x00007FFA83940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-40-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-33-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-44-0x00007FFA83930000-0x00007FFA83940000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3968-41-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

    Filesize

    64KB

    Download