Analysis Overview
SHA256
24bde7a78c78a2827666ebe91dc6de540c233a6955620e625224cf66f61df7a4
Threat Level: Known bad
The file YoudaodbDictSetup.msi.v was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Detect PurpleFox Rootkit
Gh0strat
PurpleFox
Purplefox family
Enumerates connected drives
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 21:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 21:13
Reported
2024-11-06 21:16
Platform
win7-20240903-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Jbrja.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbrja.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI9A53.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f769666.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI96E3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI97A0.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f769669.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI99F4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f769669.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f769666.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9751.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9908.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSI99F4.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSI9A53.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI9A53.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI99F4.tmp | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaodbDictSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86F17D56DC76389199BA860025A4B622
C:\Windows\Installer\MSI99F4.tmp
"C:\Windows\Installer\MSI99F4.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Windows\Installer\MSI9A53.tmp
"C:\Windows\Installer\MSI9A53.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe
"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Windows\SysWOW64\Jbrja.exe
C:\Windows\SysWOW64\Jbrja.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul
C:\Windows\SysWOW64\Jbrja.exe
C:\Windows\SysWOW64\Jbrja.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| HK | 206.119.82.22:1797 | tcp |
Files
C:\Windows\Installer\MSI96E3.tmp
| MD5 | c7fbd5ee98e32a77edf1156db3fca622 |
| SHA1 | 3e534fc55882e9fb940c9ae81e6f8a92a07125a0 |
| SHA256 | e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6 |
| SHA512 | 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a |
C:\Windows\Installer\MSI99F4.tmp
| MD5 | cac0eaeb267d81cf3fa968ee23a6af9d |
| SHA1 | cf6ae8e44fb4949d5f0b01b110eaba49d39270a2 |
| SHA256 | f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774 |
| SHA512 | 8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b |
C:\Config.Msi\f76966a.rbs
| MD5 | d475f5d62ca6b1826efa250a5037c7a8 |
| SHA1 | a10b74ea0c5f474222ea4e2c104420743154d3d1 |
| SHA256 | a0a1d3c2f2f6951e7de6e464c838d3b23e2f2a2f443540773916b300c299b554 |
| SHA512 | c8fb080e4072998028987d5fb11d34b7b8cf8d86a74ae4aa98c6fe883cd7c3a2de54e41df1b98759503327402327973bf3ace7bd3270e3a2a528ccd64aa01b1f |
memory/2168-32-0x0000000000120000-0x0000000000122000-memory.dmp
memory/2712-37-0x00000000000F0000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
| MD5 | 73adeb9bab1bce06823a9d84dc091e5e |
| SHA1 | 4d2ebf91c3d4045b26d66211a23912aa70901eac |
| SHA256 | ebf6f8ba4660086b958d15758aa4ff8545c084fd0aba1ee6bd9286103a8b4517 |
| SHA512 | 3d6f3f6be0d245e96e3ed608c7487ceadc2a146475b791aa11a5ec87e7f5479de0124b8f36482cb0c755410347373fba44204d373124dbd9ffef268e7b537fd9 |
memory/2688-45-0x0000000000400000-0x000000000203F000-memory.dmp
memory/2688-46-0x0000000002780000-0x00000000043BF000-memory.dmp
memory/2688-47-0x0000000075320000-0x0000000075367000-memory.dmp
memory/2688-867-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-919-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-947-0x0000000002780000-0x00000000043BF000-memory.dmp
memory/2688-917-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-915-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-913-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-911-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-909-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-907-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-905-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-903-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-901-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-899-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-897-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-895-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-893-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-891-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-889-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-887-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-885-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-883-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-881-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-879-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-877-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-875-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-874-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-871-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-869-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-865-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-863-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-861-0x0000000004540000-0x0000000004651000-memory.dmp
memory/2688-860-0x0000000004540000-0x0000000004651000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\SkinBtn.dll
| MD5 | 29818862640ac659ce520c9c64e63e9e |
| SHA1 | 485e1e6cc552fa4f05fb767043b1e7c9eb80be64 |
| SHA256 | e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb |
| SHA512 | ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057 |
C:\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\slide6.bmp
| MD5 | 3d3ec6392cf9a8b408569a3dd4cd3ce8 |
| SHA1 | 95ff4346eb20d9239c37e6538bb8df8542d3300a |
| SHA256 | 818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371 |
| SHA512 | e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505 |
\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\checkbox_null.bmp
| MD5 | 5754c67775c3f4f50a4780b3bca026b1 |
| SHA1 | 3e95c72c13d6175ef275280fe270d678acee46e9 |
| SHA256 | 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739 |
| SHA512 | df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f |
\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\btn_agree.bmp
| MD5 | dab018047c171165c18329d5c59b617e |
| SHA1 | 88848ac4aceb7358f13d225de6d4fd0a5696517a |
| SHA256 | 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734 |
| SHA512 | 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d |
\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\OP_WndProc.dll
| MD5 | 765cf74fc709fb3450fa71aac44e7f53 |
| SHA1 | b423271b4faac68f88fef15fa4697cf0149bad85 |
| SHA256 | cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e |
| SHA512 | 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6 |
C:\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\btn_disagree.bmp
| MD5 | 5f7b90c87ea0517771862fae5f11ce94 |
| SHA1 | fc9f195e888d960139278c04a0e78996c6442d5b |
| SHA256 | f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2 |
| SHA512 | dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0 |
\Users\Admin\AppData\Local\Temp\nsy9C70.tmp\LockedList.dll
| MD5 | 5a94bf8916a11b5fe94aca44886c9393 |
| SHA1 | 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93 |
| SHA256 | 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d |
| SHA512 | 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20 |
memory/2688-17545-0x0000000000400000-0x000000000203F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 21:13
Reported
2024-11-06 21:16
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Jbrja.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Jbrja.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIAC6D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB29E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57a8c3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIADF7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAA3A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAD69.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{8B46C1CA-AF2A-458C-AFEC-8D8D0B3FD5F0} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB26E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57a8c3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAD0B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB0C7.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSIB26E.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSIB29E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIB29E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIB26E.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Jbrja.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaodbDictSetup.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D69950BBDBE5A5EBB2043C01C72E2183
C:\Windows\Installer\MSIB26E.tmp
"C:\Windows\Installer\MSIB26E.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Windows\Installer\MSIB29E.tmp
"C:\Windows\Installer\MSIB29E.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe
"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Windows\SysWOW64\Jbrja.exe
C:\Windows\SysWOW64\Jbrja.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul
C:\Windows\SysWOW64\Jbrja.exe
C:\Windows\SysWOW64\Jbrja.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| HK | 206.119.82.22:1797 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIAA3A.tmp
| MD5 | c7fbd5ee98e32a77edf1156db3fca622 |
| SHA1 | 3e534fc55882e9fb940c9ae81e6f8a92a07125a0 |
| SHA256 | e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6 |
| SHA512 | 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a |
C:\Config.Msi\e57a8c6.rbs
| MD5 | 6b4e2ae8c160b2a81fa8608c4b0c3299 |
| SHA1 | ba9f142c035fac06c671bcaca9330cb1743cdc30 |
| SHA256 | b2dd0f052b928e27090f3a7b004a375c5009e07f5308789bb1ab668e7c8f911e |
| SHA512 | 33ddf91e82e698066f2b326dd0321c0d3c199d80a4e07be9474a1d926feeeda6402eae331ae0baa5e222599073ac57f0cdea96e81c788e4d4d81e2186aae31c9 |
C:\Windows\Installer\MSIB26E.tmp
| MD5 | cac0eaeb267d81cf3fa968ee23a6af9d |
| SHA1 | cf6ae8e44fb4949d5f0b01b110eaba49d39270a2 |
| SHA256 | f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774 |
| SHA512 | 8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b |
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
| MD5 | 73adeb9bab1bce06823a9d84dc091e5e |
| SHA1 | 4d2ebf91c3d4045b26d66211a23912aa70901eac |
| SHA256 | ebf6f8ba4660086b958d15758aa4ff8545c084fd0aba1ee6bd9286103a8b4517 |
| SHA512 | 3d6f3f6be0d245e96e3ed608c7487ceadc2a146475b791aa11a5ec87e7f5479de0124b8f36482cb0c755410347373fba44204d373124dbd9ffef268e7b537fd9 |
memory/4444-45-0x0000000075F90000-0x00000000761A5000-memory.dmp
memory/4444-109-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-3925-0x00000000756A0000-0x0000000075840000-memory.dmp
memory/4444-5934-0x0000000075AF0000-0x0000000075B6A000-memory.dmp
memory/4444-13119-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-13121-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-13124-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-13122-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-13120-0x0000000000400000-0x000000000203F000-memory.dmp
memory/4444-13125-0x0000000010000000-0x000000001019F000-memory.dmp
memory/15264-13137-0x0000000075F90000-0x00000000761A5000-memory.dmp
memory/4444-13136-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-17011-0x00000000756A0000-0x0000000075840000-memory.dmp
memory/15264-19020-0x0000000075AF0000-0x0000000075B6A000-memory.dmp
memory/15264-26205-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-26206-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-26208-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-26207-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-26210-0x0000000000400000-0x000000000203F000-memory.dmp
memory/15264-26219-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-26220-0x0000000075F90000-0x00000000761A5000-memory.dmp
memory/27788-30094-0x00000000756A0000-0x0000000075840000-memory.dmp
memory/27788-32103-0x0000000075AF0000-0x0000000075B6A000-memory.dmp
memory/27788-39288-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39290-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39289-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39291-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39293-0x0000000000400000-0x000000000203F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\SkinBtn.dll
| MD5 | 29818862640ac659ce520c9c64e63e9e |
| SHA1 | 485e1e6cc552fa4f05fb767043b1e7c9eb80be64 |
| SHA256 | e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb |
| SHA512 | ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\slide6.bmp
| MD5 | 3d3ec6392cf9a8b408569a3dd4cd3ce8 |
| SHA1 | 95ff4346eb20d9239c37e6538bb8df8542d3300a |
| SHA256 | 818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371 |
| SHA512 | e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\checkbox_null.bmp
| MD5 | 5754c67775c3f4f50a4780b3bca026b1 |
| SHA1 | 3e95c72c13d6175ef275280fe270d678acee46e9 |
| SHA256 | 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739 |
| SHA512 | df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\btn_disagree.bmp
| MD5 | 5f7b90c87ea0517771862fae5f11ce94 |
| SHA1 | fc9f195e888d960139278c04a0e78996c6442d5b |
| SHA256 | f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2 |
| SHA512 | dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\OP_WndProc.dll
| MD5 | 765cf74fc709fb3450fa71aac44e7f53 |
| SHA1 | b423271b4faac68f88fef15fa4697cf0149bad85 |
| SHA256 | cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e |
| SHA512 | 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\LockedList.dll
| MD5 | 5a94bf8916a11b5fe94aca44886c9393 |
| SHA1 | 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93 |
| SHA256 | 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d |
| SHA512 | 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20 |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\btn_agree.bmp
| MD5 | dab018047c171165c18329d5c59b617e |
| SHA1 | 88848ac4aceb7358f13d225de6d4fd0a5696517a |
| SHA256 | 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734 |
| SHA512 | 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d |
C:\Users\Admin\AppData\Local\Temp\nswBCCA.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
memory/27788-39390-0x0000000010000000-0x000000001019F000-memory.dmp
memory/27788-39387-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39388-0x0000000000400000-0x000000000203F000-memory.dmp
memory/27788-39404-0x0000000000400000-0x000000000203F000-memory.dmp