Analysis Overview
SHA256
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d
Threat Level: Known bad
The file 252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi.vir was found to be: Known bad.
Malicious Activity Summary
Purplefox family
Gh0strat family
Gh0st RAT payload
Detect PurpleFox Rootkit
Gh0strat
PurpleFox
Enumerates connected drives
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Loads dropped DLL
Executes dropped EXE
Event Triggered Execution: Installer Packages
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 17:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 17:39
Reported
2024-11-09 17:42
Platform
win7-20240903-en
Max time kernel
146s
Max time network
153s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Vnfvn.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Vnfvn.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f776c2e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7024.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI70F1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f776c2e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f776c2b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6CB7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6D83.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6E20.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f776c2b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7160.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSI70F1.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSI7160.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI7160.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSI70F1.tmp | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 71815905A0BB71C0CF228E420E8651A8
C:\Windows\Installer\MSI70F1.tmp
"C:\Windows\Installer\MSI70F1.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Windows\Installer\MSI7160.tmp
"C:\Windows\Installer\MSI7160.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe
"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Windows\SysWOW64\Vnfvn.exe
C:\Windows\SysWOW64\Vnfvn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul
C:\Windows\SysWOW64\Vnfvn.exe
C:\Windows\SysWOW64\Vnfvn.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| HK | 206.119.82.22:1798 | tcp |
Files
C:\Windows\Installer\MSI6CB7.tmp
| MD5 | c7fbd5ee98e32a77edf1156db3fca622 |
| SHA1 | 3e534fc55882e9fb940c9ae81e6f8a92a07125a0 |
| SHA256 | e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6 |
| SHA512 | 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a |
C:\Config.Msi\f776c2f.rbs
| MD5 | e4675b8afdbe03a9886a35a1b39b431a |
| SHA1 | b8a2d084cac9485bb5c56fcf98794aa5b262c432 |
| SHA256 | d121e664bbff28e94f3ba70a1af259ac6e45d3e41ca5e42b42bdc9304c386f2d |
| SHA512 | 69851553fe244bbe14058641b2774c32837bd6cfa84f36eae729842df1bcfc3f0c7ea54c1f34677cd1c23c100f16fb0a8c2d0afeb45cea634400eb04df24928f |
C:\Windows\Installer\MSI70F1.tmp
| MD5 | cac0eaeb267d81cf3fa968ee23a6af9d |
| SHA1 | cf6ae8e44fb4949d5f0b01b110eaba49d39270a2 |
| SHA256 | f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774 |
| SHA512 | 8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b |
memory/2612-36-0x0000000000120000-0x0000000000122000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
| MD5 | 27efe6811144928bfa97cd230d186b27 |
| SHA1 | 1fe73e16d011fcaf8846184da6a55f305f676438 |
| SHA256 | 1612b03971062edc8cc50072404c5734e6d3ce28a3e32d45418fce6bf6a071aa |
| SHA512 | 93d554c4d0b1e589c9c284f3954931232f34abf4da09c57b0c4f1f50cf618406a7d652c545800b346cee40099164f3397b8e7a075c9e3ff9e110331bf4d3f7e4 |
memory/804-45-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/804-46-0x00000000027E0000-0x0000000004376000-memory.dmp
memory/804-47-0x00000000766B0000-0x00000000766F7000-memory.dmp
memory/804-872-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-870-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-868-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-866-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-864-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-862-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-860-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-858-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-857-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-954-0x00000000027E0000-0x0000000004376000-memory.dmp
memory/804-916-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-914-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-912-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-910-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-908-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-906-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-904-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-902-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-900-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-898-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-896-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-894-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-892-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-890-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-888-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-886-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-884-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-882-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-881-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-878-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-876-0x00000000043A0000-0x00000000044B1000-memory.dmp
memory/804-874-0x00000000043A0000-0x00000000044B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsz738D.tmp\SkinBtn.dll
| MD5 | 29818862640ac659ce520c9c64e63e9e |
| SHA1 | 485e1e6cc552fa4f05fb767043b1e7c9eb80be64 |
| SHA256 | e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb |
| SHA512 | ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057 |
C:\Users\Admin\AppData\Local\Temp\nsz738D.tmp\slide6.bmp
| MD5 | 3d3ec6392cf9a8b408569a3dd4cd3ce8 |
| SHA1 | 95ff4346eb20d9239c37e6538bb8df8542d3300a |
| SHA256 | 818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371 |
| SHA512 | e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505 |
\Users\Admin\AppData\Local\Temp\nsz738D.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsz738D.tmp\checkbox_null.bmp
| MD5 | 5754c67775c3f4f50a4780b3bca026b1 |
| SHA1 | 3e95c72c13d6175ef275280fe270d678acee46e9 |
| SHA256 | 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739 |
| SHA512 | df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f |
\Users\Admin\AppData\Local\Temp\nsz738D.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsz738D.tmp\btn_disagree.bmp
| MD5 | 5f7b90c87ea0517771862fae5f11ce94 |
| SHA1 | fc9f195e888d960139278c04a0e78996c6442d5b |
| SHA256 | f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2 |
| SHA512 | dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0 |
C:\Users\Admin\AppData\Local\Temp\nsz738D.tmp\btn_agree.bmp
| MD5 | dab018047c171165c18329d5c59b617e |
| SHA1 | 88848ac4aceb7358f13d225de6d4fd0a5696517a |
| SHA256 | 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734 |
| SHA512 | 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d |
\Users\Admin\AppData\Local\Temp\nsz738D.tmp\LockedList.dll
| MD5 | 5a94bf8916a11b5fe94aca44886c9393 |
| SHA1 | 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93 |
| SHA256 | 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d |
| SHA512 | 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20 |
C:\Users\Admin\AppData\Local\Temp\nsz738D.tmp\OP_WndProc.dll
| MD5 | 765cf74fc709fb3450fa71aac44e7f53 |
| SHA1 | b423271b4faac68f88fef15fa4697cf0149bad85 |
| SHA256 | cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e |
| SHA512 | 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6 |
memory/804-17546-0x0000000000400000-0x0000000001F96000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 17:39
Reported
2024-11-09 17:42
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Vnfvn.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Vnfvn.exe | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e57b5b3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB9FB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBA2B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBE34.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBFBC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57b5b3.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBA99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{4B2B1826-5935-494B-B7C1-90C074EA6814} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB9AC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBFFB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB6FC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Installer\MSIBFBC.tmp | N/A |
| N/A | N/A | C:\Windows\Installer\MSIBFFB.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIBFBC.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Installer\MSIBFFB.tmp | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Vnfvn.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F4A2B54190F5B448FD5F8515CA3092A7
C:\Windows\Installer\MSIBFBC.tmp
"C:\Windows\Installer\MSIBFBC.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Windows\Installer\MSIBFFB.tmp
"C:\Windows\Installer\MSIBFFB.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe
"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
C:\Windows\SysWOW64\Vnfvn.exe
C:\Windows\SysWOW64\Vnfvn.exe -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul
C:\Windows\SysWOW64\Vnfvn.exe
C:\Windows\SysWOW64\Vnfvn.exe -acsi
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| HK | 206.119.82.22:1798 | tcp | |
| US | 8.8.8.8:53 | 22.82.119.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIB6FC.tmp
| MD5 | c7fbd5ee98e32a77edf1156db3fca622 |
| SHA1 | 3e534fc55882e9fb940c9ae81e6f8a92a07125a0 |
| SHA256 | e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6 |
| SHA512 | 8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a |
C:\Config.Msi\e57b5b6.rbs
| MD5 | 273ee47518f7f6a8e92add0144e0e177 |
| SHA1 | 71322c14aae581b9c41263c9cb2fb0e0278cd2ee |
| SHA256 | ab278ad542d34eada1da87de24adcb6d7838a34ff84db2d88c143684306542fb |
| SHA512 | 55ae371fb8937614bf84aaf1bfbea1b9b2bc7363f3ffba189647b2f45b3e48db3b59c84dd2bbfc1e16b60196a2fc172a762698ea9ad2212f9a463a3146b87a90 |
C:\Windows\Installer\MSIBFBC.tmp
| MD5 | cac0eaeb267d81cf3fa968ee23a6af9d |
| SHA1 | cf6ae8e44fb4949d5f0b01b110eaba49d39270a2 |
| SHA256 | f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774 |
| SHA512 | 8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b |
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
| MD5 | 27efe6811144928bfa97cd230d186b27 |
| SHA1 | 1fe73e16d011fcaf8846184da6a55f305f676438 |
| SHA256 | 1612b03971062edc8cc50072404c5734e6d3ce28a3e32d45418fce6bf6a071aa |
| SHA512 | 93d554c4d0b1e589c9c284f3954931232f34abf4da09c57b0c4f1f50cf618406a7d652c545800b346cee40099164f3397b8e7a075c9e3ff9e110331bf4d3f7e4 |
memory/3584-47-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-48-0x0000000075E20000-0x0000000076035000-memory.dmp
memory/3584-3925-0x0000000076940000-0x0000000076AE0000-memory.dmp
memory/3584-5934-0x00000000768B0000-0x000000007692A000-memory.dmp
memory/3584-13119-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-13120-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-13122-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-13121-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-13124-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3584-13125-0x0000000010000000-0x000000001019F000-memory.dmp
memory/3104-13136-0x0000000075E20000-0x0000000076035000-memory.dmp
memory/3584-14425-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-17011-0x0000000076940000-0x0000000076AE0000-memory.dmp
memory/3104-19020-0x00000000768B0000-0x000000007692A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\SkinBtn.dll
| MD5 | 29818862640ac659ce520c9c64e63e9e |
| SHA1 | 485e1e6cc552fa4f05fb767043b1e7c9eb80be64 |
| SHA256 | e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb |
| SHA512 | ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\slide6.bmp
| MD5 | 3d3ec6392cf9a8b408569a3dd4cd3ce8 |
| SHA1 | 95ff4346eb20d9239c37e6538bb8df8542d3300a |
| SHA256 | 818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371 |
| SHA512 | e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\System.dll
| MD5 | bf712f32249029466fa86756f5546950 |
| SHA1 | 75ac4dc4808ac148ddd78f6b89a51afbd4091c2e |
| SHA256 | 7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af |
| SHA512 | 13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\checkbox_null.bmp
| MD5 | 5754c67775c3f4f50a4780b3bca026b1 |
| SHA1 | 3e95c72c13d6175ef275280fe270d678acee46e9 |
| SHA256 | 2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739 |
| SHA512 | df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\nsDialogs.dll
| MD5 | 4ccc4a742d4423f2f0ed744fd9c81f63 |
| SHA1 | 704f00a1acc327fd879cf75fc90d0b8f927c36bc |
| SHA256 | 416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6 |
| SHA512 | 790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\btn_disagree.bmp
| MD5 | 5f7b90c87ea0517771862fae5f11ce94 |
| SHA1 | fc9f195e888d960139278c04a0e78996c6442d5b |
| SHA256 | f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2 |
| SHA512 | dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\OP_WndProc.dll
| MD5 | 765cf74fc709fb3450fa71aac44e7f53 |
| SHA1 | b423271b4faac68f88fef15fa4697cf0149bad85 |
| SHA256 | cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e |
| SHA512 | 0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\LockedList.dll
| MD5 | 5a94bf8916a11b5fe94aca44886c9393 |
| SHA1 | 820d9c5e3365e323d6f43d3cce26fd9d2ea48b93 |
| SHA256 | 0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d |
| SHA512 | 79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20 |
C:\Users\Admin\AppData\Local\Temp\nsvC66F.tmp\btn_agree.bmp
| MD5 | dab018047c171165c18329d5c59b617e |
| SHA1 | 88848ac4aceb7358f13d225de6d4fd0a5696517a |
| SHA256 | 1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734 |
| SHA512 | 1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d |
memory/3104-26299-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26300-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26303-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26302-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26301-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26305-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/3104-26315-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-26316-0x0000000075E20000-0x0000000076035000-memory.dmp
memory/6288-30190-0x0000000076940000-0x0000000076AE0000-memory.dmp
memory/6288-32199-0x00000000768B0000-0x000000007692A000-memory.dmp
memory/6288-39384-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-39387-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-39386-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-39388-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-39390-0x0000000000400000-0x0000000001F96000-memory.dmp
memory/6288-39406-0x0000000000400000-0x0000000001F96000-memory.dmp