Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
10-11-2024 10:54
General
-
Target
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi
-
Size
135.9MB
-
MD5
9bb81bdc5e28a397f25617a22b9e157d
-
SHA1
e9e78c22ff047b35c2a6691295a9df62de203df0
-
SHA256
252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d
-
SHA512
dc5678fd1441a5b65792f16ffc64694029f2b70dabcb4d54908121c2267d0f34b4de83d951a656267c80e288d9b0b0030d42572a7782d45762427be07c61483d
-
SSDEEP
3145728:9QlSw/0KksfWneWVr6/4J3DYgxqmz8CZCLLURIq3MmzJPeHeZ:GlSw/7ksOneWVm/CDYddLYIcMeZ
Malware Config
Signatures
-
Detect PurpleFox Rootkit 1 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 12 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\252115f874019044de7f7ebd36067537ab1e65b51ab771ec447b073fd9d6045d.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7C029A7D7310EADDF4E52B7A33418122⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Installer\MSIEBF9.tmp"C:\Windows\Installer\MSIEBF9.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\Installer\MSIEC3A.tmp"C:\Windows\Installer\MSIEC3A.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -auto1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -acsi2⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
420KB
MD5fd6ffc21854389eef57b121920d7eb53
SHA18aac2bf77db334cd65d8d6c97367eb7ec86d0e5d
SHA2560fd912837817a118362aa21689ee9b3a009734bccde647071e9aaed430703e9f
SHA5129f2756c4bf8444ec5a5aa0076849cbaf082747677b5d4a53eda832c824c949b8b06429a7bd107a59e508de5406faabc386a3b7291509c43d2864197d272b9ec8
-
Filesize
27.6MB
MD527efe6811144928bfa97cd230d186b27
SHA11fe73e16d011fcaf8846184da6a55f305f676438
SHA2561612b03971062edc8cc50072404c5734e6d3ce28a3e32d45418fce6bf6a071aa
SHA51293d554c4d0b1e589c9c284f3954931232f34abf4da09c57b0c4f1f50cf618406a7d652c545800b346cee40099164f3397b8e7a075c9e3ff9e110331bf4d3f7e4
-
Filesize
48KB
MD5765cf74fc709fb3450fa71aac44e7f53
SHA1b423271b4faac68f88fef15fa4697cf0149bad85
SHA256cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e
SHA5120c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6
-
Filesize
38KB
MD5dab018047c171165c18329d5c59b617e
SHA188848ac4aceb7358f13d225de6d4fd0a5696517a
SHA2561cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734
SHA5121f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d
-
Filesize
38KB
MD55f7b90c87ea0517771862fae5f11ce94
SHA1fc9f195e888d960139278c04a0e78996c6442d5b
SHA256f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2
SHA512dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0
-
Filesize
3KB
MD55754c67775c3f4f50a4780b3bca026b1
SHA13e95c72c13d6175ef275280fe270d678acee46e9
SHA2562a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739
SHA512df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f
-
Filesize
908KB
MD53d3ec6392cf9a8b408569a3dd4cd3ce8
SHA195ff4346eb20d9239c37e6538bb8df8542d3300a
SHA256818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371
SHA512e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505
-
Filesize
587KB
MD5c7fbd5ee98e32a77edf1156db3fca622
SHA13e534fc55882e9fb940c9ae81e6f8a92a07125a0
SHA256e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6
SHA5128691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a
-
Filesize
419KB
MD5cac0eaeb267d81cf3fa968ee23a6af9d
SHA1cf6ae8e44fb4949d5f0b01b110eaba49d39270a2
SHA256f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774
SHA5128edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b
-
Filesize
95KB
MD55a94bf8916a11b5fe94aca44886c9393
SHA1820d9c5e3365e323d6f43d3cce26fd9d2ea48b93
SHA2560b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d
SHA51279cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20
-
Filesize
4KB
MD529818862640ac659ce520c9c64e63e9e
SHA1485e1e6cc552fa4f05fb767043b1e7c9eb80be64
SHA256e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb
SHA512ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
9KB
MD54ccc4a742d4423f2f0ed744fd9c81f63
SHA1704f00a1acc327fd879cf75fc90d0b8f927c36bc
SHA256416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
SHA512790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
284KB
-
Filesize
27.6MB
-
Filesize
27.6MB
-
Filesize
27.6MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
27.6MB
-
Filesize
8KB
-
Filesize
8KB
