Overview

overview

10

Static

static

1

2345pic_x64.msi

windows7-x64

8

2345pic_x64.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2345pic_x64.msi

  • Size

    79.4MB

  • MD5

    fe984489b63aa7cd7aee6c48fe69e08d

  • SHA1

    b5cac8c66311b7601e0ef2a1d134bf06a8079497

  • SHA256

    092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060

  • SHA512

    806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92

  • SSDEEP

    1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S

Score
10/10
gh0stratpurplefoxdiscoveryexecutionpersistenceprivilege_escalationratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 56 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2220
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4476
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1380
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 0E311BA5C80FBF9496B5BE399D19FB9C E Global\MSI0000
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4332
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe
            "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1020
        • C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
          "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2860
        • C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe
          "C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1860
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:3496
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs"
      1⤵
      • Modifies data under HKEY_USERS
      PID:4392
    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
      "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" install
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:2424
    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
      "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:2760
    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
      "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3448
      • C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
        "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 250 -file file3 -mode mode3 -flag flag3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2436
        • C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
          "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 132 -file file3 -mode mode3 -flag flag3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:3504

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57d274.rbs
      Filesize

      7KB

      MD5

      c8dc4ab472defe7fc733961fb6f2cd02

      SHA1

      e0f6c22a6b68feb723561c3440a0d93a805dcf0e

      SHA256

      1fbcc1926a95f7fea21d7c344298da37c82d350c3e1bbe49da756b4fd6bca0bb

      SHA512

      ac4a99f2f05a24193b72bc01cac8006d630ca0eee7ab7935228fed907714bfefa14b682e3a6ff3b8fdf0a2994cc9cc8f0eae1d6eedabc058c1714e5256805b58

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
      Filesize

      3.2MB

      MD5

      90a521d21169049fdf1a244fc2989377

      SHA1

      e9b0db47e89683444ba886fa8091167e160f6b30

      SHA256

      7dd65fb863051edda07d0f84c65c36cd7388aa28464eb3f6c541f73c9f195f41

      SHA512

      e20e25cf49489861dcb00cb4b38f9c96b26b016b55a9b92ab082ef422db98dad3936b6918b65f1874ba4fe1a0208e8bae701aaf3d7e3bdcca3f046eb0826f8dc

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs
      Filesize

      2KB

      MD5

      1e0499cb02d625084bc87bdc378c766f

      SHA1

      4a28d0d6b3f69ab3254a08be8a102bf5690d661f

      SHA256

      0a3a48ab6d2e8cb621cef3949557ee289d566f788e99d1091fb1a4fa838273b7

      SHA512

      37b147378920a187bb9d18ef930d9e86d12b238657e794398f32065b77211c165a6c680421d44742508d3bdbd0143431b0c37cc05056e9ce5ad1fc54727ff370

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
      Filesize

      832KB

      MD5

      d305d506c0095df8af223ac7d91ca327

      SHA1

      679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

      SHA256

      923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

      SHA512

      94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log
      Filesize

      266B

      MD5

      d18f87f7004e3ac55561aa704e26282c

      SHA1

      7fde867b93d5df3d213299288dbfb7b286afbec1

      SHA256

      b9d847d037dbedb3bbcacbc26eb9f74cc88bac0dd3b90dbb56d7a609113e65e9

      SHA512

      911373d38898f2e743bfc4ccb5e518e7dc5ef14d28fc537603efd1114103369a2978a2b000e8712e9c3b7908f0030f1f2172fd6da451fc00e89153d28eb43d05

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log
      Filesize

      422B

      MD5

      87b2d528ed00646fd75b4817f725032a

      SHA1

      e648eed484a5b1f25538144cda80d28fb6e3dea4

      SHA256

      8609d5b44d1cab003e0fc814b5cca783909f7121e2aa88ff873465ea68a52503

      SHA512

      a4fe9bfc4d4c1f093186df5bcaae6b369ebd8aefbc57518059f7a4bf9d2c06be72e9cd8883971a8be296b8b7b8d0bc804ec4967824054792dd157c42e30f402e

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log
      Filesize

      588B

      MD5

      757c15a14e12c68efbd01019dff55da0

      SHA1

      8e69abb44a442891fa6331643f180c5a95936c62

      SHA256

      1fc34ab60fe69645e7fba20ae74ef73c25de06df3cb766c491cd145f7f5c1310

      SHA512

      f39268a01c693c6bb5b348b69ed5c4c008877f7c0f0f6c9a9420aedf58c1577374bc69996d2fb2d0ee392587239e35aba66ace4067690bb81855d3875651eae2

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml
      Filesize

      437B

      MD5

      5bb0d373e349c5b338e75bb61087c8a7

      SHA1

      7f1ef7fdfd8be7d238dbda9a8742abd0e584e788

      SHA256

      82c7224a57ffe8384766daf2c00acb148d9ca79db5cb2bc222ec9f385bcd966c

      SHA512

      f887e41966eda84cafb7e003f946116be2d9dcc8fe1578050f296771ff8735fee06730de5cd1c7408148d91b61f5c87515c1b53440191e5a31f08317c6758a49

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg
      Filesize

      2.4MB

      MD5

      5ac34b87f21ae7fedf4dc629181decf0

      SHA1

      3890201e28d44a46b6e810b5bc5eddfec78d92b9

      SHA256

      ffc5b747ee4183aa7b298e7e296981d19321c208ae40b0052f1965033da5ebb4

      SHA512

      fbfee20bf2795f2e67ef24a1add342d61c131226ab74638447c5be70f4acd0ad9e51db1f58e69e4785446e2af71208a729636c0a79db1415712e67ebad8c2eda

      Download Submit

    • C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe
      Filesize

      577KB

      MD5

      c31c4b04558396c6fabab64dcf366534

      SHA1

      fa836d92edc577d6a17ded47641ba1938589b09a

      SHA256

      9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

      SHA512

      814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5t2erov1.mrf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsbFCB1.tmp\FileInfo.dll
      Filesize

      624KB

      MD5

      cc7eab4f83339cca63f763114ca04c6c

      SHA1

      4da526e8b270dc16865813801dc5bcda8162c09d

      SHA256

      a1c9c3b3bc8e75aa91f639da10835210e81aeb7fb5db79ac0703e1594e516b5b

      SHA512

      d1df9bdb61dcc95e579adf4891c000feee83f9f4a3f82debca617fb62afff16707707681c2f2655aa02756873d5251db74d5b843ec56c3e12ab1120355360ef0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsbFCB1.tmp\RCWidgetPlugin.dll
      Filesize

      2.4MB

      MD5

      2f2ae26fd88c512ac0feb39fa42ee894

      SHA1

      ac50a5fd61933bdd2a54e6503e39438f05af3304

      SHA256

      9117cafe403e445a291141ee898845799a165c383d3dfcf76c1870f66782e6b1

      SHA512

      b919244cd08118a2258cb062e5ce3a4626d82ed0ca3600a018bdb97962b9f96d57d1a08d338fd41fbae4af72debf7840707f67d442e53ec8a15cb8002ee725e6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsbFCB1.tmp\System.dll
      Filesize

      27KB

      MD5

      a568feaa357f44dd50c5e447fa8ee1b2

      SHA1

      5c765fad342b756d5ea522087c6f7567b5f3ed57

      SHA256

      57947a15ad3215185c7e15a5f0da393570845a13ab7b184a07fcefbf97537e48

      SHA512

      7c8c36c0123de839e677beeba65c1af56c5e85d8f1ff2c94950aed33e026dff3fbda8c49859012862110117977c928b814c0d91c477583a2b8f83d73f3cdf174

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsbFCB1.tmp\libcurl_x86.dll
      Filesize

      2.1MB

      MD5

      a26e75c0407c87786eea42febdb32532

      SHA1

      27e52fdca023cb8f031cd55ac37965d93f7f7da7

      SHA256

      635f988beb849c6510f54f681387bf810c2266bd27834c5a9c160cbfe6df44d4

      SHA512

      fdd9760442579ad2a3df4f31464f9e66bc19a4390fa1c81afb516cce817097b5324024f712d9c1bf1a11ad30324f5a8aa83c72a732e1197e8804ab806d3859e6

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log
      Filesize

      1KB

      MD5

      122cf3c4f3452a55a92edee78316e071

      SHA1

      f2caa36d483076c92d17224cf92e260516b3cbbf

      SHA256

      42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

      SHA512

      c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      df26b32c0d5372231cab50e082ea36d1

      SHA1

      5549f80198d7bcfa70e2dcc29b7c2ca74674b702

      SHA256

      372d3aebdbe30737198d4af177b4d30b3bb361717404c169135caf7ccfa1ccf8

      SHA512

      6a916066a5aa7aeac81cd221917005104303c0f8a62631b566c18e9b28145635551eae4b40e9b4ac19bba1a6b5c370dfdf61e7fa078a5d94e395a0f09ffdf4d6

      Download Submit

    • \??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{362a17aa-4295-4ed9-ab1b-84bf7668cf61}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      cecbe3a64cdd057f48d8cc93c89df349

      SHA1

      922538d893d4f608443b37badaab9883827d0772

      SHA256

      d7268ae513381e4fb0a20bf404683973d8db3319578cd5277a5677f80815d48f

      SHA512

      052912baec91f573a95814b5d49c82d7fb6e43947ec49253fccf1063e57966056550df283c50709c8fe8816be0fcfa731f33812e7dba13465d06c9d43cdc2b74

      Download Submit

    • memory/2424-68-0x0000000000FE0000-0x00000000010B6000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2860-39-0x000000002A090000-0x000000002A0BF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/3504-111-0x000000002B8E0000-0x000000002BA9D000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3504-110-0x0000000029CC0000-0x0000000029D0D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/3504-113-0x000000002B8E0000-0x000000002BA9D000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3504-114-0x000000002B8E0000-0x000000002BA9D000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3504-115-0x000000002B8E0000-0x000000002BA9D000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4332-18-0x0000016AAEAD0000-0x0000016AAEAF2000-memory.dmp

      Filesize

      136KB

      Download