gh0strat | b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a

Analysis

max time kernel
148s
max time network
161s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
16-11-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
Size

265.5MB
MD5

ba1524657e23f77a7c91c2e89817dc03
SHA1

5759d61e85d0a6e528f4f0cde621e02d692f8151
SHA256

b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a
SHA512

d096b401ac8cdd86f6b55b44a2946d95bd81be15233952401265201bcd48e0af9f2fe0679964a0862d1046f08f8458dcc24e96f008e9d75675a9f2e059082234
SSDEEP

3145728:CPZHar69MPLkp0/LtpZ+WE5KPLo4xpksqqtPTel5W4XfWymu5nR/8ZM3GZV/ArfC:qZ6r69MYpet/+ZQLoeBJilujY7Ws0qH

Score

10^/10

gh0strat purplefox discovery persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2288-69-0x0000000010000000-0x0000000010199000-memory.dmp	purplefox_rootkit
behavioral1/memory/2288-75-0x0000000000400000-0x0000000001400000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral1/memory/2288-69-0x0000000010000000-0x0000000010199000-memory.dmp	family_gh0strat
behavioral1/memory/2288-75-0x0000000000400000-0x0000000001400000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2288-67-0x0000000000400000-0x0000000001400000-memory.dmp	upx
behavioral1/memory/2288-75-0x0000000000400000-0x0000000001400000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe	msiexec.exe
File created	C:\Program Files (x86)\aisizhushou-\aisizhushou-\i4Tools_v7.98.79_Setup.exe	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f771c18.msi	msiexec.exe
File created	C:\Windows\Installer\f771c19.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f771c19.ipi	msiexec.exe
File created	C:\Windows\Installer\f771c1b.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f771c18.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2001.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2233.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2288	dzaisizs.exe

Loads dropped DLL 10 IoCs

pid	Process
2252	MsiExec.exe
2252	MsiExec.exe
2252	MsiExec.exe
2252	MsiExec.exe
2252	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
1976	MsiExec.exe
2252	MsiExec.exe
2252	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2336	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzaisizs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\PackageName = "b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\ProductName = "aisizhushou-"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\PackageCode = "95641163BFAAC2E49B6EE9D7E385965F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\470E4FB4BAE8D444894A278DEDA96B53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Language = "2052"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\470E4FB4BAE8D444894A278DEDA96B53\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\35A369A6BA02B8F4EB1FE568BE878C7E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\35A369A6BA02B8F4EB1FE568BE878C7E\470E4FB4BAE8D444894A278DEDA96B53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1492	msiexec.exe
1492	msiexec.exe
2288	dzaisizs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2336	msiexec.exe
Token: SeRestorePrivilege	1492	msiexec.exe
Token: SeTakeOwnershipPrivilege	1492	msiexec.exe
Token: SeSecurityPrivilege	1492	msiexec.exe
Token: SeCreateTokenPrivilege	2336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2336	msiexec.exe
Token: SeLockMemoryPrivilege	2336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2336	msiexec.exe
Token: SeMachineAccountPrivilege	2336	msiexec.exe
Token: SeTcbPrivilege	2336	msiexec.exe
Token: SeSecurityPrivilege	2336	msiexec.exe
Token: SeTakeOwnershipPrivilege	2336	msiexec.exe
Token: SeLoadDriverPrivilege	2336	msiexec.exe
Token: SeSystemProfilePrivilege	2336	msiexec.exe
Token: SeSystemtimePrivilege	2336	msiexec.exe
Token: SeProfSingleProcessPrivilege	2336	msiexec.exe
Token: SeIncBasePriorityPrivilege	2336	msiexec.exe
Token: SeCreatePagefilePrivilege	2336	msiexec.exe
Token: SeCreatePermanentPrivilege	2336	msiexec.exe
Token: SeBackupPrivilege	2336	msiexec.exe
Token: SeRestorePrivilege	2336	msiexec.exe
Token: SeShutdownPrivilege	2336	msiexec.exe
Token: SeDebugPrivilege	2336	msiexec.exe
Token: SeAuditPrivilege	2336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2336	msiexec.exe
Token: SeChangeNotifyPrivilege	2336	msiexec.exe
Token: SeRemoteShutdownPrivilege	2336	msiexec.exe
Token: SeUndockPrivilege	2336	msiexec.exe
Token: SeSyncAgentPrivilege	2336	msiexec.exe
Token: SeEnableDelegationPrivilege	2336	msiexec.exe
Token: SeManageVolumePrivilege	2336	msiexec.exe
Token: SeImpersonatePrivilege	2336	msiexec.exe
Token: SeCreateGlobalPrivilege	2336	msiexec.exe
Token: SeCreateTokenPrivilege	2336	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2336	msiexec.exe
Token: SeLockMemoryPrivilege	2336	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2336	msiexec.exe
Token: SeMachineAccountPrivilege	2336	msiexec.exe
Token: SeTcbPrivilege	2336	msiexec.exe
Token: SeSecurityPrivilege	2336	msiexec.exe
Token: SeTakeOwnershipPrivilege	2336	msiexec.exe
Token: SeLoadDriverPrivilege	2336	msiexec.exe
Token: SeSystemProfilePrivilege	2336	msiexec.exe
Token: SeSystemtimePrivilege	2336	msiexec.exe
Token: SeProfSingleProcessPrivilege	2336	msiexec.exe
Token: SeIncBasePriorityPrivilege	2336	msiexec.exe
Token: SeCreatePagefilePrivilege	2336	msiexec.exe
Token: SeCreatePermanentPrivilege	2336	msiexec.exe
Token: SeBackupPrivilege	2336	msiexec.exe
Token: SeRestorePrivilege	2336	msiexec.exe
Token: SeShutdownPrivilege	2336	msiexec.exe
Token: SeDebugPrivilege	2336	msiexec.exe
Token: SeAuditPrivilege	2336	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2336	msiexec.exe
Token: SeChangeNotifyPrivilege	2336	msiexec.exe
Token: SeRemoteShutdownPrivilege	2336	msiexec.exe
Token: SeUndockPrivilege	2336	msiexec.exe
Token: SeSyncAgentPrivilege	2336	msiexec.exe
Token: SeEnableDelegationPrivilege	2336	msiexec.exe
Token: SeManageVolumePrivilege	2336	msiexec.exe
Token: SeImpersonatePrivilege	2336	msiexec.exe
Token: SeCreateGlobalPrivilege	2336	msiexec.exe
Token: SeCreateTokenPrivilege	2336	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2336	msiexec.exe
2336	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2288	dzaisizs.exe
2288	dzaisizs.exe
2288	dzaisizs.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 2252	1492	msiexec.exe	32
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 1492 wrote to memory of 1976	1492	msiexec.exe	36
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38
PID 2252 wrote to memory of 2288	2252	MsiExec.exe	38

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2336

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7C4A0C7DFC1B1F5A5C27F81432905 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe
    "C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1A753460E74E98851D0632E24BA1B57
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2960

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000384" "00000000000004A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771c1a.rbs

Filesize
8KB

MD5
f7fe0bb484e754fee5ad004258cee9f1

SHA1
99bcd9a386e775fb73c6e9d3bc45ffb3518ba180

SHA256
e779030a1b287f0279ba2ff834d9d6ad4ce40e5dc0baa3468a9280aedfff37bb

SHA512
0c8c7c0e7521b247adb6852a9c7be41c0894c18cecfefc8af44647cd1e187808db66bbbfe9624d3074e617157e8dfde6ef44162a1028dd1a9f1637714024435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE080.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE1F9.tmp

Filesize
287KB

MD5
30ee500e69f06a463f668522fc789945

SHA1
c67a201b59ca2388e8ef060de287a678f1fae705

SHA256
849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

SHA512
87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

Download Submit
memory/2288-67-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2288-69-0x0000000010000000-0x0000000010199000-memory.dmp

Filesize
1.6MB

Download
memory/2288-75-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download