Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2024 03:57

General

  • Target

    Fanyi.msi

  • Size

    26.5MB

  • MD5

    3d6804261513077c81543bfa24503bae

  • SHA1

    a5b387c2402a77bf6ffd6835dbf79129a41a4ec6

  • SHA256

    bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112

  • SHA512

    899b6e4ebe9ea71a37772149a78ed19b9e09d6b0b9f8287b85a484008d6e6ad0efa99eabf4c245958929a1f0b52672ffec05cb824578738fbb0107f312f531ec

  • SSDEEP

    786432:FyPHKm4X1Ut5pZnm0p0syQvIwOpc1SYrBsff/p9QE:FEqm4X1U5pZm02syQt4iZr4n

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, and processes.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 56 IoCs
  • Modifies registry class 22 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fanyi.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1560
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:5048
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 5804F76620F5D960600CE394027C5685 E Global\MSI0000
        2⤵
        • Drops file in Program Files directory
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
            "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3516
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.1 -n 2
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3352
          • C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
            "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
            4⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
        • C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
          "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 180 -file file3 -mode mode3
          3⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1276
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Windows\System32\WScript.exe
      C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"
      1⤵
      • Modifies data under HKEY_USERS
      PID:4656
    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
      "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:5076
    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
      "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      PID:2672
    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
      "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
        "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 109 -file file3 -mode mode3
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
          "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3
          3⤵
          • Enumerates connected drives
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          PID:4936

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57b73b.rbs

      Filesize

      7KB

      MD5

      efd30e2462127d66ea098c6d5df8c7d9

      SHA1

      47429d5c3328f07bf0e208b46084ab88580e46f3

      SHA256

      730adbbaa7dde3a16be5dcab96562119ac84dbc5332091e6a842c9ede57e3ab1

      SHA512

      0685fc25797c515efbf0848dda9d8090e52b26795dc89af05533299dcebbe8802d359fa95e1bf6ee7bdedd746d447c49b70bd4f96ef49ac0473c3cf1dd735f3c

    • C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe

      Filesize

      2.8MB

      MD5

      0e76fd2dd06b069ed52c2f632ea0a532

      SHA1

      1f7abe1527bd0670346354a71c0d3e25a0c45d09

      SHA256

      262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9

      SHA512

      db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe

      Filesize

      832KB

      MD5

      d305d506c0095df8af223ac7d91ca327

      SHA1

      679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

      SHA256

      923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

      SHA512

      94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

      Filesize

      288B

      MD5

      4b98fe94da93c769d70877f256a9852b

      SHA1

      4bf1229354f443a35162eda5c97541bdfb18a226

      SHA256

      d303ee161850f87b2cb855dc2591fd282a3a8fa577b2ea9a63315eed84435a8d

      SHA512

      6f6d8d2de4affe66af22862ebd2942d79dd0bcd770bcd75ec935e5f0604d96c5cb0c16ca321c7dcf6fcb822973cc58f8fd0bac8d149ece31d01658e1be9a8d42

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

      Filesize

      455B

      MD5

      c9b8b28e713ac8357694e0b76e7ee78d

      SHA1

      ff1275e6b40cc3d4ccda77573ad41c969e3aaaf6

      SHA256

      19ea7df6e03fbab4e4314ca37351eadde94971e307e6856b96a4f96d568aa17f

      SHA512

      a44ece08d88a7853c8967ef53c8278c08916daf148c99369819fef494fc71fb5874bd62ed944d9509717bdb7b409aaa4d2233f16cd6d29d0eb643e85582e4b2e

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

      Filesize

      632B

      MD5

      67a6c8438f0388678973083f0ec5645b

      SHA1

      0690456abbb77669fa513d111000327aaa54f5bd

      SHA256

      2d5da88a96de55bcd213a971110d002667f56f5d77b9892a82ffbac92db0c8bc

      SHA512

      a7b7695618df6b35e4a9d7fcf742205636a9a51022d2d07e5629637355926c12905e2b16fb02038809c522195b6e551223a1adc71b5fa5ecdd34010d51570850

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log

      Filesize

      770B

      MD5

      4db9712873117b640e4482da72e75ee2

      SHA1

      2d55346aef9a813d352da26131a78055bcc00ddb

      SHA256

      bed9fb42dad84221e03b2757c23cccb5fcd24533d7207479d44a603f3a22eea3

      SHA512

      d104c6ed609391c6005827db90fc5d955ee1513246ad4e962e8d84cd8a9c1d54ce6417a62c13a058264ef49a4126a7983b1bb9e821d156b386e7c36e2ab91709

    • C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml

      Filesize

      447B

      MD5

      3b942a37e0de1ccf15af63724e09c55f

      SHA1

      cc3ca1a1998c48cf3c9425c12e703accc7187cc4

      SHA256

      c616cfdab5db1b5d31f8a551f5fbf4ee99a1896733e07ca62b3c45e5263c4a9d

      SHA512

      2a5670891b34de3a72d36e8b184072b808c587109871f8ed89f661da1447478db07010866072306545d7f7c20c3b6a30d217e94a84694aa5babbd4ac6bdacfd4

    • C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx

      Filesize

      2.2MB

      MD5

      ce383e5084ed5e632f4daa4d67419699

      SHA1

      d7c33fe3e8b5924abe5b171e1a04fb6c057828ec

      SHA256

      7e99e636ee0d1dd375e3a9708ed9abf4e24c065fc666f29cea73b210e5a4d3c7

      SHA512

      e19dc8c9b1abd5578d386c4bb7609336f71211bdbf809e9f4826f77d09a7a4b7a55d50a887b3a818f5b9fbe0a33df6aabf0892ac4b609bd035055af680a6baec

    • C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ

      Filesize

      2.2MB

      MD5

      3f13e97feef00523f66fa7712c761086

      SHA1

      8f423c0ca6b6ccef72a72e663784c479e4e0c6d8

      SHA256

      76e46c8dd318c90073888022563019f0027a33258c4656bd65321847d8ce758c

      SHA512

      8e4ca0967df09f0d136974987e7044b0b81802d53f50c9aa91acd752ac9832ffb4dcb32e6e21b4371e836bd6efb2d12796c518a7d1b2a26c8a25738c98b97e3c

    • C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs

      Filesize

      2KB

      MD5

      52009f48e9e0b20f57bad46cbcb394cf

      SHA1

      add56fb60a485bd2e8e51e92dad44c06f6404858

      SHA256

      8640976c703cb5f3177959424c3d3049fab696a8fe1f637539fc0e96bbb712c9

      SHA512

      2c602469c0db4a52e452e764aa2bd4f502d18d2b76ed6e28850aa61d021f34080653407b8e3c26e6b310f3cbed378ed320d31a2037aca434339278618b2209e4

    • C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe

      Filesize

      577KB

      MD5

      c31c4b04558396c6fabab64dcf366534

      SHA1

      fa836d92edc577d6a17ded47641ba1938589b09a

      SHA256

      9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

      SHA512

      814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2aj2cll.i2b.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Installer\e57b73a.msi

      Filesize

      26.5MB

      MD5

      3d6804261513077c81543bfa24503bae

      SHA1

      a5b387c2402a77bf6ffd6835dbf79129a41a4ec6

      SHA256

      bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112

      SHA512

      899b6e4ebe9ea71a37772149a78ed19b9e09d6b0b9f8287b85a484008d6e6ad0efa99eabf4c245958929a1f0b52672ffec05cb824578738fbb0107f312f531ec

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log

      Filesize

      1KB

      MD5

      122cf3c4f3452a55a92edee78316e071

      SHA1

      f2caa36d483076c92d17224cf92e260516b3cbbf

      SHA256

      42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

      SHA512

      c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.1MB

      MD5

      213e760dea6108c3a3e886bf4e805390

      SHA1

      ed367b0f24f2fb1b8888bbb74d9c8a7f144ea73e

      SHA256

      ac17cbd1cf55df00c80a26ca231992fa643111c826ad050f4c4d3451bf4a00b3

      SHA512

      73f6014d95b6edd27791fed177d3080e9c974965c098d47d97d906d20b4ed39d80f90d4ddf0297e7bf6d5aa53618de132d5fb88a43b427b4c53825c4ccfc936c

    • \??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d6b2313-e2f3-4345-9c62-8561546a7f51}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      b823cdbb35892b48fffa46c25cfba8ff

      SHA1

      af25ab834d76a224e4fd2b75930c9b065b683be1

      SHA256

      481f04b93c31be2b079b1965f02dd648a0998c08c5ebdf1d86315ac2ee6d8d7b

      SHA512

      4c91ce6d36732ba5e137d1dac01f57079874eb29f52874a05c0f4fea39130c1371eb7b74b6c5400e3acb2ce0e73a887a1b9d897a60f41aff707bbdcf68cace26

    • memory/1276-63-0x0000000009F20000-0x0000000009F4F000-memory.dmp

      Filesize

      188KB

    • memory/2140-22-0x000001CBF0280000-0x000001CBF02A2000-memory.dmp

      Filesize

      136KB

    • memory/4936-98-0x0000000029D40000-0x0000000029D8D000-memory.dmp

      Filesize

      308KB

    • memory/4936-99-0x000000002B970000-0x000000002BB2D000-memory.dmp

      Filesize

      1.7MB

    • memory/4936-101-0x000000002B970000-0x000000002BB2D000-memory.dmp

      Filesize

      1.7MB

    • memory/4936-102-0x000000002B970000-0x000000002BB2D000-memory.dmp

      Filesize

      1.7MB

    • memory/4936-103-0x000000002B970000-0x000000002BB2D000-memory.dmp

      Filesize

      1.7MB

    • memory/5076-68-0x0000000000FE0000-0x00000000010B6000-memory.dmp

      Filesize

      856KB