purplefox | 6c77bf7ca5b7bb5ce7e926e8981600f7c9fda533bbbf5df1a544c37d892948bd

Analysis

max time kernel
121s
max time network
134s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vvmchet-windovv.msi
Size

313.0MB
MD5

b433ac6a628665157c009834c3c41634
SHA1

567f922c4595d535e96b21741156f29ebb61341f
SHA256

6c77bf7ca5b7bb5ce7e926e8981600f7c9fda533bbbf5df1a544c37d892948bd
SHA512

06dff3810cf41bc72187aee8c0ca817a0590f5bec523db0adda2e64c3e45dc754762576b37b41c21d4b7e37da36aa75969d561809c2e233bff8adb3f299519bd
SSDEEP

6291456:68BnEZsQe41dIIdVAUnRYJHqxVHerMSlcF8aLPIY7hcU6T8V7:0M4zIWVAVkKraLIYr6AV7

Score

10^/10

purplefox discovery persistence privilege_escalation rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/files/0x000500000001945c-73.dat	purplefox_rootkit
behavioral1/memory/2192-82-0x0000000000230000-0x000000000050D000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

down.exe

description	pid	Process	procid_target
PID 2756 set thread context of 2192	2756	down.exe	40

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Program Files (x86)\WeChatSetup\WeChatSetup\WeChatSetup\WeChatSetup.exe	msiexec.exe
File created	C:\Program Files (x86)\WeChatSetup\WeChatSetup\WeChatSetup\setup_gf-1.6.6.10622.exe	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76f01a.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76f019.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE8D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF24B.tmp	msiexec.exe
File created	C:\Windows\Installer\f76f01a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4AC.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76f019.msi	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

down.exedown.exeWeChatSetup.exe

pid	Process
2756	down.exe
792	down.exe
696	WeChatSetup.exe

Loads dropped DLL 34 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exedown.exedown.exeWerFault.exeWeChatSetup.exe

pid	Process
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
1760	MsiExec.exe
1792	MsiExec.exe
1792	MsiExec.exe
1792	MsiExec.exe
2756	down.exe
2756	down.exe
2756	down.exe
2756	down.exe
2756	down.exe
792	down.exe
792	down.exe
792	down.exe
792	down.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
2708	MsiExec.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
1508	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exeMsiExec.exeWeChatSetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeChatSetup.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msiexec.exeMsiExec.exeWeChatSetup.exe

pid	Process
2796	msiexec.exe
2796	msiexec.exe
1792	MsiExec.exe
1792	MsiExec.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe
696	WeChatSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	Process
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1508	msiexec.exe
Token: SeLockMemoryPrivilege	1508	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1508	msiexec.exe
Token: SeMachineAccountPrivilege	1508	msiexec.exe
Token: SeTcbPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeLoadDriverPrivilege	1508	msiexec.exe
Token: SeSystemProfilePrivilege	1508	msiexec.exe
Token: SeSystemtimePrivilege	1508	msiexec.exe
Token: SeProfSingleProcessPrivilege	1508	msiexec.exe
Token: SeIncBasePriorityPrivilege	1508	msiexec.exe
Token: SeCreatePagefilePrivilege	1508	msiexec.exe
Token: SeCreatePermanentPrivilege	1508	msiexec.exe
Token: SeBackupPrivilege	1508	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeShutdownPrivilege	1508	msiexec.exe
Token: SeDebugPrivilege	1508	msiexec.exe
Token: SeAuditPrivilege	1508	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1508	msiexec.exe
Token: SeChangeNotifyPrivilege	1508	msiexec.exe
Token: SeRemoteShutdownPrivilege	1508	msiexec.exe
Token: SeUndockPrivilege	1508	msiexec.exe
Token: SeSyncAgentPrivilege	1508	msiexec.exe
Token: SeEnableDelegationPrivilege	1508	msiexec.exe
Token: SeManageVolumePrivilege	1508	msiexec.exe
Token: SeImpersonatePrivilege	1508	msiexec.exe
Token: SeCreateGlobalPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	1508	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
1508	msiexec.exe
1508	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

msiexec.exeMsiExec.exedown.exedown.exe

description	pid	Process	procid_target
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 2708	2796	msiexec.exe	31
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1760	2796	msiexec.exe	36
PID 2796 wrote to memory of 1792	2796	msiexec.exe	37
PID 2796 wrote to memory of 1792	2796	msiexec.exe	37
PID 2796 wrote to memory of 1792	2796	msiexec.exe	37
PID 2796 wrote to memory of 1792	2796	msiexec.exe	37
PID 2796 wrote to memory of 1792	2796	msiexec.exe	37
PID 1792 wrote to memory of 2756	1792	MsiExec.exe	38
PID 1792 wrote to memory of 2756	1792	MsiExec.exe	38
PID 1792 wrote to memory of 2756	1792	MsiExec.exe	38
PID 2756 wrote to memory of 792	2756	down.exe	39
PID 2756 wrote to memory of 792	2756	down.exe	39
PID 2756 wrote to memory of 792	2756	down.exe	39
PID 2756 wrote to memory of 2192	2756	down.exe	40
PID 2756 wrote to memory of 2192	2756	down.exe	40
PID 2756 wrote to memory of 2192	2756	down.exe	40
PID 2756 wrote to memory of 2192	2756	down.exe	40
PID 792 wrote to memory of 1700	792	down.exe	41
PID 792 wrote to memory of 1700	792	down.exe	41
PID 792 wrote to memory of 1700	792	down.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\vvmchet-windovv.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71A8B18C2905DF868EDCD727F87419CC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1295186B232CEE94E19D5C7F4FCB717
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1760
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 96A7D00F1FF024335110998856DDA484
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\down.exe
    C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\\down.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\down.exe
      C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\down.exe /aut
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:792
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 792 -s 96
        5⤵
        Loads dropped DLL
        
        PID:1700
  - - C:\Windows\system32\colorcpl.exe
      colorcpl.exe
      4⤵
      PID:2192

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2696

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "000000000000048C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2176

C:\Program Files (x86)\WeChatSetup\WeChatSetup\WeChatSetup\WeChatSetup.exe
"C:\Program Files (x86)\WeChatSetup\WeChatSetup\WeChatSetup\WeChatSetup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76f01b.rbs

Filesize
27KB

MD5
2559bb137dad3a24fa5ae6e328e7348e

SHA1
a08c66a8c711c45090c3387c74e83835def4332e

SHA256
d97dcf7fb6dd4f950f9baf05a8e2e1a79ccd8b8651513341307400bbb97eaece

SHA512
df2dfa9f28900ac140380ccf24c9938dedce8e377fe269f9dffea6286c3ff0c6690918ae109750bc831b630236be47723a752bf3bea50499f77eae0cf1aac0ec

Download Submit
C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\aut.png

Filesize
1.3MB

MD5
51698f9d781f9ba83b9d1896f047b666

SHA1
5e28f766d10af39ec28f46f20a8d047474135923

SHA256
300776a76cf4faaa2ef0d0928adf0bb9621ae486e316f81af8d71719d9f413cb

SHA512
cee9cb3c89b0a7defdc5cc61acc479f94a3e29556c9fec5ede12997cee8b67e780af443fae1f81399274e0602ac9102521e6389422ec9ede49e23647a256e952

Download Submit
C:\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\view.png

Filesize
2.5MB

MD5
16feaeba569c71a83a099bcdbc3da361

SHA1
907314e8b8a9b8a61e7eea9af1c466a0e60abb97

SHA256
ddf4875f5190ee8f64bf0851675df3ce6c5fb4580422187d704823f762fd733a

SHA512
318259c5b317972f1a17cf4717d3d332fd380cecb393312a04f4829b18b90362ec097b13fd3901788440d800dc7f26d30777ed5f418572aa2d39534478cd00c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI93B7.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSIFE8D.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
C:\users\public\documents\all.zip

Filesize
2.5MB

MD5
30bcd4bbebd8869e3c9d45ab6ccc569b

SHA1
61d6f3c40bf0e79c9014fcd56b9fa15f815ff0b2

SHA256
603842b9178b255b621e0b0983d6223c94594732544396c3db695c9e26628ed2

SHA512
660213e9178b4856e7c985e8f4e73f20d7de5bd5480ae0c587ffb8cc6172e1ea7e325b8844816f91a235e5ad83cd501d6bc9b0d76d1e9f8352d0b8856d126765

Download Submit
\Users\Admin\9EB5C47D-9C58-457A-AAD2-0000B6A2B1D7\down.exe

Filesize
1.2MB

MD5
524b5640571507a6440ad71d9ba74742

SHA1
ac4e6c573b079abdd824b87d61f2c39d81c43afb

SHA256
e0a6674160fb7d16d76a75c8cc17e867c28cd0767d696a814c1d1b70740392f4

SHA512
4e21c02fb6323821c76c9bfab550f30864e594b96040be9139e87cfc53e38f3a8ffbea98e06757db22492d8a68f5d7f6c8aec74d41e449c3dab73add3184b251

Download Submit
\Users\Admin\AppData\Local\Temp\nst93B9.tmp\FindProcDLL.dll

Filesize
492KB

MD5
633625aa3be670a515fa87ff3a566d90

SHA1
de035c083125aef5df0a55c153ef6cc4dd4c15b4

SHA256
bda8e0ddb672ea3558ad68634c49da06cd72f93d7fca642ca41df00e26512df1

SHA512
3c687ddf0e4e93a6787a23a93e2011df42898f6d21101c848a1b7c7bd2eddd5d49fdd0748e47e6235e7808596d00a1ecf79b5c975d050dd8d00a95f515a444a9

Download Submit
\Users\Admin\AppData\Local\Temp\nst93B9.tmp\System.dll

Filesize
11KB

MD5
ca332bb753b0775d5e806e236ddcec55

SHA1
f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f

SHA256
df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d

SHA512
2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

Download Submit
\Users\Admin\AppData\Local\Temp\nst93B9.tmp\WeChatInstallDll.dll

Filesize
3.6MB

MD5
866e9f64fd4728713e26be6efe9cbe66

SHA1
b101fe142eac64faf5505706d98b8b9bfa6d4f14

SHA256
0639f2dcd62ff118f25dcb50eb1ceb4bda12ba5bef1c6e5b57a5b764142d5f77

SHA512
135efc4992be5fde78d3423cf6eaa955e2940307cb27958f74e65a32e9b0642c398c530cdc3c4d877db04eeb021261ca477088cb6fc24189552db659258d27fc

Download Submit
\Users\Admin\AppData\Local\Temp\nst93B9.tmp\nsInstallAssist.dll

Filesize
192KB

MD5
28b411f3793dbcb81d6f3d3b0527cdba

SHA1
7614310be1231850e811a818f58ee8b54ae9ceaf

SHA256
0281e384c94cad29fd8279c1855f671c2dd1f7772cf5645f573dd1df2b3bd127

SHA512
e5c9f21e9838eca54a8ededb1bf279453e116b6cde629a75ad057b6438deec6bcacf6e27a81c8aa0fc732f26dc28cee7a006ba6d68c08846b92937e388349d78

Download Submit
memory/696-118-0x0000000006D80000-0x0000000006E2B000-memory.dmp

Filesize
684KB

Download
memory/696-119-0x0000000006D80000-0x0000000006E2B000-memory.dmp

Filesize
684KB

Download
memory/696-140-0x0000000006D80000-0x0000000006E2B000-memory.dmp

Filesize
684KB

Download
memory/696-147-0x0000000006D80000-0x0000000006E2B000-memory.dmp

Filesize
684KB

Download
memory/696-154-0x0000000006D80000-0x0000000006E2B000-memory.dmp

Filesize
684KB

Download
memory/696-167-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/1792-50-0x0000000002580000-0x0000000003580000-memory.dmp

Filesize
16.0MB

Download
memory/2192-82-0x0000000000230000-0x000000000050D000-memory.dmp

Filesize
2.9MB

Download
memory/2192-79-0x0000000000230000-0x000000000050D000-memory.dmp

Filesize
2.9MB

Download
memory/2708-99-0x0000000000360000-0x0000000000362000-memory.dmp

Filesize
8KB

Download