purplefox | 1f8bd3be8998046f4d49d6a7a2f8e13980de241fdb0c4c8b3c2de467fb425461

Analysis

max time kernel
91s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f8bd3be8998046f4d49d6a7a2f8e13980de241fdb0c4c8b3c2de467fb425461.msi
Size

88.1MB
MD5

9b6d3f468e121e147da06c5fa36c48a4
SHA1

72f49dd62358b63bcec6b7f8d6ddb297890ae9de
SHA256

1f8bd3be8998046f4d49d6a7a2f8e13980de241fdb0c4c8b3c2de467fb425461
SHA512

4faa2ecab2359a7eda3124fdebb0b567ff236333cb7d7f98dd0bd23077249ca17aea01eed0827b89740e7f8764e9eb02b99001ac2d498c8072ebc14a130eb81a
SSDEEP

1572864:NB9nyr53s/zJIWTcBlboCqFM1YZO4gOwexegi0vq3ZCUiLe2GK8uq8iZFnH:Nnnyr5c5cPM1M1GOcAgi0vqpCZLeVKUb

Score

10^/10

purplefox discovery persistence privilege_escalation rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/files/0x0007000000023c97-79.dat	purplefox_rootkit
behavioral2/memory/4348-85-0x000002A255D50000-0x000002A25602D000-memory.dmp	purplefox_rootkit
behavioral2/memory/4348-86-0x000002A255D50000-0x000002A25602D000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\down.lnk"	{08546478-4617-4f64-9C60-C92C137BA983}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdeta_Service = "C:\\Users\\Admin\\C81E917F-6650-42C6-9B7E-0000077849AE\\down.exe"	{418804CB-A512-466a-A250-3976DC967973}.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	colorcpl.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	colorcpl.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	colorcpl.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	colorcpl.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	colorcpl.exe
File opened (read-only)	\??\Q:	colorcpl.exe
File opened (read-only)	\??\W:	colorcpl.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	colorcpl.exe
File opened (read-only)	\??\N:	colorcpl.exe
File opened (read-only)	\??\O:	colorcpl.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	colorcpl.exe
File opened (read-only)	\??\T:	colorcpl.exe
File opened (read-only)	\??\K:	colorcpl.exe
File opened (read-only)	\??\L:	colorcpl.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	colorcpl.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	colorcpl.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	colorcpl.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	colorcpl.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	colorcpl.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	colorcpl.exe
File opened (read-only)	\??\Y:	colorcpl.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	colorcpl.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 672 set thread context of 4348	672	down.exe	112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\1000417_baidusem_bianfengguandan.exe	msiexec.exe
File created	C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f879.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4F12484A-4ABC-4123-9154-7CE914A61D47}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f879.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF935.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
672	down.exe
512	down.exe
2388	{08546478-4617-4f64-9C60-C92C137BA983}.exe
1736	{418804CB-A512-466a-A250-3976DC967973}.exe
3352	LineInst.exe

Loads dropped DLL 20 IoCs

pid	Process
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
2520	MsiExec.exe
5028	MsiExec.exe
5028	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
672	down.exe
672	down.exe
672	down.exe
672	down.exe
672	down.exe
512	down.exe
512	down.exe
512	down.exe
512	down.exe
2520	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1096	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{08546478-4617-4f64-9C60-C92C137BA983}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{418804CB-A512-466a-A250-3976DC967973}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LineInst.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	colorcpl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	colorcpl.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1732775710"	{08546478-4617-4f64-9C60-C92C137BA983}.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4020	msiexec.exe
4020	msiexec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4896	MsiExec.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe
4348	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	4020	msiexec.exe
Token: SeCreateTokenPrivilege	1096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1096	msiexec.exe
Token: SeLockMemoryPrivilege	1096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1096	msiexec.exe
Token: SeMachineAccountPrivilege	1096	msiexec.exe
Token: SeTcbPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeLoadDriverPrivilege	1096	msiexec.exe
Token: SeSystemProfilePrivilege	1096	msiexec.exe
Token: SeSystemtimePrivilege	1096	msiexec.exe
Token: SeProfSingleProcessPrivilege	1096	msiexec.exe
Token: SeIncBasePriorityPrivilege	1096	msiexec.exe
Token: SeCreatePagefilePrivilege	1096	msiexec.exe
Token: SeCreatePermanentPrivilege	1096	msiexec.exe
Token: SeBackupPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeShutdownPrivilege	1096	msiexec.exe
Token: SeDebugPrivilege	1096	msiexec.exe
Token: SeAuditPrivilege	1096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1096	msiexec.exe
Token: SeChangeNotifyPrivilege	1096	msiexec.exe
Token: SeRemoteShutdownPrivilege	1096	msiexec.exe
Token: SeUndockPrivilege	1096	msiexec.exe
Token: SeSyncAgentPrivilege	1096	msiexec.exe
Token: SeEnableDelegationPrivilege	1096	msiexec.exe
Token: SeManageVolumePrivilege	1096	msiexec.exe
Token: SeImpersonatePrivilege	1096	msiexec.exe
Token: SeCreateGlobalPrivilege	1096	msiexec.exe
Token: SeCreateTokenPrivilege	1096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1096	msiexec.exe
Token: SeLockMemoryPrivilege	1096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1096	msiexec.exe
Token: SeMachineAccountPrivilege	1096	msiexec.exe
Token: SeTcbPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeLoadDriverPrivilege	1096	msiexec.exe
Token: SeSystemProfilePrivilege	1096	msiexec.exe
Token: SeSystemtimePrivilege	1096	msiexec.exe
Token: SeProfSingleProcessPrivilege	1096	msiexec.exe
Token: SeIncBasePriorityPrivilege	1096	msiexec.exe
Token: SeCreatePagefilePrivilege	1096	msiexec.exe
Token: SeCreatePermanentPrivilege	1096	msiexec.exe
Token: SeBackupPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeShutdownPrivilege	1096	msiexec.exe
Token: SeDebugPrivilege	1096	msiexec.exe
Token: SeAuditPrivilege	1096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1096	msiexec.exe
Token: SeChangeNotifyPrivilege	1096	msiexec.exe
Token: SeRemoteShutdownPrivilege	1096	msiexec.exe
Token: SeUndockPrivilege	1096	msiexec.exe
Token: SeSyncAgentPrivilege	1096	msiexec.exe
Token: SeEnableDelegationPrivilege	1096	msiexec.exe
Token: SeManageVolumePrivilege	1096	msiexec.exe
Token: SeImpersonatePrivilege	1096	msiexec.exe
Token: SeCreateGlobalPrivilege	1096	msiexec.exe
Token: SeCreateTokenPrivilege	1096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1096	msiexec.exe
Token: SeLockMemoryPrivilege	1096	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1096	msiexec.exe
1096	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 2520	4020	msiexec.exe	85
PID 4020 wrote to memory of 2520	4020	msiexec.exe	85
PID 4020 wrote to memory of 2520	4020	msiexec.exe	85
PID 4020 wrote to memory of 2840	4020	msiexec.exe	106
PID 4020 wrote to memory of 2840	4020	msiexec.exe	106
PID 4020 wrote to memory of 5028	4020	msiexec.exe	108
PID 4020 wrote to memory of 5028	4020	msiexec.exe	108
PID 4020 wrote to memory of 5028	4020	msiexec.exe	108
PID 4020 wrote to memory of 4896	4020	msiexec.exe	109
PID 4020 wrote to memory of 4896	4020	msiexec.exe	109
PID 4896 wrote to memory of 672	4896	MsiExec.exe	110
PID 4896 wrote to memory of 672	4896	MsiExec.exe	110
PID 672 wrote to memory of 512	672	down.exe	111
PID 672 wrote to memory of 512	672	down.exe	111
PID 672 wrote to memory of 4348	672	down.exe	112
PID 672 wrote to memory of 4348	672	down.exe	112
PID 672 wrote to memory of 4348	672	down.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1f8bd3be8998046f4d49d6a7a2f8e13980de241fdb0c4c8b3c2de467fb425461.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FD990D55E3C47F0870D4A594A962CF2A C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B8A8DA416E47B002D8C56CB97CDAC24B
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5028
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding CBAC85D398612141D32CE9B6AA75432E
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\down.exe
    C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\\down.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\down.exe
      C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\down.exe /aut
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:512
  - - C:\Windows\system32\colorcpl.exe
      colorcpl.exe
      4⤵
      Enumerates connected drives
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4468

C:\Users\Admin\AppData\Local\Temp\{08546478-4617-4f64-9C60-C92C137BA983}.exe
"C:\Users\Admin\AppData\Local\Temp\{08546478-4617-4f64-9C60-C92C137BA983}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{1BBA0BC1-1A06-48b4-AC51-0A80FC6959ED}"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2388

C:\Users\Admin\AppData\Local\Temp\{418804CB-A512-466a-A250-3976DC967973}.exe
"C:\Users\Admin\AppData\Local\Temp\{418804CB-A512-466a-A250-3976DC967973}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{99BC79D0-9C4A-4ea4-8803-3082DA6D56F1}"
1⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736

C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe
"C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f87a.rbs

Filesize
27KB

MD5
49f349e689656c7ac6b45a569f2b33d5

SHA1
b914a4a359a60905ce7ea86bee0f33d6a2b9b4ef

SHA256
488478d511aaed35d37b130c53d2c20a1875610b76ca3d12af1bb0d54f214bd4

SHA512
5ed855cf66d1867ea9af016445441734c2a436f63d0dad3159bca9a4211f9146dc0449fe9f80b7c918ad2d47eb5da63214b7f74dacb5352f9054648fb61e14f8

Download Submit
C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe

Filesize
1004KB

MD5
587e3bc21efaf428c87331decc9bfeb3

SHA1
a5b8ebeab4e3968673a61a95350b7f0bf60d7459

SHA256
b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120

SHA512
ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA306.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
594B

MD5
3bb29be2280284a7e7af08b71b38998b

SHA1
c42efc441a35fadcfb72a3a2c229a3bed279a2f3

SHA256
de25a1309710345e6b449a62da183b7caeb4c96e8dd93846c927c00ce23766e4

SHA512
31dabc533fcbb5fa059e653709d900b6d07495091f29a4ca23d0dd7f4edcf228d4b89a3ddee249a88380d4b6d71308ad619b9a82460ded343000c5a58e351eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{08546478-4617-4f64-9C60-C92C137BA983}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1BBA0BC1-1A06-48b4-AC51-0A80FC6959ED}

Filesize
164B

MD5
81a71f6feec26723958f2364a4f1aefe

SHA1
3d4605cfd771aedb8ba51389074a60e5a38775ad

SHA256
f244b12a1e911c84dcfea45a49885cf48307d2ddc4c1ac7c1aa21bc310bebd80

SHA512
84f9f20e3a381f1c3cafce07bdfeffd77e19bf0007245e95a80a97fa71e16d877e12ec8d57e8a9e60d008e08b38c9fd670f5374a058980f019590ed1dafd59c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{99BC79D0-9C4A-4ea4-8803-3082DA6D56F1}

Filesize
196B

MD5
473dd2a9eac0718f820d600d1f00ca63

SHA1
65ac8e5a6be263495172340a61fafd43acb30e00

SHA256
45f99459820690c0edfdef775e501a1523cc9cd59ed14577ddc2ae69e38d19ca

SHA512
3ed58ed45b9e3daa625896db02fc0aa0129b77ab2fa0034e81b19a4cf47dfc61246030a4344c9ce68fa7551c8167701e4f3c2e448a787a9a702802959f403c74

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\aut.png

Filesize
1.3MB

MD5
84e23f7b2db9b51553ea2a8206d70fc8

SHA1
58a3f8f377dbad922e36dfeebc7cc326fa3e7053

SHA256
1e7d360137b895d1be8f15487f5820da68180f92e2d361b8898d0aac657ff5dd

SHA512
4a7a6ea0b76c703dd7e90dfab8e6adc3be9dedbb3a36b2d8286b0d9881989e5e121af94e2ab3f7bb71abe623d8df25a0bd87fab1ff067159af020b2a211aef32

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\down.exe

Filesize
485KB

MD5
6cc1f95584aaac98297fa906248af081

SHA1
641c2c14a994768b6b4b6812dfb4df671af0887d

SHA256
5d19450428b7fcda6100ea2c564e576141de595d41aa1508512d0bf4be9f7de6

SHA512
0c4f4bc39c22f7b01fbfcf396f134ab9d4901a730980c7cbb0af22855b9af88b0fa6d23797dcbecf53c75e98d4e97b274124a1ce11963e75323d149d81eb147b

Download Submit
C:\Users\Admin\C81E917F-6650-42C6-9B7E-0000077849AE\view.png

Filesize
2.5MB

MD5
69ccda333ed744774c9bd50d48b5b060

SHA1
01c3cc0fdded504858852f2424ef5a5d12dc8043

SHA256
d6e4bf8490d85afbe02310eb09d09303cf1b53039f48278e3a6b590a704cef8d

SHA512
2d0ab98544d350cf7f3e75364572410441b98858870607e50f86f242458d9fd376700e869e8f851013cce874e220083ee9f80911bbdc223113459fc693d2eaf5

Download Submit
C:\Windows\Installer\MSI5C.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
C:\users\public\documents\all.zip

Filesize
2.2MB

MD5
f41beb301154b0d589cb8333a0cdb03c

SHA1
21d5506b72362027e208825d887da5ac56dc5382

SHA256
567c9cd73239ebc8b2de7b5dffc47abaa8331d4477ee79ba6db7d1db48ac668d

SHA512
284418382e142c7e0b091d8a8e3371d3cb8e145c186e3a67a189581e081f8e7cad7d02ac417d3db9cf8ed475b73ac8782ab05ed499d9b3c89f8061016ab7a1fc

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
6a438496510d5c2145ca027e9efeed5c

SHA1
a9fdd7e542b7d47562bb672477897e84b3a829ef

SHA256
0760e07ccd0aa6e847acbc0b1775cba65049efaa0f13ba109976ac7bd82ce6dc

SHA512
434360979fbf692f107d8046cf0a69bbb9eeb6ade123c46dec5d34229c5ffbcc984b2802406301a2788b337fc416f95b3b8c1359b7a8d9f7984d649f718b4bdc

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{93a0fa50-e484-44e4-a207-cbfdd1ce7ed1}_OnDiskSnapshotProp

Filesize
6KB

MD5
f407970f7b526a86bef1997bfabec76b

SHA1
3e0c6ef49ebd2a88034a5b0f171d6b857914c14e

SHA256
e648d841d410d74d83b47f5618fcd3d3b8b067047a35e24af2cda8a60ced786a

SHA512
01740920948ec9805a5f1750c787feb88daa5e3136b447b5c0d4f9ee05b6833e2c0cf6487eca2ea0a8f716d913f9f4d718fda7f230222f2a7ec0261022cca76a

Download Submit
memory/4348-85-0x000002A255D50000-0x000002A25602D000-memory.dmp

Filesize
2.9MB

Download
memory/4348-86-0x000002A255D50000-0x000002A25602D000-memory.dmp

Filesize
2.9MB

Download