purplefox | 9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2

Analysis

max time kernel
147s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2.msi
Size

72.5MB
MD5

0582fe0c2148ce8bd5147fb693fcd960
SHA1

02b41250310a884183e40a6c8deafd79767598de
SHA256

9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2
SHA512

5e11202d0c9d3364999eed294b29e42eefcea390556243e8daeda5ef4c5bc6a7a76903c0fd454c2ac9818c9f27bbcabceaf7c56e42c86eab09964e65ad70579c
SSDEEP

1572864:CMBHZT3KoUdum8uI/b3BxxSWmEcGB6SxhZt3kDpXMKFzMR7KJDj7o:CMV5Ko0NIjBv2Sxzt0Dp8oz1Dj7

Score

10^/10

purplefox discovery persistence privilege_escalation rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/files/0x0005000000019605-72.dat	purplefox_rootkit
behavioral1/memory/2392-80-0x00000000000F0000-0x00000000003CD000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2392	1668	down.exe	40

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe	msiexec.exe
File created	C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\SCREENCAP_1.1.1.5_zzpdf.exe	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f772157.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI230C.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI21C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f772157.ipi	msiexec.exe
File created	C:\Windows\Installer\f772156.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f772156.msi	msiexec.exe

Executes dropped EXE 4 IoCs

pid	Process
1668	down.exe
2828	down.exe
1064	tsetup-x64.5.7.2.exe
2580	tsetup-x64.5.7.2.tmp

Loads dropped DLL 25 IoCs

pid	Process
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
2816	MsiExec.exe
1756	MsiExec.exe
1048	MsiExec.exe
1048	MsiExec.exe
1048	MsiExec.exe
1668	down.exe
1668	down.exe
1668	down.exe
1668	down.exe
1668	down.exe
2828	down.exe
2828	down.exe
2828	down.exe
2828	down.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
3024	WerFault.exe
2816	MsiExec.exe
1064	tsetup-x64.5.7.2.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2564	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup-x64.5.7.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup-x64.5.7.2.tmp

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1772	msiexec.exe
1772	msiexec.exe
1048	MsiExec.exe
1048	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2564	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeSecurityPrivilege	1772	msiexec.exe
Token: SeCreateTokenPrivilege	2564	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2564	msiexec.exe
Token: SeLockMemoryPrivilege	2564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2564	msiexec.exe
Token: SeMachineAccountPrivilege	2564	msiexec.exe
Token: SeTcbPrivilege	2564	msiexec.exe
Token: SeSecurityPrivilege	2564	msiexec.exe
Token: SeTakeOwnershipPrivilege	2564	msiexec.exe
Token: SeLoadDriverPrivilege	2564	msiexec.exe
Token: SeSystemProfilePrivilege	2564	msiexec.exe
Token: SeSystemtimePrivilege	2564	msiexec.exe
Token: SeProfSingleProcessPrivilege	2564	msiexec.exe
Token: SeIncBasePriorityPrivilege	2564	msiexec.exe
Token: SeCreatePagefilePrivilege	2564	msiexec.exe
Token: SeCreatePermanentPrivilege	2564	msiexec.exe
Token: SeBackupPrivilege	2564	msiexec.exe
Token: SeRestorePrivilege	2564	msiexec.exe
Token: SeShutdownPrivilege	2564	msiexec.exe
Token: SeDebugPrivilege	2564	msiexec.exe
Token: SeAuditPrivilege	2564	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2564	msiexec.exe
Token: SeChangeNotifyPrivilege	2564	msiexec.exe
Token: SeRemoteShutdownPrivilege	2564	msiexec.exe
Token: SeUndockPrivilege	2564	msiexec.exe
Token: SeSyncAgentPrivilege	2564	msiexec.exe
Token: SeEnableDelegationPrivilege	2564	msiexec.exe
Token: SeManageVolumePrivilege	2564	msiexec.exe
Token: SeImpersonatePrivilege	2564	msiexec.exe
Token: SeCreateGlobalPrivilege	2564	msiexec.exe
Token: SeCreateTokenPrivilege	2564	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2564	msiexec.exe
Token: SeLockMemoryPrivilege	2564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2564	msiexec.exe
Token: SeMachineAccountPrivilege	2564	msiexec.exe
Token: SeTcbPrivilege	2564	msiexec.exe
Token: SeSecurityPrivilege	2564	msiexec.exe
Token: SeTakeOwnershipPrivilege	2564	msiexec.exe
Token: SeLoadDriverPrivilege	2564	msiexec.exe
Token: SeSystemProfilePrivilege	2564	msiexec.exe
Token: SeSystemtimePrivilege	2564	msiexec.exe
Token: SeProfSingleProcessPrivilege	2564	msiexec.exe
Token: SeIncBasePriorityPrivilege	2564	msiexec.exe
Token: SeCreatePagefilePrivilege	2564	msiexec.exe
Token: SeCreatePermanentPrivilege	2564	msiexec.exe
Token: SeBackupPrivilege	2564	msiexec.exe
Token: SeRestorePrivilege	2564	msiexec.exe
Token: SeShutdownPrivilege	2564	msiexec.exe
Token: SeDebugPrivilege	2564	msiexec.exe
Token: SeAuditPrivilege	2564	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2564	msiexec.exe
Token: SeChangeNotifyPrivilege	2564	msiexec.exe
Token: SeRemoteShutdownPrivilege	2564	msiexec.exe
Token: SeUndockPrivilege	2564	msiexec.exe
Token: SeSyncAgentPrivilege	2564	msiexec.exe
Token: SeEnableDelegationPrivilege	2564	msiexec.exe
Token: SeManageVolumePrivilege	2564	msiexec.exe
Token: SeImpersonatePrivilege	2564	msiexec.exe
Token: SeCreateGlobalPrivilege	2564	msiexec.exe
Token: SeCreateTokenPrivilege	2564	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2564	msiexec.exe
2564	msiexec.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 2816	1772	msiexec.exe	32
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1756	1772	msiexec.exe	36
PID 1772 wrote to memory of 1048	1772	msiexec.exe	37
PID 1772 wrote to memory of 1048	1772	msiexec.exe	37
PID 1772 wrote to memory of 1048	1772	msiexec.exe	37
PID 1772 wrote to memory of 1048	1772	msiexec.exe	37
PID 1772 wrote to memory of 1048	1772	msiexec.exe	37
PID 1048 wrote to memory of 1668	1048	MsiExec.exe	38
PID 1048 wrote to memory of 1668	1048	MsiExec.exe	38
PID 1048 wrote to memory of 1668	1048	MsiExec.exe	38
PID 1668 wrote to memory of 2828	1668	down.exe	39
PID 1668 wrote to memory of 2828	1668	down.exe	39
PID 1668 wrote to memory of 2828	1668	down.exe	39
PID 1668 wrote to memory of 2392	1668	down.exe	40
PID 1668 wrote to memory of 2392	1668	down.exe	40
PID 1668 wrote to memory of 2392	1668	down.exe	40
PID 1668 wrote to memory of 2392	1668	down.exe	40
PID 2828 wrote to memory of 3024	2828	down.exe	41
PID 2828 wrote to memory of 3024	2828	down.exe	41
PID 2828 wrote to memory of 3024	2828	down.exe	41
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43
PID 1064 wrote to memory of 2580	1064	tsetup-x64.5.7.2.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D7C0223320C0240EE954968700A8DC C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EC7CFC1635EA3DF593B0E81AA57769F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1756
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 39B612A0A4DB1189C25ED04056ABAD46
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\down.exe
    C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\\down.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\down.exe
      C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\down.exe /aut
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2828 -s 96
        5⤵
        Loads dropped DLL
        
        PID:3024
  - - C:\Windows\system32\colorcpl.exe
      colorcpl.exe
      4⤵
      PID:2392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2200

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "00000000000003E8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2440

C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe
"C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\is-UP5H3.tmp\tsetup-x64.5.7.2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UP5H3.tmp\tsetup-x64.5.7.2.tmp" /SL5="$60194,45215887,814592,C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f772158.rbs

Filesize
27KB

MD5
6c288a2cf1a5646c7134bc0d2955f01e

SHA1
92686e0c64cee68914ff8a257f8fb7714f0d14de

SHA256
f941d6a55e43b02f8e6ab96d456098cb4813123915730cf57657163670042caa

SHA512
87c6194d5f8ee9f7cd0511b31918d0e585283e1d40e82b308e0ff8de617e6aa7899fb977dfa7bb33dbf46aab25a5cec3b75ddd986c5251a7fcadfbc46067f07e

Download Submit
C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe

Filesize
44.0MB

MD5
b74ac113cdbdd62f48cb78c5980861fb

SHA1
ecd94979f9b7184b8a7c48bfa07dc84e05f03169

SHA256
7a33e0508780f503568a0d6c06280de946d85d66173f18c307236b09df81ba6a

SHA512
0194d62a41ac4eff452c597c2e22eb27886abeb681479c00c10f3338d4a8696871715a0963987e8e7496671e572df6c70d722ecacad4a528a1eed11acc90ee5d

Download Submit
C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\aut.png

Filesize
1.3MB

MD5
51698f9d781f9ba83b9d1896f047b666

SHA1
5e28f766d10af39ec28f46f20a8d047474135923

SHA256
300776a76cf4faaa2ef0d0928adf0bb9621ae486e316f81af8d71719d9f413cb

SHA512
cee9cb3c89b0a7defdc5cc61acc479f94a3e29556c9fec5ede12997cee8b67e780af443fae1f81399274e0602ac9102521e6389422ec9ede49e23647a256e952

Download Submit
C:\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\view.png

Filesize
2.5MB

MD5
16feaeba569c71a83a099bcdbc3da361

SHA1
907314e8b8a9b8a61e7eea9af1c466a0e60abb97

SHA256
ddf4875f5190ee8f64bf0851675df3ce6c5fb4580422187d704823f762fd733a

SHA512
318259c5b317972f1a17cf4717d3d332fd380cecb393312a04f4829b18b90362ec097b13fd3901788440d800dc7f26d30777ed5f418572aa2d39534478cd00c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEB78.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI27AF.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
C:\users\public\documents\all.zip

Filesize
2.5MB

MD5
30bcd4bbebd8869e3c9d45ab6ccc569b

SHA1
61d6f3c40bf0e79c9014fcd56b9fa15f815ff0b2

SHA256
603842b9178b255b621e0b0983d6223c94594732544396c3db695c9e26628ed2

SHA512
660213e9178b4856e7c985e8f4e73f20d7de5bd5480ae0c587ffb8cc6172e1ea7e325b8844816f91a235e5ad83cd501d6bc9b0d76d1e9f8352d0b8856d126765

Download Submit
\Users\Admin\4871C664-C94F-4779-9774-000090C99E13\down.exe

Filesize
1.2MB

MD5
524b5640571507a6440ad71d9ba74742

SHA1
ac4e6c573b079abdd824b87d61f2c39d81c43afb

SHA256
e0a6674160fb7d16d76a75c8cc17e867c28cd0767d696a814c1d1b70740392f4

SHA512
4e21c02fb6323821c76c9bfab550f30864e594b96040be9139e87cfc53e38f3a8ffbea98e06757db22492d8a68f5d7f6c8aec74d41e449c3dab73add3184b251

Download Submit
\Users\Admin\AppData\Local\Temp\is-UP5H3.tmp\tsetup-x64.5.7.2.tmp

Filesize
3.0MB

MD5
0801bad9497c7c91e30748f8483dbd01

SHA1
fc9c3e236f5735479e9ca2f561fff08e66a406d4

SHA256
ed0952742269da0b4419f176d4eac44a4aebd1fb26e91bc628cda7b40d752c21

SHA512
59c1828e99b59a7d71961280e785e1fe3c804b02467372cf4a2b8804b58075f8eb135dcf79d0a2e112befca14fb91615f39ac9113ff78f539cb1af6dd86e0ae2

Download Submit
memory/1048-50-0x0000000002520000-0x0000000003520000-memory.dmp

Filesize
16.0MB

Download
memory/1064-108-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/1064-116-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2392-78-0x00000000000F0000-0x00000000003CD000-memory.dmp

Filesize
2.9MB

Download
memory/2392-80-0x00000000000F0000-0x00000000003CD000-memory.dmp

Filesize
2.9MB

Download
memory/2580-117-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/2816-106-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download