Overview

overview

10

Static

static

1

9657c7e89f...b2.msi

windows7-x64

10

9657c7e89f...b2.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2024 06:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2.msi

  • Size

    72.5MB

  • MD5

    0582fe0c2148ce8bd5147fb693fcd960

  • SHA1

    02b41250310a884183e40a6c8deafd79767598de

  • SHA256

    9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2

  • SHA512

    5e11202d0c9d3364999eed294b29e42eefcea390556243e8daeda5ef4c5bc6a7a76903c0fd454c2ac9818c9f27bbcabceaf7c56e42c86eab09964e65ad70579c

  • SSDEEP

    1572864:CMBHZT3KoUdum8uI/b3BxxSWmEcGB6SxhZt3kDpXMKFzMR7KJDj7o:CMV5Ko0NIjBv2Sxzt0Dp8oz1Dj7

Score
10/10
purplefoxdiscoverypersistenceprivilege_escalationrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9657c7e89fc7dca791092e022d768bb327cd31aa0e1bf8b5f578e54aaa5931b2.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 962A8F3668521607BBFD803BA31147F3 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4480
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3816
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 37F1702DAF9417ED474F3EF3B605F4CC
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2700
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding ED96FC9B7251623FFEA2ABCC996F5003
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\down.exe
          C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\\down.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1364
          • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\down.exe
            C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\down.exe /aut
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1816
          • C:\Windows\system32\colorcpl.exe
            colorcpl.exe
            4⤵
              PID:4652
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:5084
      • C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe
        "C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Users\Admin\AppData\Local\Temp\is-EUAP1.tmp\tsetup-x64.5.7.2.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-EUAP1.tmp\tsetup-x64.5.7.2.tmp" /SL5="$1002BC,45215887,814592,C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3412

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e580461.rbs
        Filesize

        27KB

        MD5

        58ba6813fcd2238d2240bb177a6bcc3e

        SHA1

        d5762651df469caca3aa1b672824d8afee8b3bf2

        SHA256

        9bc60743b43ee38338861e37a6df0cc3f8395ba74053005ba4822a036371fe6e

        SHA512

        0b326a8a4d0193a7ffc86eac90ee871f5c03d89cd3a815c1c761d56bd465f593fb28d24930d474f334f65970604d3bdbfa9d2766892511b472668e0ae3b0b7b7

        Download Submit

      • C:\Program Files (x86)\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2\tsetup-x64.5.7.2.exe
        Filesize

        44.0MB

        MD5

        b74ac113cdbdd62f48cb78c5980861fb

        SHA1

        ecd94979f9b7184b8a7c48bfa07dc84e05f03169

        SHA256

        7a33e0508780f503568a0d6c06280de946d85d66173f18c307236b09df81ba6a

        SHA512

        0194d62a41ac4eff452c597c2e22eb27886abeb681479c00c10f3338d4a8696871715a0963987e8e7496671e572df6c70d722ecacad4a528a1eed11acc90ee5d

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\MSVCP140.dll
        Filesize

        613KB

        MD5

        c1b066f9e3e2f3a6785161a8c7e0346a

        SHA1

        8b3b943e79c40bc81fdac1e038a276d034bbe812

        SHA256

        99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

        SHA512

        36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\VCRUNTIME140.dll
        Filesize

        116KB

        MD5

        e9b690fbe5c4b96871214379659dd928

        SHA1

        c199a4beac341abc218257080b741ada0fadecaf

        SHA256

        a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

        SHA512

        00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\aut.png
        Filesize

        1.3MB

        MD5

        51698f9d781f9ba83b9d1896f047b666

        SHA1

        5e28f766d10af39ec28f46f20a8d047474135923

        SHA256

        300776a76cf4faaa2ef0d0928adf0bb9621ae486e316f81af8d71719d9f413cb

        SHA512

        cee9cb3c89b0a7defdc5cc61acc479f94a3e29556c9fec5ede12997cee8b67e780af443fae1f81399274e0602ac9102521e6389422ec9ede49e23647a256e952

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\down.exe
        Filesize

        1.2MB

        MD5

        524b5640571507a6440ad71d9ba74742

        SHA1

        ac4e6c573b079abdd824b87d61f2c39d81c43afb

        SHA256

        e0a6674160fb7d16d76a75c8cc17e867c28cd0767d696a814c1d1b70740392f4

        SHA512

        4e21c02fb6323821c76c9bfab550f30864e594b96040be9139e87cfc53e38f3a8ffbea98e06757db22492d8a68f5d7f6c8aec74d41e449c3dab73add3184b251

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\vcruntime140_1.dll
        Filesize

        48KB

        MD5

        eb49c1d33b41eb49dfed58aafa9b9a8f

        SHA1

        61786eb9f3f996d85a5f5eea4c555093dd0daab6

        SHA256

        6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

        SHA512

        d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

        Download Submit

      • C:\Users\Admin\5502DA52-0C82-4836-AFC8-0000B4427FF2\view.png
        Filesize

        2.5MB

        MD5

        16feaeba569c71a83a099bcdbc3da361

        SHA1

        907314e8b8a9b8a61e7eea9af1c466a0e60abb97

        SHA256

        ddf4875f5190ee8f64bf0851675df3ce6c5fb4580422187d704823f762fd733a

        SHA512

        318259c5b317972f1a17cf4717d3d332fd380cecb393312a04f4829b18b90362ec097b13fd3901788440d800dc7f26d30777ed5f418572aa2d39534478cd00c4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIA131.tmp
        Filesize

        557KB

        MD5

        db7612f0fd6408d664185cfc81bef0cb

        SHA1

        19a6334ec00365b4f4e57d387ed885b32aa7c9aa

        SHA256

        e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

        SHA512

        25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-EUAP1.tmp\tsetup-x64.5.7.2.tmp
        Filesize

        3.0MB

        MD5

        0801bad9497c7c91e30748f8483dbd01

        SHA1

        fc9c3e236f5735479e9ca2f561fff08e66a406d4

        SHA256

        ed0952742269da0b4419f176d4eac44a4aebd1fb26e91bc628cda7b40d752c21

        SHA512

        59c1828e99b59a7d71961280e785e1fe3c804b02467372cf4a2b8804b58075f8eb135dcf79d0a2e112befca14fb91615f39ac9113ff78f539cb1af6dd86e0ae2

        Download Submit

      • C:\Windows\Installer\MSIAEB.tmp
        Filesize

        25KB

        MD5

        81902d13c01fd8a187f3a7f2b72d5dd0

        SHA1

        0ac01518c5588eb2788730c78f0c581f79cf2ed4

        SHA256

        eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

        SHA512

        04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

        Download Submit

      • C:\users\public\documents\all.zip
        Filesize

        2.5MB

        MD5

        30bcd4bbebd8869e3c9d45ab6ccc569b

        SHA1

        61d6f3c40bf0e79c9014fcd56b9fa15f815ff0b2

        SHA256

        603842b9178b255b621e0b0983d6223c94594732544396c3db695c9e26628ed2

        SHA512

        660213e9178b4856e7c985e8f4e73f20d7de5bd5480ae0c587ffb8cc6172e1ea7e325b8844816f91a235e5ad83cd501d6bc9b0d76d1e9f8352d0b8856d126765

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        24.1MB

        MD5

        9d45f1121124599ad19ffa7a84a796e8

        SHA1

        8b68b169bfd3e47bc9c8856fa87a36e837d39c01

        SHA256

        0abb45981637f35e07a355c7e9fd934a0c844a7e0d47b5cdf98104577ef86f5f

        SHA512

        f7d5fd6847b0309626d0903b343d39ffe8c1657e4db4f4daa183d521497a31f1297763469b54c42f098f45e7b5403fdc69b2bcd9d40f8f5f7ab74c4e3785bafc

        Download Submit

      • \??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d9d011a1-688f-4da1-98a2-8c1339452680}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        d91c7c4beb18ce42d2b7728d02dfb83f

        SHA1

        34d1a41166856603cff81a4cf9fc0806515cdcb2

        SHA256

        736a79a00cd22991a771f6f1138e24ac44295d1df5ed0f85954542015592c1e6

        SHA512

        97323668d57720be9ebfc7fbac719c7482f79cac1077c0072a4a40caaee19a4bf9f5efde15f61545caafece3b24077fb6a764e52d73911053f92c497e28d45d3

        Download Submit

      • memory/3412-121-0x0000000000400000-0x0000000000710000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/4652-84-0x000001B2B8B80000-0x000001B2B8E5D000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/4656-113-0x0000000000400000-0x00000000004D4000-memory.dmp

        Filesize

        848KB

        Download

      • memory/4656-120-0x0000000000400000-0x00000000004D4000-memory.dmp

        Filesize

        848KB

        Download