Overview

overview

10

Static

static

1

d829e97999...a1.msi

windows7-x64

10

d829e97999...a1.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d829e97999e1fb03880dc321b0a331937e18b9aa0ee08ca3ab189ce8f410cba1.msi

  • Size

    88.1MB

  • MD5

    35e04cd304b5cb510dd3e0ad154811bc

  • SHA1

    cee9a92ad938ff9e3074356ced22c30bf3902378

  • SHA256

    d829e97999e1fb03880dc321b0a331937e18b9aa0ee08ca3ab189ce8f410cba1

  • SHA512

    be40162927e06e071dac23c057afbeb7c33c64b433fb1445ba73da5f656f09aa97c2e95798be4b5b19f964803fb7942a34e58222c9823a890f8e890af4538354

  • SSDEEP

    1572864:gMDsZW2KfoM2J0s2nMqZ5Nhy+cWev3mZuHshbCLPyZAoOw8mMvxIQPm0MVp0:FIZW2KQWntH6+cXvjKbCLPyWol8myxh/

Score
10/10
purplefoxdiscoverypersistenceprivilege_escalationrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d829e97999e1fb03880dc321b0a331937e18b9aa0ee08ca3ab189ce8f410cba1.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3228
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7163EE3EF8546FF40B734B294C89ED2D C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3052
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3580
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding F86FEC627C1831085CB988F2FE079CCE
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3660
      • C:\Windows\System32\MsiExec.exe
        C:\Windows\System32\MsiExec.exe -Embedding 7714F9134C8372732540F05870520A12
        2⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\down.exe
          C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\\down.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\down.exe
            C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\down.exe /aut
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1764
          • C:\Windows\system32\colorcpl.exe
            colorcpl.exe
            4⤵
            • Enumerates connected drives
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3792
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\{AC43DBE5-7AF6-4f1d-A1B4-85D71322A6E1}.exe
      "C:\Users\Admin\AppData\Local\Temp\{AC43DBE5-7AF6-4f1d-A1B4-85D71322A6E1}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{E30EC9C6-3FE6-414f-A792-EBA8F26474A0}"
      1⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4564
    • C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe
      "C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4592
    • C:\Users\Admin\AppData\Local\Temp\{E8C71A8C-D249-43ba-B7A8-13E83719E603}.exe
      "C:\Users\Admin\AppData\Local\Temp\{E8C71A8C-D249-43ba-B7A8-13E83719E603}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{89F662C1-EA32-4a43-A3D0-A1FC00DBEB80}"
      1⤵
      • Adds Run key to start application
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:384

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57c8cf.rbs
      Filesize

      27KB

      MD5

      f8851f38adb00adbed9153d1c68ee105

      SHA1

      b6bbd13bc7a6b5edd43c50717f60b68c4ac1ceec

      SHA256

      b6661443f716c85a27c0376388af916d3122618cb1b134740cc6c264e2006460

      SHA512

      849d9aa696c590b4456f3be348eb6fafe3ad035304e9b0d08394b050d29066df164364e93ca3813ebc46ece9eb01619b0cc7c3ca109c2cc6115701d86161c681

      Download Submit

    • C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe
      Filesize

      1004KB

      MD5

      587e3bc21efaf428c87331decc9bfeb3

      SHA1

      a5b8ebeab4e3968673a61a95350b7f0bf60d7459

      SHA256

      b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120

      SHA512

      ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\MSVCP140.dll
      Filesize

      613KB

      MD5

      c1b066f9e3e2f3a6785161a8c7e0346a

      SHA1

      8b3b943e79c40bc81fdac1e038a276d034bbe812

      SHA256

      99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

      SHA512

      36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\VCRUNTIME140.dll
      Filesize

      116KB

      MD5

      e9b690fbe5c4b96871214379659dd928

      SHA1

      c199a4beac341abc218257080b741ada0fadecaf

      SHA256

      a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

      SHA512

      00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\aut.png
      Filesize

      1.3MB

      MD5

      84e23f7b2db9b51553ea2a8206d70fc8

      SHA1

      58a3f8f377dbad922e36dfeebc7cc326fa3e7053

      SHA256

      1e7d360137b895d1be8f15487f5820da68180f92e2d361b8898d0aac657ff5dd

      SHA512

      4a7a6ea0b76c703dd7e90dfab8e6adc3be9dedbb3a36b2d8286b0d9881989e5e121af94e2ab3f7bb71abe623d8df25a0bd87fab1ff067159af020b2a211aef32

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\down.exe
      Filesize

      485KB

      MD5

      6cc1f95584aaac98297fa906248af081

      SHA1

      641c2c14a994768b6b4b6812dfb4df671af0887d

      SHA256

      5d19450428b7fcda6100ea2c564e576141de595d41aa1508512d0bf4be9f7de6

      SHA512

      0c4f4bc39c22f7b01fbfcf396f134ab9d4901a730980c7cbb0af22855b9af88b0fa6d23797dcbecf53c75e98d4e97b274124a1ce11963e75323d149d81eb147b

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\vcruntime140_1.dll
      Filesize

      48KB

      MD5

      eb49c1d33b41eb49dfed58aafa9b9a8f

      SHA1

      61786eb9f3f996d85a5f5eea4c555093dd0daab6

      SHA256

      6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

      SHA512

      d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

      Download Submit

    • C:\Users\Admin\17396D6B-7129-45CA-A553-0000E8BF821D\view.png
      Filesize

      2.5MB

      MD5

      83f5fa7aa542e81c5fd6ddb7f54decd9

      SHA1

      90f1a86891b0b94f4453a741ab0ab65f884980b2

      SHA256

      d4ca48dd50757bc200f38062b7766930cfe848f3ca93bd188f5a172c5f0661fe

      SHA512

      174d691cd475c89ecf42dc8e6a469beac6e36fd588ef307b24fc8a6ceef434d8ed8b58078ca476e496af17d680d46527f7b86d1d2a1f9dda909bd614a44784df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI7C06.tmp
      Filesize

      557KB

      MD5

      db7612f0fd6408d664185cfc81bef0cb

      SHA1

      19a6334ec00365b4f4e57d387ed885b32aa7c9aa

      SHA256

      e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

      SHA512

      25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      970B

      MD5

      7b60f2ed6972da1816407f24ca44f22c

      SHA1

      efe10a42030cf9f19e4c2c046afc8b19bf9774cf

      SHA256

      1c44aa4da4dd9eb829f7bd3b047963c8433d84a61dc641cac7c799a00ed64f26

      SHA512

      b2e8a04b2b138102db481a6cc5ece359f813442c867e6692f19b90298d7e428c8677fc0359b91c1444eaef6341506fa3d4430c78fe1d7413ac1b1065c9853c7e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      1KB

      MD5

      aee3a9aa9562489d93cd74d3bad9dd41

      SHA1

      469f108c2eaaadf601e16c12a71783f506fe570f

      SHA256

      35403d68c69e9e2bf73076c3426cda8a74771679a56ffd973049383a7326cb72

      SHA512

      8585f52bb88e1d5e758031fead32cc7f069524018b0ac879614be401e19fbd9b8f0cc42edd1ad33520070c7dafdb377d2127f036aa57280d5253385192d57ee0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini
      Filesize

      2KB

      MD5

      ff0c7c2667dff4f3ed588f40d047c642

      SHA1

      1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

      SHA256

      02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

      SHA512

      539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{89F662C1-EA32-4a43-A3D0-A1FC00DBEB80}
      Filesize

      196B

      MD5

      3d5dc1dad2aadf224a4e5f463934bbe1

      SHA1

      c893b53f2f785c7cbf253d8d84e4d631d676a234

      SHA256

      c4060b913cd450c70310dd2b2f6ed2c2c91f881ca50ed5fcd4d6b12f6de04270

      SHA512

      587f8c5ac52eeb2df6f726955c033206c260ee9f6aabee75e967032785c69cd218c472ebb5efa53c89f57d71123c735079598f11bb43ed54d01e1d0e135fed42

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{AC43DBE5-7AF6-4f1d-A1B4-85D71322A6E1}.exe
      Filesize

      1.0MB

      MD5

      217dc98e219a340cb09915244c992a52

      SHA1

      a04f101ca7180955d62e4a1aaeccdcca489209da

      SHA256

      27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

      SHA512

      dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{E30EC9C6-3FE6-414f-A792-EBA8F26474A0}
      Filesize

      164B

      MD5

      81a71f6feec26723958f2364a4f1aefe

      SHA1

      3d4605cfd771aedb8ba51389074a60e5a38775ad

      SHA256

      f244b12a1e911c84dcfea45a49885cf48307d2ddc4c1ac7c1aa21bc310bebd80

      SHA512

      84f9f20e3a381f1c3cafce07bdfeffd77e19bf0007245e95a80a97fa71e16d877e12ec8d57e8a9e60d008e08b38c9fd670f5374a058980f019590ed1dafd59c5

      Download Submit

    • C:\Windows\Installer\MSICFE6.tmp
      Filesize

      25KB

      MD5

      81902d13c01fd8a187f3a7f2b72d5dd0

      SHA1

      0ac01518c5588eb2788730c78f0c581f79cf2ed4

      SHA256

      eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

      SHA512

      04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

      Download Submit

    • C:\users\public\documents\all.zip
      Filesize

      2.2MB

      MD5

      da9b9ecb94e94c9613ec172ea7007ab1

      SHA1

      a2555d77b987bd13774af837c8298bf541089a0e

      SHA256

      60af8c6099d8996f540b4cf125d142f57a4727f8f8f32e868e253fbd51ae3831

      SHA512

      5f62765f66569085aab29c05a5b3d9f16805a002ac917c1a96d98f775c943f11ba8c0f66be18fb20eaea59c3fe809289dfbbbfe907b35ca9585af04570dc33f4

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      509d6a9c942846be08f56d85dac137bd

      SHA1

      4e65ebbb96ad7815d034e3fe4594f1fd4ce8666c

      SHA256

      6581a17e25c21af2ea9f9dbc5a56618dbe0c0ba964b531a44d5a318c27f21fdc

      SHA512

      80c83b92311721c0c8dd637305f7bdb7262b42924de5a9d7ef871c568c8be69f21dc0cf107a1ed345ca36213d1657e3d5b68f526e98bd2cae9260c85f3efa319

      Download Submit

    • \??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d484ec1c-11c8-4a35-a873-34c546bbd850}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      ede183e66c571161233951aa3c86d503

      SHA1

      4d996bc5cb5d031474faa4bc5c3d696ba5d1bd42

      SHA256

      476eb477846e214183054b7d4e1e8be7aa8c835fca0b11fac44bfea4a524985b

      SHA512

      e9dfaebbaf621eb65023e4839425c477c69fe4aeb17014551e1ce893a6202ef00a8adcabf68bd47322fc335eb4315768d7175af93c36d9bf1e7b02cfea07a8b8

      Download Submit

    • memory/3792-85-0x000001A9AA230000-0x000001A9AA50D000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3792-84-0x000001A9AA230000-0x000001A9AA50D000-memory.dmp

      Filesize

      2.9MB

      Download