purplefox | e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Size

91.4MB
MD5

b73e545012c78e7e864318eb0278d0a9
SHA1

a325f1c94ae4df3fbbc48b52098db2f5581d9fde
SHA256

e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470
SHA512

bad9c93d1ca13c38f1bc109ed3f4515acf9fbaa56db45cd5559207a000b2e23b06a4b00ed0595114cbbe99f6c9ffca55d5f09b43b4ff36b449c62b8af7727fb7
SSDEEP

1572864:fkMDsZW2KfoM2J0s2nMqZ5Nhy+cWev3mZuHshbCLPyZAoOw8mMvxIQPm0MVp0TC:fhIZW2KQWntH6+cXvjKbCLPyWol8myxI

Score

10^/10

purplefox discovery persistence rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c57-104.dat	purplefox_rootkit
behavioral2/memory/4260-109-0x00000165E51B0000-0x00000165E548D000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Executes dropped EXE 5 IoCs

Processes:

down.exedown.exe{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exeLineInst.exe

pid	Process
448	down.exe
856	down.exe
932	{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe
2728	{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe
2756	LineInst.exe

Loads dropped DLL 23 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exedown.exedown.exe

pid	Process
3852	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
2028	MsiExec.exe
3868	MsiExec.exe
3868	MsiExec.exe
3868	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
448	down.exe
448	down.exe
448	down.exe
448	down.exe
448	down.exe
448	down.exe
856	down.exe
856	down.exe
856	down.exe
856	down.exe
2028	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service = "C:\\programdata\\Mylnk\\down.lnk"	{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdeta_Service = "C:\\Users\\Admin\\E9CA7A18-0CB4-4658-A115-0000E6E72777\\down.exe"	{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exemsiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\W:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\M:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\O:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\Y:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\Z:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\U:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\X:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\I:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\S:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\V:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
File opened (read-only)	\??\K:	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

down.exe

description	pid	Process	procid_target
PID 448 set thread context of 4260	448	down.exe	113

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description	ioc	Process
File created	C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\1000417_baidusem_bianfengguandan.exe	msiexec.exe
File created	C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9F5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e57d949.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d949.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4F12484A-4ABC-4123-9154-7CE914A61D47}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE37D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE776.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MsiExec.exemsiexec.exeMsiExec.exeMsiExec.exe{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exeLineInst.exee9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LineInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 1 IoCs

Processes:

{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\EditFlags = "1733058969"	{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeMsiExec.exe

pid	Process
4148	msiexec.exe
4148	msiexec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exee9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe

description	pid	Process
Token: SeSecurityPrivilege	4148	msiexec.exe
Token: SeCreateTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeAssignPrimaryTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeLockMemoryPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeIncreaseQuotaPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeMachineAccountPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeTcbPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSecurityPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeTakeOwnershipPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeLoadDriverPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemProfilePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemtimePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeProfSingleProcessPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeIncBasePriorityPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreatePagefilePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreatePermanentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeBackupPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeRestorePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeShutdownPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeDebugPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeAuditPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemEnvironmentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeChangeNotifyPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeRemoteShutdownPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeUndockPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSyncAgentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeEnableDelegationPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeManageVolumePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeImpersonatePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreateGlobalPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreateTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeAssignPrimaryTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeLockMemoryPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeIncreaseQuotaPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeMachineAccountPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeTcbPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSecurityPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeTakeOwnershipPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeLoadDriverPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemProfilePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemtimePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeProfSingleProcessPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeIncBasePriorityPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreatePagefilePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreatePermanentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeBackupPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeRestorePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeShutdownPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeDebugPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeAuditPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSystemEnvironmentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeChangeNotifyPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeRemoteShutdownPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeUndockPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeSyncAgentPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeEnableDelegationPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeManageVolumePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeImpersonatePrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreateGlobalPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeCreateTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeAssignPrimaryTokenPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeLockMemoryPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeIncreaseQuotaPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
Token: SeMachineAccountPrivilege	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exemsiexec.exe

pid	Process
4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
1940	msiexec.exe
1940	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

msiexec.exee9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exeMsiExec.exedown.exe

description	pid	Process	procid_target
PID 4148 wrote to memory of 3852	4148	msiexec.exe	85
PID 4148 wrote to memory of 3852	4148	msiexec.exe	85
PID 4148 wrote to memory of 3852	4148	msiexec.exe	85
PID 4704 wrote to memory of 1940	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe	86
PID 4704 wrote to memory of 1940	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe	86
PID 4704 wrote to memory of 1940	4704	e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe	86
PID 4148 wrote to memory of 2028	4148	msiexec.exe	87
PID 4148 wrote to memory of 2028	4148	msiexec.exe	87
PID 4148 wrote to memory of 2028	4148	msiexec.exe	87
PID 4148 wrote to memory of 2688	4148	msiexec.exe	106
PID 4148 wrote to memory of 2688	4148	msiexec.exe	106
PID 4148 wrote to memory of 3868	4148	msiexec.exe	109
PID 4148 wrote to memory of 3868	4148	msiexec.exe	109
PID 4148 wrote to memory of 3868	4148	msiexec.exe	109
PID 4148 wrote to memory of 5036	4148	msiexec.exe	110
PID 4148 wrote to memory of 5036	4148	msiexec.exe	110
PID 5036 wrote to memory of 448	5036	MsiExec.exe	111
PID 5036 wrote to memory of 448	5036	MsiExec.exe	111
PID 448 wrote to memory of 856	448	down.exe	112
PID 448 wrote to memory of 856	448	down.exe	112
PID 448 wrote to memory of 4260	448	down.exe	113
PID 448 wrote to memory of 4260	448	down.exe	113
PID 448 wrote to memory of 4260	448	down.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe
"C:\Users\Admin\AppData\Local\Temp\e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\LineInstaller\LineInstaller 1.0.0\install\LineInstaller.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\e9a400053daab4a54640be4d6d76ef3fccfcef0d55ebd937595e8d2f24c57470.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1732818321 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 341C86387620B385A50D00EB2D635CB1 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 296D3E61C4FC2FEC2A64D623E6693F41 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2028
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C09289C7846A498B85E7B7F3E8D47C43
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3868
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 56365CDF7A935D90DEEC958E25C189E8
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\down.exe
    C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\\down.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\down.exe
      C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\down.exe /aut
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:856
  - - C:\Windows\system32\colorcpl.exe
      colorcpl.exe
      4⤵
      PID:4260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4716

C:\Users\Admin\AppData\Local\Temp\{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe
"C:\Users\Admin\AppData\Local\Temp\{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{03FBE12E-7B67-486a-9335-46D9C943C154}"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:932

C:\Users\Admin\AppData\Local\Temp\{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe
"C:\Users\Admin\AppData\Local\Temp\{543CC638-F20A-4fb7-8D5D-853E2F52B797}.exe" /s "C:\Users\Admin\AppData\Local\Temp\{24E4E18F-BFC7-432c-BFCD-67A858F89702}"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2728

C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe
"C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d94a.rbs

Filesize
27KB

MD5
3a335026bb42d33405c757dd29f3731a

SHA1
bd092ccf0456fa0b836c4e504046ac2dd05c41b0

SHA256
f4d8e2876e34aa499e0a4cb92f1b87b89296d71f0fcde90aa174379513d39408

SHA512
b7dd7ffff71d995ce9b3e1d852c7802f8b910941a05d6030cabf516a0f070d4b14c5743eb52b9dc5e32eff9a8f803f813dc801829fa1173ae851582a242fb528

Download Submit
C:\Program Files (x86)\LineInstaller\LineInstaller\LineInstaller\LineInst.exe

Filesize
1004KB

MD5
587e3bc21efaf428c87331decc9bfeb3

SHA1
a5b8ebeab4e3968673a61a95350b7f0bf60d7459

SHA256
b931c5686cc09b2183bba197dc151b8e95ca6151e39fb98954352340c0b31120

SHA512
ffae2dab5caf16dc7dfd0a97a8ff6349a466bc57ee043d1ac4d53e011498e39b9a855295d10207ba578c6857abebd445d378e83aa2ff6ec247713d81b370d0ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8D0E.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegWorkshop.ini

Filesize
2KB

MD5
ff0c7c2667dff4f3ed588f40d047c642

SHA1
1162c83bd0bb0d81b7ab7f616cb012b790aa4adf

SHA256
02af5cb061fd8075e9475c45ab20e86cf2bb4ca9511ddad348645ed5183b9fc7

SHA512
539b1d443232758b6c60a287f2a40200e6e3ba7353f11f18e29ba265c9569a4610e4a80910f79660368a916576ab9c486efa248bf3257e522ef5bfb3d42ef3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{03FBE12E-7B67-486a-9335-46D9C943C154}

Filesize
164B

MD5
81a71f6feec26723958f2364a4f1aefe

SHA1
3d4605cfd771aedb8ba51389074a60e5a38775ad

SHA256
f244b12a1e911c84dcfea45a49885cf48307d2ddc4c1ac7c1aa21bc310bebd80

SHA512
84f9f20e3a381f1c3cafce07bdfeffd77e19bf0007245e95a80a97fa71e16d877e12ec8d57e8a9e60d008e08b38c9fd670f5374a058980f019590ed1dafd59c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{24E4E18F-BFC7-432c-BFCD-67A858F89702}

Filesize
196B

MD5
bcdec035cf03638965007d9480cb8b2f

SHA1
83f1e711bd57ca71cae83d00fba147df5142e284

SHA256
f6377f168ebd29bcb3d7092ae0e0767530914fed1c3ad5d98ec13f5c15c34503

SHA512
963d704e96c0a9ad0e0a3c4320e627bd0389b2f033e3811ef9f29a273f0e38b1d14c2ca161c3c427b01324c58eb2129be07b0b1d6d8cca1077f55cf041c2fafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{482A507F-0BDA-46ca-9A08-135E3FDC59F0}.exe

Filesize
1.0MB

MD5
217dc98e219a340cb09915244c992a52

SHA1
a04f101ca7180955d62e4a1aaeccdcca489209da

SHA256
27c8bd76150ddda5b09d6db11f67269cee2eecac345df67f93aab3e3aaabde7c

SHA512
dddc15992533c8c13000163c7dd59b20e2fbdedbf611338c04f6f9209ec1a95d1f93aaeeae2778890214d333320978f5d2554348722ea6c8489320f0ef1c4c85

Download Submit
C:\Users\Admin\AppData\Roaming\LineInstaller\LineInstaller 1.0.0\install\LineInstaller.msi

Filesize
1.6MB

MD5
c8952ee0f2d8e2536b32f5f7b9016939

SHA1
766314c8ddf6af6300ada6a851dd08cdeb766692

SHA256
3978074552fe6129d679141188d1d1e61e149dd6c23df3a198ef5db9bf349743

SHA512
b65caddfc3b10d489e28ca6b6de08e2cbc8c05aadaa8784a77ad2a1f34367b91f8115263e4c085b7f8be22b2be7ea44b0e6c6c6da7665c164b6f6919c3cbd2cf

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\aut.png

Filesize
1.3MB

MD5
84e23f7b2db9b51553ea2a8206d70fc8

SHA1
58a3f8f377dbad922e36dfeebc7cc326fa3e7053

SHA256
1e7d360137b895d1be8f15487f5820da68180f92e2d361b8898d0aac657ff5dd

SHA512
4a7a6ea0b76c703dd7e90dfab8e6adc3be9dedbb3a36b2d8286b0d9881989e5e121af94e2ab3f7bb71abe623d8df25a0bd87fab1ff067159af020b2a211aef32

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\down.exe

Filesize
485KB

MD5
6cc1f95584aaac98297fa906248af081

SHA1
641c2c14a994768b6b4b6812dfb4df671af0887d

SHA256
5d19450428b7fcda6100ea2c564e576141de595d41aa1508512d0bf4be9f7de6

SHA512
0c4f4bc39c22f7b01fbfcf396f134ab9d4901a730980c7cbb0af22855b9af88b0fa6d23797dcbecf53c75e98d4e97b274124a1ce11963e75323d149d81eb147b

Download Submit
C:\Users\Admin\E9CA7A18-0CB4-4658-A115-0000E6E72777\view.png

Filesize
2.5MB

MD5
83f5fa7aa542e81c5fd6ddb7f54decd9

SHA1
90f1a86891b0b94f4453a741ab0ab65f884980b2

SHA256
d4ca48dd50757bc200f38062b7766930cfe848f3ca93bd188f5a172c5f0661fe

SHA512
174d691cd475c89ecf42dc8e6a469beac6e36fd588ef307b24fc8a6ceef434d8ed8b58078ca476e496af17d680d46527f7b86d1d2a1f9dda909bd614a44784df

Download Submit
C:\Windows\Installer\MSIDB10.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSIE776.tmp

Filesize
25KB

MD5
81902d13c01fd8a187f3a7f2b72d5dd0

SHA1
0ac01518c5588eb2788730c78f0c581f79cf2ed4

SHA256
eef31e9195cfacde7b4e7eb7384c8178d8811063b375fd4a28ae897cc180c6a6

SHA512
04d6e2e937328477803084e0ef9da2c3636cdc9d34af74e2d1871d7190be21cbb2771ae835175e104e24eccba52add1ba6f58407bfd522ef82b81d76e977f24c

Download Submit
C:\users\public\documents\all.zip

Filesize
2.2MB

MD5
da9b9ecb94e94c9613ec172ea7007ab1

SHA1
a2555d77b987bd13774af837c8298bf541089a0e

SHA256
60af8c6099d8996f540b4cf125d142f57a4727f8f8f32e868e253fbd51ae3831

SHA512
5f62765f66569085aab29c05a5b3d9f16805a002ac917c1a96d98f775c943f11ba8c0f66be18fb20eaea59c3fe809289dfbbbfe907b35ca9585af04570dc33f4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2d5d550d9322d7a166cbcb0f4a24207d

SHA1
9e7a050bbff13e890f37a276524fdd1a102adf69

SHA256
dcd49c42a03b535fdb1442addee63301e383ae73d66f84daed37ffe1abfe7711

SHA512
fa670b9cc3d7854511a34839bdd643709793779b9959959f6af4ada480d3b5267b2fa5222cb827f66343a02f851429184b061f9f9a62a153f8da4a718fb63fc8

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{91395bed-0bf2-48c0-8e17-5af0d2b39353}_OnDiskSnapshotProp

Filesize
6KB

MD5
8e3c7c75adb08c0fb1f54d333f981212

SHA1
7c53b23bba34e4254b9df37b611414c2cd3079fe

SHA256
e1f8e9382bc2c5449a96ff41bf4acdcf4d6e4d5a3e280fc0cef20f9296a3e9e9

SHA512
3124ef5f8a6a90da9da33a5b1c3cdd298670ce034e7f5c59b8159219dfc0cf1adb7d3eda00591d358d10dcabfe8421e89800e4cc0c9a241caed49939e3c4cc15

Download Submit
memory/4260-109-0x00000165E51B0000-0x00000165E548D000-memory.dmp

Filesize
2.9MB

Download