Analysis

  • max time kernel
    33s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2024 01:42

Errors

Reason
Machine shutdown

General

  • Target

    20AC0B78.msi

  • Size

    1.4MB

  • MD5

    9c84926dac4e5e7037747c49f58f1724

  • SHA1

    f5695587523152a08eab8f5d11c7ab3251b107d1

  • SHA256

    ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47

  • SHA512

    6b476538935d69362089d8505203dadca4330ba112252870ab5be529ed8b40cca3beff7d27a4e59587b20dd33ff19cd177a1945a7158758d3630578c75b8f17a

  • SSDEEP

    24576:eruDXXh3j04BMeRocDP1Nxyq7KDOJjkDOk4TB4McL8dfbfr7KCN5nQ6BAMVUTH:e+Xx4i5ooIq7iOJwyZeL8dfv7jN5nQ6I

Malware Config

Signatures

  • Detect PurpleFox MSI 1 IoCs

    Detect PurpleFox MSI.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 23 IoCs
  • Loads dropped DLL 8 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20AC0B78.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1828
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCC0392E7D03D08EFCC134F81738E1B8
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2332
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 15D7CEAA59F5319156003281A3C09FBD M Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2356
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2716
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2900
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2692
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:3056
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1704
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1980
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1512
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1056
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2036
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2808
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2256
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3A77661DCE940719252A8A4DE27A532
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2204
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24DBD4A4E4B65922DC3CC58B6322B781 M Global\MSI0000
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2156
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1028
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2908
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2832
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2616
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2360
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1492
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2604
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1796
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1864
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1524
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1832
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:2952
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1308
    • C:\Windows\System32\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\20AC0B78.msi"
      1⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:612
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2624
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:3000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\f76bbd4.rbs

          Filesize

          2KB

          MD5

          edee22d9b2ab428fd43adb5553c20253

          SHA1

          9cedb7570b5616fde34b539872f7220f1c57d71f

          SHA256

          5f82516562fefd0d831b9b25d0e9243ba727fe982be4211503ab33f335799a5a

          SHA512

          2262f0aab758d49c015e88326fa139914992d391e215a89382dd36fffb6ac5c9dfdba8dc41dd192d7e09dc6dd9da6e70d6afffca0f344c6a64d34a787b11499a

        • C:\Config.Msi\f76bbd9.rbs

          Filesize

          3KB

          MD5

          180613bda29e808b7d0b99d6c0a1d812

          SHA1

          b8c03e13817d888b93b53195f225af0f40b4a175

          SHA256

          2b0b03f6a1da545e629cbc7ae8379f6085857dbebbed3ad1d9f040eadd3bfd01

          SHA512

          a4870eaa3f713a4210aff5e3d4abc1c9e9941d6ff8a109dd73214c1a6f44f662d324ff072748e3ca2cff75ee80febcf3c9983c93cebc07001fdbb5c810fa9bbc

        • C:\Windows\Installer\MSIBBEF.tmp

          Filesize

          141KB

          MD5

          4ba8ef50ce73395ad623c770c10e35a7

          SHA1

          63600584c296c0cbe1775a759c34ab384e1bbf76

          SHA256

          6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

          SHA512

          0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206

        • C:\Windows\Installer\MSIBC8D.tmp

          Filesize

          118KB

          MD5

          4b49c57cbefa1d2773da1f95338e294d

          SHA1

          108ea90d8a42cf31f7d8d7710b5fd713ca048ef9

          SHA256

          68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08

          SHA512

          42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165

        • C:\Windows\Installer\f76bbd5.msi

          Filesize

          1.4MB

          MD5

          9c84926dac4e5e7037747c49f58f1724

          SHA1

          f5695587523152a08eab8f5d11c7ab3251b107d1

          SHA256

          ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47

          SHA512

          6b476538935d69362089d8505203dadca4330ba112252870ab5be529ed8b40cca3beff7d27a4e59587b20dd33ff19cd177a1945a7158758d3630578c75b8f17a

        • C:\Windows\dbcode21mk.log

          Filesize

          466KB

          MD5

          25d7d4d9cb576fbe8312f62a3ca6befc

          SHA1

          4067cf680c452e37b247831a73bb8c3c681101de

          SHA256

          bd420aafa950d350801ae2ad331bb23167f94b710f6ef1d0d24b5c0fe76e349c

          SHA512

          c0b0105940b54862f7bf8811e1b1048ae81740d9dd84e3f93f7cc0753841d97fa1e2df27309b36b0952f264d2b9f9ce6d411be2eb4901a54ce72abdb368dbd3b

        • C:\Windows\setupact64.log

          Filesize

          385KB

          MD5

          ba8c6938aa6973e5081f48f1d61e2969

          SHA1

          5fc84fb8a1052c66c3456b39ff0b2f1ba30bac01

          SHA256

          7893c5e68ff78d76c0b4b8ba5ae2367fa9c285efe520de44ff12498ba90df5b0

          SHA512

          8bd5fd25a81fb51996bfbd07d2da4e4de83da36f2eb964dc9558522b2f5c5c1280f3c84606582cdca54c3d78ff1883b43b7c2f9c9a30b556b11f5c11e8c25ff5

        • memory/1700-58-0x0000000002640000-0x000000000270F000-memory.dmp

          Filesize

          828KB

        • memory/2204-38-0x0000000073ED0000-0x0000000073F35000-memory.dmp

          Filesize

          404KB

        • memory/2204-47-0x0000000073EF0000-0x0000000073F40000-memory.dmp

          Filesize

          320KB

        • memory/2332-5-0x0000000073ED0000-0x0000000073F35000-memory.dmp

          Filesize

          404KB

        • memory/2332-14-0x0000000073EF0000-0x0000000073F40000-memory.dmp

          Filesize

          320KB