gh0strat | e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ggggugeliulanqGoogle1217.msi
Size

54.3MB
MD5

afbf73c1469b3641f62cccb2b0bb178a
SHA1

633fd0c782856aba35f718c6806a8693fc2a5689
SHA256

e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6
SHA512

b92be4412e560f3103252a98371c9e0b1a5fde0aaa1016a146988dd0a34acd7d8f43aefcfdd6dd4d53c6058ff5a2b649ae35402996a3b4db2557b010923eaa6b
SSDEEP

786432:kErzXzCnli5q0Nl+nIgX9mt9Pfn8qjeoiMyIDbbLJsaC+lLft7NmkudZ0/4YTx6V:RrvCnMjkmjfn8qjem6Rat7b4kl/F0

Score

10^/10

gh0strat purplefox aspackv2 discovery persistence privilege_escalation rat rootkit spyware stealer trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1016-91-0x0000000002050000-0x00000000021F1000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/1016-91-0x0000000002050000-0x00000000021F1000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001a459-77.dat	aspack_v212_v242

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	NtHandleCallback.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	NtHandleCallback.exe
File opened (read-only)	\??\U:	NtHandleCallback.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	NtHandleCallback.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	NtHandleCallback.exe
File opened (read-only)	\??\J:	NtHandleCallback.exe
File opened (read-only)	\??\R:	NtHandleCallback.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	NtHandleCallback.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	NtHandleCallback.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	NtHandleCallback.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	NtHandleCallback.exe
File opened (read-only)	\??\T:	NtHandleCallback.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	NtHandleCallback.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	NtHandleCallback.exe
File opened (read-only)	\??\L:	NtHandleCallback.exe
File opened (read-only)	\??\W:	NtHandleCallback.exe
File opened (read-only)	\??\Y:	NtHandleCallback.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	NtHandleCallback.exe
File opened (read-only)	\??\X:	NtHandleCallback.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
2296	tasklist.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f7931f9.msi	msiexec.exe
File created	C:\Windows\Installer\f7931fa.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3785.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7931fa.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7931f9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI340B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1652	Google.exe
928	DingTalk.exe
1072	kail.exe
1016	NtHandleCallback.exe
1464	setup.exe
1624	setup.exe
3056	setup.exe

Loads dropped DLL 15 IoCs

pid	Process
2772	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
972	MsiExec.exe
2772	MsiExec.exe
2772	MsiExec.exe
928	DingTalk.exe
928	DingTalk.exe
1900	cmd.exe
1900	cmd.exe
1900	cmd.exe
1016	NtHandleCallback.exe
1900	cmd.exe
1464	setup.exe
1624	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1276	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DingTalk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NtHandleCallback.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NtHandleCallback.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	NtHandleCallback.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2088	timeout.exe
1576	timeout.exe
688	timeout.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2160	msiexec.exe
2160	msiexec.exe
928	DingTalk.exe
928	DingTalk.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
1016	NtHandleCallback.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe
928	DingTalk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	2160	msiexec.exe
Token: SeTakeOwnershipPrivilege	2160	msiexec.exe
Token: SeSecurityPrivilege	2160	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1276	msiexec.exe
Token: SeLockMemoryPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeMachineAccountPrivilege	1276	msiexec.exe
Token: SeTcbPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeLoadDriverPrivilege	1276	msiexec.exe
Token: SeSystemProfilePrivilege	1276	msiexec.exe
Token: SeSystemtimePrivilege	1276	msiexec.exe
Token: SeProfSingleProcessPrivilege	1276	msiexec.exe
Token: SeIncBasePriorityPrivilege	1276	msiexec.exe
Token: SeCreatePagefilePrivilege	1276	msiexec.exe
Token: SeCreatePermanentPrivilege	1276	msiexec.exe
Token: SeBackupPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeDebugPrivilege	1276	msiexec.exe
Token: SeAuditPrivilege	1276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1276	msiexec.exe
Token: SeChangeNotifyPrivilege	1276	msiexec.exe
Token: SeRemoteShutdownPrivilege	1276	msiexec.exe
Token: SeUndockPrivilege	1276	msiexec.exe
Token: SeSyncAgentPrivilege	1276	msiexec.exe
Token: SeEnableDelegationPrivilege	1276	msiexec.exe
Token: SeManageVolumePrivilege	1276	msiexec.exe
Token: SeImpersonatePrivilege	1276	msiexec.exe
Token: SeCreateGlobalPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1276	msiexec.exe
Token: SeLockMemoryPrivilege	1276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1276	msiexec.exe
Token: SeMachineAccountPrivilege	1276	msiexec.exe
Token: SeTcbPrivilege	1276	msiexec.exe
Token: SeSecurityPrivilege	1276	msiexec.exe
Token: SeTakeOwnershipPrivilege	1276	msiexec.exe
Token: SeLoadDriverPrivilege	1276	msiexec.exe
Token: SeSystemProfilePrivilege	1276	msiexec.exe
Token: SeSystemtimePrivilege	1276	msiexec.exe
Token: SeProfSingleProcessPrivilege	1276	msiexec.exe
Token: SeIncBasePriorityPrivilege	1276	msiexec.exe
Token: SeCreatePagefilePrivilege	1276	msiexec.exe
Token: SeCreatePermanentPrivilege	1276	msiexec.exe
Token: SeBackupPrivilege	1276	msiexec.exe
Token: SeRestorePrivilege	1276	msiexec.exe
Token: SeShutdownPrivilege	1276	msiexec.exe
Token: SeDebugPrivilege	1276	msiexec.exe
Token: SeAuditPrivilege	1276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1276	msiexec.exe
Token: SeChangeNotifyPrivilege	1276	msiexec.exe
Token: SeRemoteShutdownPrivilege	1276	msiexec.exe
Token: SeUndockPrivilege	1276	msiexec.exe
Token: SeSyncAgentPrivilege	1276	msiexec.exe
Token: SeEnableDelegationPrivilege	1276	msiexec.exe
Token: SeManageVolumePrivilege	1276	msiexec.exe
Token: SeImpersonatePrivilege	1276	msiexec.exe
Token: SeCreateGlobalPrivilege	1276	msiexec.exe
Token: SeCreateTokenPrivilege	1276	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1276	msiexec.exe
1276	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 2772	2160	msiexec.exe	30
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2160 wrote to memory of 972	2160	msiexec.exe	34
PID 2772 wrote to memory of 1652	2772	MsiExec.exe	35
PID 2772 wrote to memory of 1652	2772	MsiExec.exe	35
PID 2772 wrote to memory of 1652	2772	MsiExec.exe	35
PID 2772 wrote to memory of 1652	2772	MsiExec.exe	35
PID 1652 wrote to memory of 928	1652	Google.exe	36
PID 1652 wrote to memory of 928	1652	Google.exe	36
PID 1652 wrote to memory of 928	1652	Google.exe	36
PID 1652 wrote to memory of 928	1652	Google.exe	36
PID 928 wrote to memory of 1900	928	DingTalk.exe	37
PID 928 wrote to memory of 1900	928	DingTalk.exe	37
PID 928 wrote to memory of 1900	928	DingTalk.exe	37
PID 928 wrote to memory of 1900	928	DingTalk.exe	37
PID 1900 wrote to memory of 2296	1900	cmd.exe	39
PID 1900 wrote to memory of 2296	1900	cmd.exe	39
PID 1900 wrote to memory of 2296	1900	cmd.exe	39
PID 1900 wrote to memory of 2296	1900	cmd.exe	39
PID 1900 wrote to memory of 436	1900	cmd.exe	40
PID 1900 wrote to memory of 436	1900	cmd.exe	40
PID 1900 wrote to memory of 436	1900	cmd.exe	40
PID 1900 wrote to memory of 436	1900	cmd.exe	40
PID 1900 wrote to memory of 2088	1900	cmd.exe	42
PID 1900 wrote to memory of 2088	1900	cmd.exe	42
PID 1900 wrote to memory of 2088	1900	cmd.exe	42
PID 1900 wrote to memory of 2088	1900	cmd.exe	42
PID 1900 wrote to memory of 1072	1900	cmd.exe	43
PID 1900 wrote to memory of 1072	1900	cmd.exe	43
PID 1900 wrote to memory of 1072	1900	cmd.exe	43
PID 1900 wrote to memory of 1072	1900	cmd.exe	43
PID 1900 wrote to memory of 1576	1900	cmd.exe	44
PID 1900 wrote to memory of 1576	1900	cmd.exe	44
PID 1900 wrote to memory of 1576	1900	cmd.exe	44
PID 1900 wrote to memory of 1576	1900	cmd.exe	44
PID 1900 wrote to memory of 1016	1900	cmd.exe	46
PID 1900 wrote to memory of 1016	1900	cmd.exe	46
PID 1900 wrote to memory of 1016	1900	cmd.exe	46
PID 1900 wrote to memory of 1016	1900	cmd.exe	46
PID 1900 wrote to memory of 688	1900	cmd.exe	47
PID 1900 wrote to memory of 688	1900	cmd.exe	47
PID 1900 wrote to memory of 688	1900	cmd.exe	47
PID 1900 wrote to memory of 688	1900	cmd.exe	47
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1900 wrote to memory of 1464	1900	cmd.exe	48
PID 1464 wrote to memory of 1624	1464	setup.exe	49
PID 1464 wrote to memory of 1624	1464	setup.exe	49
PID 1464 wrote to memory of 1624	1464	setup.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ggggugeliulanqGoogle1217.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1276

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3133573403CE32D4AD855AD0FC59CB4E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Public\Documents\Google.exe
    "C:\Users\Public\Documents\Google.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Users\Public\Documents\main\current\DingTalk.exe
      "C:\Users\Public\Documents\main\current\DingTalk.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\\Users\\Public\\Documents\\FANG.bat
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq NtHandleCallback.exe"
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2296
      - C:\Windows\SysWOW64\find.exe
        
        find /I "NtHandleCallback.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:436
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2088
      - C:\Users\Public\Documents\WindowsData\kail.exe
        
        "C:\Users\Public\Documents\WindowsData\kail.exe" x "C:\Users\Public\Documents\WindowsData\me.key" -o"C:\Users\Public\Documents\WindowsData" -pkillstartup -y
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1072
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1576
      - C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe
        
        "C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe"
        6⤵
        Enumerates connected drives
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 1 /nobreak
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:688
      - C:\Users\Public\Documents\WindowsData\setup.exe
        
        "C:\Users\Public\Documents\WindowsData\setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\CHROME.PACKED.7Z"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=70.0.3538.110 --initial-client-data=0x134,0x13c,0x140,0x12c,0x144,0x13a6548,0x13a6558,0x13a6564
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 912027C0B7CF81298612BAB69647F8D9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2932

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D0" "00000000000003C4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7931fb.rbs

Filesize
1KB

MD5
6404c7b543b4649237992de215d8fc5c

SHA1
b127867d9268145688555b786471768c297fd85e

SHA256
87b1fa43a4afb6f8fac61ab644d122308dea3b86300ca0698a96a47f7b6606c4

SHA512
d7e3af554827519983f9e26ca2dc6aea77584fbac76556de7cdc63e6cc4d11492fb0f15d8dc13433cc73deb9c31109b0d485cf7290a5659aad00d57b08c6499a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8102.tmp

Filesize
79KB

MD5
9a4968fe67c177850163deafec64d0a6

SHA1
15b3f837c4f066cface8b3535a88523d20e5ca5c

SHA256
441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

SHA512
256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

Download Submit
C:\Users\Public\Documents\FANG.bat

Filesize
2KB

MD5
ae2fd0aba2183a123c840c0afd0551c4

SHA1
05b11a559798fb6c6b39079608dcb9c7c0d32580

SHA256
f6608b596458955ae7feba0b192b31fe6e2f1fbe8fb6dafb5843339ac7bb966f

SHA512
77991355217dadbe04bf98a4d655bcf2576f3960a98467a1f6710180bc11d56558e406c1aa74525a67b4bb1cdc2d54c57d27e41202f3450c3ee2ccc02f1493aa

Download Submit
C:\Users\Public\Documents\Google.exe

Filesize
3.9MB

MD5
627e4a4ff89ecb9fd9c812a8d86b28c3

SHA1
0a8fffcf73bdcb8e0305225c9fcdf73947c59954

SHA256
2bd7ca5ee774736af3c23d30c400b416d6ac41fc814d6f9f239eb1e7be599eb3

SHA512
1f393b4e7ae4b26fb7bc094049983cc6a2d68f6ba99cc1ccf77610edde2f51d9b16b76b48bdf2a65f7fe2c3da9cd33013f8565c64a40a4ac593a30ba9b8b897d

Download Submit
C:\Users\Public\Documents\WindowsData\Server.log

Filesize
1.3MB

MD5
aaba2e8d60314ca07d8b62fdfe5cc3ee

SHA1
9fa85d0832f34b0ba1a8580a074a688004f9e1fb

SHA256
886905a6cee8ae4b352e5285e9c38c6d5cdd6d2374c383b8b62e6ea5825c5c4a

SHA512
9113078dad1d225b75db60d568a2ac4402caa36d715f8aba27d37b2af4e2629c24d960a84335bd9a3d399d93eca54c84298d01d0d48ea040fd38b4e1bb2ddcf3

Download Submit
C:\Users\Public\Documents\WindowsData\WindowsPowerShell WbemScripting.SWbemLocator.vbe

Filesize
1KB

MD5
5dadb16abae0cb3b806b3f5a655ed50f

SHA1
cb0d60063c5a202cc39032889742f090bd799309

SHA256
9718211c0b0a7923aa173b10b6ebf6bd0a2a9ded3ed17e415d05292827a95a8b

SHA512
404a6de46995f659c78d541984d34e955d82fef87f757588156722dc7ed4845cc86af46191cc3ef76770ff52bf289680076d8ab21a3205c1d3f4304339007842

Download Submit
C:\Users\Public\Documents\WindowsData\kail.exe

Filesize
732KB

MD5
42e83bb2537a79b17e13dd936ec2fef4

SHA1
688ac633d0b61fd698459a55d9909164c04ef56e

SHA256
00f85beb322fe51ab3a3b88abcbbbe40f019a7ee53498e27a507da6824adaf76

SHA512
4d07e73371c4e0d24bb9a351c55e20738b61e8efd6f304ecfa1041a5d94a984a2b292648cac5bf831aba345ccf15437334fcae5c91f1032cf7385ebb3a74857c

Download Submit
C:\Users\Public\Documents\main\current\DingTalk.exe

Filesize
1.1MB

MD5
5a512d1a8eaf18c367a0c15ff11671b7

SHA1
b360a012e70d5aadc7a4687621270bb97396e3c7

SHA256
3ea37f077bdc72b4e1deccbb591bf9a319eeb2f132f067f87d7e1dd30034080e

SHA512
6309982639b05b9794183591575dd9afbd901d5aa50078db18106503520fe47ed434ca407dbcd14cbf8ec600567620e861b0e545429e9cbab9002a286ea5b693

Download Submit
\Users\Admin\AppData\Local\Temp\CR_22C84.tmp\setup.exe

Filesize
2.0MB

MD5
f4b59f1167891f6a7ec181e1aa0a8d8b

SHA1
41be9ee189473dfe82e56267a9f6594e825e8dfd

SHA256
4dead65e1a1fbac3245182c6f7b40b5c568a2a7a7fd5b3a2d642b1919dcb93ea

SHA512
f352d37a9fe278686df67f1485663110ba46535f9fd3b55867ec23a0dd5a6d64e1247bb0656470b45dc85d1d0d4bffa4ccdc296d799d7f7786f93f628b6e2ac8

Download Submit
\Users\Public\Documents\WindowsData\Irrlicht.dll

Filesize
121KB

MD5
56995ed5b0877b7c024badde6ff255de

SHA1
f33016ed1a87a8e3dfacd50740325aacfba036a8

SHA256
8c034147471bed12edcc13ed525eb17ec6b6f9197108f4d97f89fa05112499d9

SHA512
68a9ed254d394517315d4c78ecacb4079dd00c501bad3a67257b49de3c60a3de3a8d5056d0363420990e371030a9521f955405f9904448fd64f27fb2fbda8d3f

Download Submit
\Users\Public\Documents\WindowsData\NtHandleCallback.exe

Filesize
150KB

MD5
157b89f140fcdc2fa6d0990a3cf29560

SHA1
bcdfb7aaf53ca6cea2b5a75e6c398efe6eb0dab9

SHA256
63a34aaf8e991e67032e02de652f1f7a8f746a7bff5f196c507732192b6dcaf1

SHA512
26c893e50f6cade2148413ff552418c8f9fac685152b6f1916a74bd8a333cb85026a56afe1cd47e518fdc014f29779372e036a63fe102077b684ec8e6ef3341b

Download Submit
\Users\Public\Documents\WindowsData\setup.exe

Filesize
49.8MB

MD5
e5735b95f35985f9819bf8f47b857482

SHA1
9c0fd34821b004124bb97180268ba0c86feef12e

SHA256
9a59260ff9b1ac88a5c75ed77524b4dbdf24bff78ea512a7c81d39e8b694ab51

SHA512
7c6b5a216e60eb391824fb02b7a2b8c202fdcbb3d41c38cbb034dd78923a5539e900a2fac269092df487135c36eadfb79a59781ad384036224e2bbd1ec8109fa

Download Submit
\Users\Public\Documents\main\current\DataReport.dll

Filesize
128KB

MD5
a018ed8eae43df148a0e4b7e08fac02d

SHA1
eda9b1249e3c19468e128a81dcc0b4043b9de3fe

SHA256
e2e7e20adb4ce0f9ec8eabe6b651e70881cb2c83ebb5be2c681c62b53849343c

SHA512
efef4ab4fe15794977426ff793007dbd3bba09776a1e18175b73e7c52813c751bbf430cccdfebb1b8600203e51db46eb751b364b32acf6c81979b9ea41b0b374

Download Submit
\Users\Public\Documents\main\current\log2.dll

Filesize
353KB

MD5
175ea664f62cdc31949d29a9a3ecd4f2

SHA1
3b8904f28c0e36b9aab2cfeacf2516d47dd3beae

SHA256
1980bff5d376f07c7f01a6301f60d2012a90e84c2f9095ef4c1def3cbfcbe25b

SHA512
8a16e53afe3a086140887df18e7df220856935c3941bc7e4f51066898764887d1b574ee7944e3d4f71c4382b1fccdee969704a5ead0061eac603f6d8fa02e09b

Download Submit
memory/1016-78-0x00000000751B0000-0x00000000751EA000-memory.dmp

Filesize
232KB

Download
memory/1016-79-0x00000000751B0000-0x00000000751EA000-memory.dmp

Filesize
232KB

Download
memory/1016-80-0x00000000751B0000-0x00000000751EA000-memory.dmp

Filesize
232KB

Download
memory/1016-88-0x0000000010000000-0x0000000010145000-memory.dmp

Filesize
1.3MB

Download
memory/1016-91-0x0000000002050000-0x00000000021F1000-memory.dmp

Filesize
1.6MB

Download
memory/1016-127-0x00000000751B0000-0x00000000751EA000-memory.dmp

Filesize
232KB

Download
memory/1016-141-0x00000000751B0000-0x00000000751EA000-memory.dmp

Filesize
232KB

Download