General
-
Target
WPS_Setup.msi
-
Size
264.2MB
-
Sample
250630-yfsktassgt
-
MD5
93fff25b09ca17daab0768d4805720a9
-
SHA1
54ed82769147a141275419f335e25fa987fc10b0
-
SHA256
8742b43b7c7e15fe42455850c0482b8c36f0bf58e71fa3e95a50947ade1a89b1
-
SHA512
e90a2ec76eef11a606f2c2f90d79904b962eff1511fbc65a7e98a58c42e2961be94074b330779bdd0af8b0ba1dda7c1187ed990d6d790884aa131b181fae60a5
-
SSDEEP
6291456:Qw5RSft/Qayo3iK5t4k7sKWGY3y/P0NS4X64feR7qNzsgQVRL+S:95RaVQpo3zuGY6PUS4XwFc8U
Static task
static1
Behavioral task
behavioral1
Sample
WPS_Setup.msi
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
WPS_Setup.msi
Resource
win11-20250619-en
Malware Config
Targets
-
-
Target
WPS_Setup.msi
-
Size
264.2MB
-
MD5
93fff25b09ca17daab0768d4805720a9
-
SHA1
54ed82769147a141275419f335e25fa987fc10b0
-
SHA256
8742b43b7c7e15fe42455850c0482b8c36f0bf58e71fa3e95a50947ade1a89b1
-
SHA512
e90a2ec76eef11a606f2c2f90d79904b962eff1511fbc65a7e98a58c42e2961be94074b330779bdd0af8b0ba1dda7c1187ed990d6d790884aa131b181fae60a5
-
SSDEEP
6291456:Qw5RSft/Qayo3iK5t4k7sKWGY3y/P0NS4X64feR7qNzsgQVRL+S:95RaVQpo3zuGY6PUS4XwFc8U
-
Gh0st RAT payload
-
Gh0strat family
-
Purplefox family
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Modify Registry
4Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1