gh0strat | f67a41e2609e49ffcd1922c9a892c44c3e9af7c68539c1c3ee6b6fdbedc3d437

Analysis

max time kernel
156s
max time network
167s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
01-08-2022 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

123.exe
Size

1.3MB
MD5

5da8ec7f8cabbbc9ca59b5da5ef84f62
SHA1

c83f88a94ff54d35dd7b2823437c2f9ff5a55e3b
SHA256

f67a41e2609e49ffcd1922c9a892c44c3e9af7c68539c1c3ee6b6fdbedc3d437
SHA512

a241324f31f3c3773243513b55fd553503e12ed510401a8fec0ccaee81a0ccda262181f2367f9bc911b89076022f60584e3f6ac44bdc79d8127dd25fd62092aa

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Executes dropped EXE 5 IoCs

Processes:

RVN.exeHD_123.exeTXPlatforn.exegaccwq.exeTXPlatforn.exe

pid process

1552 RVN.exe
2008 HD_123.exe
1192 TXPlatforn.exe
1768 gaccwq.exe
996 TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

pid	process
1552	RVN.exe
2008	HD_123.exe
1192	TXPlatforn.exe
1768	gaccwq.exe
996	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1552-67-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

123.exeTXPlatforn.exe

pid process

1500 123.exe
1500 123.exe
1500 123.exe
1192 TXPlatforn.exe
Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

123.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	123.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	123.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	123.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	123.exe

Drops file in Windows directory 2 IoCs

Processes:

HD_123.exe

description ioc process

File created C:\Windows\gaccwq.exe HD_123.exe
File opened for modification C:\Windows\gaccwq.exe HD_123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\gaccwq.exe	HD_123.exe
File opened for modification	C:\Windows\gaccwq.exe	HD_123.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_123.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

320 PING.EXE

pid	process
320	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

123.exeHD_123.exe

pid	process
1500	123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe
2008	HD_123.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

996 TXPlatforn.exe

pid	process
996	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1552	RVN.exe
Token: SeLoadDriverPrivilege	996	TXPlatforn.exe
Token: 33	996	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	996	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

123.exe

pid process

1500 123.exe
1500 123.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

123.exeRVN.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 1552	1500	123.exe	RVN.exe
PID 1500 wrote to memory of 2008	1500	123.exe	HD_123.exe
PID 1500 wrote to memory of 2008	1500	123.exe	HD_123.exe
PID 1500 wrote to memory of 2008	1500	123.exe	HD_123.exe
PID 1500 wrote to memory of 2008	1500	123.exe	HD_123.exe
PID 1552 wrote to memory of 572	1552	RVN.exe	cmd.exe
PID 1552 wrote to memory of 572	1552	RVN.exe	cmd.exe
PID 1552 wrote to memory of 572	1552	RVN.exe	cmd.exe
PID 1552 wrote to memory of 572	1552	RVN.exe	cmd.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 1192 wrote to memory of 996	1192	TXPlatforn.exe	TXPlatforn.exe
PID 572 wrote to memory of 320	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 320	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 320	572	cmd.exe	PING.EXE
PID 572 wrote to memory of 320	572	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:320

C:\Users\Admin\AppData\Local\Temp\HD_123.exe
C:\Users\Admin\AppData\Local\Temp\HD_123.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\gaccwq.exe
C:\Windows\gaccwq.exe
1⤵
- Executes dropped EXE
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_123.exe
Filesize
200KB

MD5
c67c0f6bb7eb9ac1f98fd48403448762

SHA1
faf03b7fb6ce1c3b1b2702d5827dfb1d48700437

SHA256
ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b

SHA512
0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_123.exe
Filesize
200KB

MD5
c67c0f6bb7eb9ac1f98fd48403448762

SHA1
faf03b7fb6ce1c3b1b2702d5827dfb1d48700437

SHA256
ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b

SHA512
0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
C:\Windows\gaccwq.exe
Filesize
200KB

MD5
c67c0f6bb7eb9ac1f98fd48403448762

SHA1
faf03b7fb6ce1c3b1b2702d5827dfb1d48700437

SHA256
ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b

SHA512
0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

Download Submit
\Users\Admin\AppData\Local\Temp\HD_123.exe
Filesize
200KB

MD5
c67c0f6bb7eb9ac1f98fd48403448762

SHA1
faf03b7fb6ce1c3b1b2702d5827dfb1d48700437

SHA256
ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b

SHA512
0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

Download Submit
\Users\Admin\AppData\Local\Temp\HD_123.exe
Filesize
200KB

MD5
c67c0f6bb7eb9ac1f98fd48403448762

SHA1
faf03b7fb6ce1c3b1b2702d5827dfb1d48700437

SHA256
ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b

SHA512
0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/320-95-0x0000000000000000-mapping.dmp

Download
memory/572-81-0x0000000000000000-mapping.dmp

Download
memory/996-86-0x0000000000000000-mapping.dmp

Download
memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1500-54-0x00000000768C1000-0x00000000768C3000-memory.dmp

Filesize
8KB

Download
memory/1552-67-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1552-56-0x0000000000000000-mapping.dmp

Download
memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2008-63-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2008-60-0x0000000000000000-mapping.dmp

Download