Analysis
max time kernel: 156s
max time network: 167s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2022 17:11
Static task: static1
Behavioral task: behavioral1
Sample: 123.exe
Resource: win7-20220715-en
General
Target: 123.exe
Size: 1.3MB
MD5: 5da8ec7f8cabbbc9ca59b5da5ef84f62
SHA1: c83f88a94ff54d35dd7b2823437c2f9ff5a55e3b
SHA256: f67a41e2609e49ffcd1922c9a892c44c3e9af7c68539c1c3ee6b6fdbedc3d437
SHA512: a241324f31f3c3773243513b55fd553503e12ed510401a8fec0ccaee81a0ccda262181f2367f9bc911b89076022f60584e3f6ac44bdc79d8127dd25fd62092aa
Malware Config
Signatures

YARA rule purplefox_rootkit matched
Processes:
resource | yara_rule
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 7 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

Executes dropped EXE 5 IoCs
Processes:
pid | process
1552 | RVN.exe
2008 | HD_123.exe
1192 | TXPlatforn.exe
1768 | gaccwq.exe
996 | TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
YARA rule upx matched
Processes:
resource | yara_rule
behavioral1/memory/1552-67-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp | upx

Loads dropped DLL 4 IoCs
Processes:
pid | process
1500 | 123.exe
1500 | 123.exe
1500 | 123.exe
1192 | TXPlatforn.exe

Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe

Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 123.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 123.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 123.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 123.exe

Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\gaccwq.exe | HD_123.exe
File opened for modification | C:\Windows\gaccwq.exe | HD_123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | HD_123.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | HD_123.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
pid | process
1500 | 123.exe
2008 | HD_123.exe (51 identical entries)

Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
996 | TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 1552 | RVN.exe
Token: SeLoadDriverPrivilege | 996 | TXPlatforn.exe
Token: 33 | 996 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 996 | TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1500 | 123.exe
1500 | 123.exe

Suspicious use of WriteProcessMemory 26 IoCs
Processes (identical entries collapsed, with counts):
description | pid | process | target process
PID 1500 wrote to memory of 1552 | 1500 | 123.exe | RVN.exe (x7)
PID 1500 wrote to memory of 2008 | 1500 | 123.exe | HD_123.exe (x4)
PID 1552 wrote to memory of 572 | 1552 | RVN.exe | cmd.exe (x4)
PID 1192 wrote to memory of 996 | 1192 | TXPlatforn.exe | TXPlatforn.exe (x7)
PID 572 wrote to memory of 320 | 572 | cmd.exe | PING.EXE (x4)
Processes (process tree; indentation shows the parent/child level)

C:\Users\Admin\AppData\Local\Temp\123.exe  [level 1]
  command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RVN.exe  [level 2]
    command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [level 3]
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  [level 4]
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\HD_123.exe  [level 2]
    command line: C:\Users\Admin\AppData\Local\Temp\HD_123.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\TXPlatforn.exe  [level 1]
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatforn.exe  [level 2]
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\gaccwq.exe  [level 1]
  command line: C:\Windows\gaccwq.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files (duplicate entries collapsed; the same files were also listed without the drive letter)

C:\Users\Admin\AppData\Local\Temp\HD_123.exe and C:\Windows\gaccwq.exe (identical hashes)
Filesize: 200KB
MD5: c67c0f6bb7eb9ac1f98fd48403448762
SHA1: faf03b7fb6ce1c3b1b2702d5827dfb1d48700437
SHA256: ec5f8eb2eab51124736d78c433a7726b2a52489e76ceab2cc924e68c67eff83b
SHA512: 0f4664b3c49e81f5521fc6b2c48723dea94711a1bc0400a6e18b101c5bf3c59b4bac7899d9d3758934091645beaea140df174c06ba53ab479d2b3e75bd880890

C:\Users\Admin\AppData\Local\Temp\RVN.exe and C:\Windows\SysWOW64\TXPlatforn.exe (identical hashes)
Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
Memory dumps (filename | filesize)
memory/320-95-0x0000000000000000-mapping.dmp
memory/572-81-0x0000000000000000-mapping.dmp
memory/996-86-0x0000000000000000-mapping.dmp
memory/996-96-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/996-94-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1192-90-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1192-83-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1500-54-0x00000000768C1000-0x00000000768C3000-memory.dmp | 8KB
memory/1552-67-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1552-70-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1552-69-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/1552-56-0x0000000000000000-mapping.dmp
memory/1552-73-0x0000000010000000-0x00000000101B6000-memory.dmp | 1.7MB
memory/2008-63-0x0000000010000000-0x000000001000F000-memory.dmp | 60KB
memory/2008-60-0x0000000000000000-mapping.dmp