Analysis
-
max time kernel
147s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
20-10-2022 15:10
General
-
Target
3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe
-
Size
36KB
-
MD5
2e5301c5190bee4c4ea97fad9fd86003
-
SHA1
4c401e6cdf0250d68e30b5137586897a63ff629c
-
SHA256
3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207
-
SHA512
8f416ae87c4513d692c8e64e860434cece3118a635ac7187f91621da4217917886add5352ea80826d7000bdebda59ae6cbf02ee109a3b0cb3c9f7279524c1642
-
SSDEEP
384:Ew/jpHowi33kTwFJ40sBWhlabvdF2t7S9wd5ASc:/lH3i3yAJ8eMFF2pCI2
Malware Config
Signatures
-
Detect PurpleFox Rootkit 4 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
UAC bypass 3 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 3 IoCs
-
Loads dropped DLL 10 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe"C:\Users\Admin\AppData\Local\Temp\3e4ae86da25de5139204a7961c88c2496cf64a88101c2574f0ea243667691207.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /t /im dllhosts.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im dllhosts.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Public\Documents\k4.exeC:/Users/Public/Documents/k4.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Public\Documents\k4.exeC:/Users/Public/Documents/k4.exe /D2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /t /im k4.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im k4.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Documents\2022060125.vbe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"3⤵
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"2⤵
-
-
C:\Users\Public\Documents\k4.exe"C:\Users\Public\Documents\k4.exe" /E2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\system32\cmd.exe"C:\WINDOWS\system32\cmd.exe" /c ^c^M^D, , /v^:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"|,%pubLic:~ 14%MD,2⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execMD , , /v:O ,/R " , ( , (S^ET ^l^U=^-), )&(^sET N^aV=\^Public^\Docu^m^en^t)& (^s^eT ^S^m^KR=^ver)&&(, ,, , , (^sET idZ^S=cmd ^/c C:\^U^sers^\Publi^c\Do^cu) ,)&& (sE^t ^ ^5UR2=s\^unz^ip.^d^a^t -d)&&(^sET ^b^Vx=xe^ ^-^o)& ( , (^Set ^PXyG=^e^rver^^^^^^^>Se^r) )&(s^ET ^ w^GR=:\^U^sers)&( , , , , , (^SE^t G^2T=^ ), )& (^Se^T ^78=^men^ts^\un^zip.e)& (^Set B^X=^ ""%ap^pda^ta%"")& (^SEt p^1vS=P^ )&(S^et DBh^u=^^^^^^^&^e^cho ^S)&& S^ET ^u^Yw^J=""&&( , (^SET 7D3^y=^.^dll) , )& ( ,(^SET ^ ^gE=^C) , )&& ( , (SE^T ^ ^2^R^X=Start^u^p8^888 ) , , , )& , C^All,S^E^T 4Zb=%idZ^S%%^78%%^b^Vx%%G^2T%%^l^U%%p^1vS%%^2^R^X%%^gE%%w^GR%%N^aV%%^5UR2%%B^X%%DBh^u%%^PXyG%%^S^m^KR%%7D3^y%&&, , ^CaLL , , E^CHo , %4^Z^b:""^=!uY^wJ:~0, ^-1!%"3⤵
- An obfuscated cmd.exe command-line is typically used to evade detection.
-
-
C:\Windows\system32\cmd.execMD ,3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\unzip.exeC:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
-
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\dllhosts.exe"C:\Users\Public\Documents\dllhosts.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\dllhosts.exeC:\Users\Public\Documents\dllhosts.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 520 -s 603⤵
- Loads dropped DLL
- Program crash
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180B
MD5d66c7e77096d4f4c406170b6ca0ad123
SHA19bb461061c7276ebe2a493f690d72263c0da8962
SHA256cd0a0ac1315f1f473f4a42bed62fad7033fe68a3e0cf72a7b354a7e3dd78e8a8
SHA512015788021b53eb278be1238b26a01499dcb809d93ee747bc89208f8d3570a7b0b813c70ea054e70584b536da4811f0a58ef38c96a984e6b3a54654774e5c7592
-
Filesize
119KB
MD5b3e30cbd7f8042c7141a3957a33399a4
SHA11f808c68f20c396898ff95edd9fb154fc6f86840
SHA256edae6213d100b2a99079e7211adaefdd469edd0fa75b3146bd710a0aab83d833
SHA512b9061402648c1aba42665cf93a4e02d5aefe9ef5e409d21a715ae9e71ed4eb8de5c39bb3c47b69cd3b94a9a5e13e63c685c2cc92e4c4354be2cb2ade771547ff
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
Filesize
179B
MD5d569f44ce5792ee816b4182e3c7bc7da
SHA1f16a402cd6030b5c7faa5c85ade3005d66d5232a
SHA25659ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf
SHA512bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b
-
Filesize
1KB
MD5e1fafb36f4da2c3be5dc9be1ad0b9805
SHA17d64a899e0ab62f3cd6ebf5bdade782c99c00713
SHA256a862acb112f57458ad35e5e5fc90f0d270a7600af694a6b7052d161806e5dd69
SHA5125c530b09b6459f34072dfccb7ccec5cbb791fc6cdc2633993da91fbef9c4d1172aec51ace3fb3cb8ac25b6721b4e6f5f1fd1a8fac7d95abbad8f6430e4abbc3e
-
Filesize
164KB
MD575375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
Filesize
164KB
MD575375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
Filesize
2KB
MD57503a871168c07ca47a87c933f004f66
SHA1764d09fe3b1f756a467e4a96d5cc3453732c3cfb
SHA2568a3d404f5cdd1611433ea97e8a5ebf8696d8cdcf805331201a4fb4f7203023de
SHA5124f7bbab0fcdb150cf368ab9fa2d23f26082ae1ac1d1a4cebc7ea9b2724125c7f5e013b2180a08a3f0002e416e6be5e6233f47fb7f5dbebd1b503f09a5ea24831
-
Filesize
1KB
MD53af508a542bdfa6927737a2d91d74f40
SHA1433f04e960f68ce05358af2d672a9b649de4e3ce
SHA256e7e3e44142369b3a312005313f8569f2bcd45bcdc8ea9e141616654bcd090b60
SHA512b35ad011ca3770c1a1e2a655a614e91ebd96ce29099969c727a69e77a390b91078512ce55883d7290e4dd46c5f04f0461b2833f568d23da1fc4d91ea4633d3bc
-
Filesize
539KB
MD5c9ea662b66ef3b09237a4f034ed0dc1b
SHA13aa6b4311a9ced86ce5742da718750545ea994e2
SHA25610180dba512d06abb196a1cfb046f44fd4fef69251f9a705a317e2408e0026c1
SHA512a90c8e5cfc8f0a52dfa570c020f429d70e398fc7957d9c83588331575bd34b33ad5b16ba8cd4daa1f3e85d6dac56629def6e7e088dd4401dd5defe6a3234044c
-
Filesize
44KB
MD50a47b35697a401f4471c3f49820dbb76
SHA1fb2f73e3e79955f3601272d1daa144f64d81547f
SHA256baafb6435287b35b3f4808958439b6a2aa04aaa9e4ce95d7e46855c874fb1e66
SHA51289c5808643311d6053a1b9e21948fae07436e1e8d861d520dfc3fa91f078aabb3227ed461ec59e9977e4e6db4840e79d36ee73caab5bfa5cf303a4c6385d38db
-
Filesize
119KB
MD5b3e30cbd7f8042c7141a3957a33399a4
SHA11f808c68f20c396898ff95edd9fb154fc6f86840
SHA256edae6213d100b2a99079e7211adaefdd469edd0fa75b3146bd710a0aab83d833
SHA512b9061402648c1aba42665cf93a4e02d5aefe9ef5e409d21a715ae9e71ed4eb8de5c39bb3c47b69cd3b94a9a5e13e63c685c2cc92e4c4354be2cb2ade771547ff
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
Filesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
-
-
Filesize
576KB
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
-
Filesize
8KB
-
-
-
-
-
-
-