Analysis
-
max time kernel
270s -
max time network
295s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-11-2022 00:22
General
-
Target
PPPPPPPPPPPPPPP.exe
-
Size
60KB
-
MD5
94406fab156e3ed962899d6a473683c5
-
SHA1
08ef787ee7264e87abdb1933102ae94a8056a587
-
SHA256
422c3df285fbd86303eb0448583550d7584a330095c60ada442cb1beb97cf670
-
SHA512
c5ae7834d4722e7ca702258203f718a00403d76455cfe5e75743f116a4bd0c37ec33dcf89c6f779e8247519ae65e12523fe6bc7aede28a360fbf4687e1b2bba2
-
SSDEEP
768:DlH3iOcmCQkUF7Q3n8Q37RGC5fBPcKX0hT6tUTNtg3333rIX72s2H3eI2:DlHyOcmCD27c8oN5JPcQQhg3333rdX9
Malware Config
Signatures
-
Detect PurpleFox Rootkit 2 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
UAC bypass 3 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 3 IoCs
-
Loads dropped DLL 8 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 57 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"C:\Users\Admin\AppData\Local\Temp\PPPPPPPPPPPPPPP.exe"1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Public\Documents\k4.exeC:/Users/Public/Documents/k4.exe2⤵
- Executes dropped EXE
-
C:\Users\Public\Documents\k4.exeC:/Users/Public/Documents/k4.exe /D2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /t /im k4.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /t /im k4.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b C:\\Users\\Public\\Documents\\MZ.txt+C:\\Users\\Public\\Documents\\TAS.txt C:\\Users\\Public\\Documents\\TASLoginBase.dll2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Documents\2022060125.vbe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c del C:\\Users\\Public\\Documents\\TASLoginBase.dll2⤵
-
C:\Users\Public\Documents\k4.exe"C:\Users\Public\Documents\k4.exe" /E2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\system32\cmd.exe"C:\WINDOWS\system32\cmd.exe" /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"2⤵
-
C:\Users\Public\Documents\unzip.exeC:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"3⤵
- Executes dropped EXE
- Drops startup file
-
C:\Windows\system32\mmc.exeC:\Windows\system32\mmc.exe -Embedding1⤵
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\dllhosts.exe"C:\Users\Public\Documents\dllhosts.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\dllhosts.exeC:\Users\Public\Documents\dllhosts.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 603⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Documents\2022060125.vbeFilesize
180B
MD5d66c7e77096d4f4c406170b6ca0ad123
SHA19bb461061c7276ebe2a493f690d72263c0da8962
SHA256cd0a0ac1315f1f473f4a42bed62fad7033fe68a3e0cf72a7b354a7e3dd78e8a8
SHA512015788021b53eb278be1238b26a01499dcb809d93ee747bc89208f8d3570a7b0b813c70ea054e70584b536da4811f0a58ef38c96a984e6b3a54654774e5c7592
-
C:\Users\Public\Documents\MZ.txtFilesize
2B
MD5ac6ad5d9b99757c3a878f2d275ace198
SHA1439baa1b33514fb81632aaf44d16a9378c5664fc
SHA2569b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
SHA512bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b
-
C:\Users\Public\Documents\TAS.txtFilesize
92KB
MD5245390db827b6139081bf816f9fa095b
SHA11dbf1dfb99e55178a212bc5398c7322aa486db05
SHA2560762b64860a7f33b4e7d17f2038d7d0e08f36221b9696bd941e53074e897ac7f
SHA512ef0a5426db96c83b48e2cfc6bf760eeef9cf030dfc3d1be1e564332f92eb1dc2ecf9871872ed3a9876d7883a717f233bd73cdfb60c698e30272ede6f99374aa4
-
C:\Users\Public\Documents\TASLoginBase.dllFilesize
93KB
MD5b15697fa74cbc78d9197eacdcafb5686
SHA1882437010e9b06054a5ebf54156ed47f04653ea1
SHA2562ab8df88d746213787c04b872c7259df83b70e39ba4188fa15ef3ce34b9d0bf4
SHA512e4c9b53991b87e99d35818465154f6595001ada7e71d2b7cab4333c81997fb4aaec472a66e2b6fa66e039a1bdc40ff2458f7123330bd93421d01004cc0c58d4b
-
C:\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
C:\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
C:\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
C:\Users\Public\Documents\k4.exeFilesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
C:\Users\Public\Documents\k4.exeFilesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
C:\Users\Public\Documents\k4.exeFilesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
C:\Users\Public\Documents\k4.exeFilesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
C:\Users\Public\Documents\sch.vbeFilesize
179B
MD5d569f44ce5792ee816b4182e3c7bc7da
SHA1f16a402cd6030b5c7faa5c85ade3005d66d5232a
SHA25659ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf
SHA512bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b
-
C:\Users\Public\Documents\unzip.datFilesize
1KB
MD5030bfec240cc95293c84c1b7d8888b48
SHA1ceea3cebec2f467be1c8b356d8022dbe0285bc5c
SHA25610df1c86ccea95c0d012135bbfe1b32cae4f13574883063a1d8c0312158ff77f
SHA512ec54405365b094230acc6c81365ab5a893ad1121ba7120227a2d96aff4f9e3c1cab9683d7e6a8459b4c54e457a0eb49f9493f25fcfd094dc6d0421875200c910
-
C:\Users\Public\Documents\unzip.exeFilesize
164KB
MD575375c22c72f1beb76bea39c22a1ed68
SHA1e1652b058195db3f5f754b7ab430652ae04a50b8
SHA2568d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a
SHA5121b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a
-
C:\Users\Public\Documents\unzip.lnkFilesize
892B
MD53d55c02372fb69460b0f774b89130dba
SHA1b50d58ef0fc2c9af80e3ecedfc76b2956ff28244
SHA25667c8871cd1491fec17ad8eba0c13203d79096a58b76e4a4d2902b8d71928ac2e
SHA5124d8850f4cb37aef07cf59396df6b55b6496b3660f70b5551f5582685e1968c1a09836ec886f6297ff8ea0114d237c829c3b7e6df635a06bbd89f4bbf20aa4080
-
C:\Users\Public\Documents\update.lnkFilesize
1KB
MD53af508a542bdfa6927737a2d91d74f40
SHA1433f04e960f68ce05358af2d672a9b649de4e3ce
SHA256e7e3e44142369b3a312005313f8569f2bcd45bcdc8ea9e141616654bcd090b60
SHA512b35ad011ca3770c1a1e2a655a614e91ebd96ce29099969c727a69e77a390b91078512ce55883d7290e4dd46c5f04f0461b2833f568d23da1fc4d91ea4633d3bc
-
C:\Users\Public\Documents\update.logFilesize
539KB
MD5d0be8152d070cd7850138f2a3241049c
SHA12b1656158a25c3bd870b6c4a863421800d28d1bf
SHA256c48ace234909809264c5c24ccb42a909b7b99f78e83f87909ee81164be21fda2
SHA512238537f65be2f9d32b6673d5b0260bf3288892b3759d3d38cdfa705fb3469db5533903bf16c741284fd6e595d3ed4bdcd79c3f259200a85a1d0a05d7e8226272
-
\Users\Public\Documents\TASLoginBase.dllFilesize
93KB
MD5b15697fa74cbc78d9197eacdcafb5686
SHA1882437010e9b06054a5ebf54156ed47f04653ea1
SHA2562ab8df88d746213787c04b872c7259df83b70e39ba4188fa15ef3ce34b9d0bf4
SHA512e4c9b53991b87e99d35818465154f6595001ada7e71d2b7cab4333c81997fb4aaec472a66e2b6fa66e039a1bdc40ff2458f7123330bd93421d01004cc0c58d4b
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\dllhosts.exeFilesize
411KB
MD566557b2bd93e70a2804e983b279ab473
SHA14e58505689fd9643b5011880ce94b22cbfadf917
SHA256a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31
SHA512b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4
-
\Users\Public\Documents\k4.exeFilesize
892KB
MD533e29221e2825001d32f78632217d250
SHA19122127fc91790a1edb78003e9b58a9b00355ed5
SHA25665d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d
SHA51201d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93
-
memory/384-68-0x0000000000000000-mapping.dmp
-
memory/840-113-0x0000000000000000-mapping.dmp
-
memory/1084-79-0x0000000000000000-mapping.dmp
-
memory/1156-64-0x0000000000000000-mapping.dmp
-
memory/1292-56-0x0000000000000000-mapping.dmp
-
memory/1292-96-0x0000000000000000-mapping.dmp
-
memory/1292-58-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmpFilesize
8KB
-
memory/1420-100-0x0000000010000000-0x000000001019F000-memory.dmpFilesize
1.6MB
-
memory/1420-112-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/1420-97-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/1420-98-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/1420-92-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/1420-90-0x0000000000400000-0x0000000000547000-memory.dmpFilesize
1.3MB
-
memory/1420-93-0x00000000005433C0-mapping.dmp
-
memory/1476-60-0x0000000000000000-mapping.dmp
-
memory/1488-70-0x0000000000000000-mapping.dmp
-
memory/1764-114-0x0000000000000000-mapping.dmp
-
memory/1776-65-0x0000000000000000-mapping.dmp
-
memory/1828-63-0x0000000000000000-mapping.dmp
-
memory/1884-89-0x0000000000400000-0x0000000000490000-memory.dmpFilesize
576KB
-
memory/1884-84-0x0000000000000000-mapping.dmp
-
memory/1916-74-0x0000000000000000-mapping.dmp
-
memory/1988-54-0x00000000761F1000-0x00000000761F3000-memory.dmpFilesize
8KB