Overview

overview

10

Static

static

î...£i.exe

windows7-x64

8

î...£i.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    163s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-11-2022 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    i.exe

  • Size

    3.0MB

  • MD5

    365d7fdc34a8c57a60a4d1cd548e507b

  • SHA1

    eb635b6e7fa6fe1e3a83026fd47c87bc78753006

  • SHA256

    cf2667a5f76796a5ccc9995582737765e20eaf53b70b3688885974877f1d2d75

  • SHA512

    ca7e0f0c3aa1034b90bb613908eac6f1aeb443b5dccb4c0c5d315747baa2843b67cfee3ae020c68c9a7cd7e9f197a5a870936f382c1e252aa12333396e403bf2

  • SSDEEP

    12288:ny4zXZXBJ+LgSRQTy3pFjIwUOIojNoEFjwqIHGRGvFvaPw+3Y12wW:vrJ+LgTTy3pFjIwUOPVFjv8dvaPNI4D

Score
10/10
gh0stratpurplefoxratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops startup file 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 51 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\i.exe
    "C:\Users\Admin\AppData\Local\Temp\i.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" C:\Users\Public\Music\lhrhbe
      2⤵
        PID:2756
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Users\Public\ineng\snkc.exe
        "C:\Users\Public\ineng\snkc.exe" C:\Users\Public\ineng\fac.zip -d C:\Users\Admin\AppData\Roaming
        2⤵
        • Executes dropped EXE
        • Drops startup file
        PID:1020
      • C:\Users\Public\Pictures\Vrice\vqytap\blqxgc.exe
        "C:\Users\Public\Pictures\Vrice\vqytap\blqxgc.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3940
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3176

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\SHELL.TXT
        Filesize

        1.2MB

        MD5

        6c31255e56b22ff932555778af8798d7

        SHA1

        4cd2c651c1bb4d8bf861d6acf379c8f6e7a25b8a

        SHA256

        9bb3e1d29f1527268455a26c640fd09bca608b2bc1559dc9deda94aa2221abcd

        SHA512

        9880a646ae7db6b395a0605f15daaab1f9c7d890167e68b395981f4feefb4c9d824f943fa0b7b692a89622920a034386e4a1540d7c2220db29f00e7f2ca61b4f

        Download Submit
      • C:\Users\Public\Music\lhrhbe\akrusq.lnk
        Filesize

        1KB

        MD5

        cb182a9ef681251f067937aa372f0a4d

        SHA1

        6aef9fd724115378aa1f76ecdb9b131dec91ae45

        SHA256

        4323bed971efb532829e4381146a4fe57dabca6a15a38f871a9d6eb1ae98e9a4

        SHA512

        37ab7c7ea06e52df6382c23e7b5ffebf60b2f7a8c54c84b2d7df8289fd78ce30bcb2a26d08c1fa78a70ac1c612a1f43d613516e9cf79217ae397856b3950966b

        Download Submit
      • C:\Users\Public\Music\lhrhbe\cmgdhpu.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Music\lhrhbe\cnwfvry.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Music\lhrhbe\gvdltp.lnk
        Filesize

        1KB

        MD5

        1f0ebe29809688099e9cd0795783026c

        SHA1

        7f3f46a663092117ea6030b76384477dfea50623

        SHA256

        6050f6a23967f66b06a1c055f97bfa9e3986024771251234e5f57684c0ff8245

        SHA512

        1347f8b8f393cb88e382c66e697c5d976f0765ba95802d3e3c22cff822655e6a6203d2c416745f96ee2582af0ad6ab72b70aaa1543af3718165ddee9807ad65c

        Download Submit
      • C:\Users\Public\Music\lhrhbe\ioaypo.lnk
        Filesize

        1KB

        MD5

        2df938db6bb42d2ed882f3979729452c

        SHA1

        448a7175d5488ef65020af089c689a8261e6581f

        SHA256

        7c27b7587b54d5995e6c866a99bc13def47f75ba5ba736b35a8b9712e713f848

        SHA512

        22bfe49da9c7b0c82b06ae04f3535b95549766c8e98d5d0cf1acb95b8eef7bced36f9f0416ebba3ffbe0c255919269b0cda277abc41d43c887a0795f4702d93f

        Download Submit
      • C:\Users\Public\Music\lhrhbe\mnvrpc.lnk
        Filesize

        1KB

        MD5

        a0e1776f0b16c5a574c79fe5f1a7973b

        SHA1

        3081ecb803ff15776cc3be95d890a9cd4c090280

        SHA256

        9661093824ebc5f07cd6a707c9fecf2e69760b637850a6f0df882a787d420f0c

        SHA512

        12122b74bb489f3f229124b5a494a4852030a866824b0363384dfde4c3552423f2787cfa7987734ca7965f6eb555b1859700246fac44c07db4780b06e459f8a0

        Download Submit
      • C:\Users\Public\Music\lhrhbe\oofyglu.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Music\lhrhbe\qbekbn.lnk
        Filesize

        1KB

        MD5

        9a4916a6da214d1ac11319ffa16b6523

        SHA1

        7497774c036fe4a35988185b5a575ce89c66a645

        SHA256

        9dbad69e513ff0b28712962668193216e7e69bc560f8da3f4823409cac5007ab

        SHA512

        6e578543a67ae733ae28696b582ac5ba161ae22d548f65fd1218e241acdfcbbcf0d0242ebf1499f8a5296f6c90818acb4d3bc69ed61233fcf77878f67cec83a2

        Download Submit
      • C:\Users\Public\Music\lhrhbe\qbygybv.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Music\lhrhbe\tfrgpa.lnk
        Filesize

        1KB

        MD5

        5b93c3e80c3d49c5ec25b2c5cda4916a

        SHA1

        3856841824ce38d8be350a050606b973d3188750

        SHA256

        63a1eaeb327a6d3bf0c179a4de79af16033246b37e519505ff2ceaed44a7a3e6

        SHA512

        ae5023a11232d96bab74b39bf0c7afa7306bc6d601f6a1a97e9ac2036ab2eecf4ebf4f41cdbfd3325b9bbe6faebb53ae393c89ee38b50608ba6f3b45a713e413

        Download Submit
      • C:\Users\Public\Music\lhrhbe\vdxkprv.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Music\lhrhbe\yhdbqgb.url
        Filesize

        136B

        MD5

        ac76681ba6f60fab1987bb8b3756392b

        SHA1

        3de6eb4c4d6196beef424f17daba5d8d37d6bd34

        SHA256

        f55901048ccf7a9ca4311503607d0f535d2e5ad3011afaecc52a242915df3039

        SHA512

        706c600635cf8235315fdbda1dec57d5d23a867cc06838a7d8ecc7d421c3eb8b6d24e22809960a6b162b063c7a9d92d9017596475768cb0124cd7e108b94a40d

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\blqxgc.exe
        Filesize

        340KB

        MD5

        83020e8c25dd7d078733fe74c80d9b46

        SHA1

        57aa17d77a4912ed48b086cc86e78ffde7646aaa

        SHA256

        33b1ff750a50970f7646806c41e444ce956566691efe735b2ff541c429c2b2d6

        SHA512

        8b958749c6504874109adda9eb7bcc077e68474abd5fb2914aa1dd1212cf3e4c79c678aee7f23ef99a608fdd24fb39e12e57881db8708935a78999c999a70faa

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\blqxgc.exe
        Filesize

        340KB

        MD5

        83020e8c25dd7d078733fe74c80d9b46

        SHA1

        57aa17d77a4912ed48b086cc86e78ffde7646aaa

        SHA256

        33b1ff750a50970f7646806c41e444ce956566691efe735b2ff541c429c2b2d6

        SHA512

        8b958749c6504874109adda9eb7bcc077e68474abd5fb2914aa1dd1212cf3e4c79c678aee7f23ef99a608fdd24fb39e12e57881db8708935a78999c999a70faa

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\libeay32.dll
        Filesize

        690KB

        MD5

        f23fb8f6ad1a64c2723bbe997c431ad5

        SHA1

        05a3a84f71245bc12d8d6e43d3dab86dbe4f3a2e

        SHA256

        47900ae4431426ae1ea6b4010c8e5f683c62fc001b76a887ac035d69634fbe5a

        SHA512

        82afbb1f19e55e8d7dbd4db652e41a80eefdff21e59a94a62c7f0d289adae32153000f6c87e2b6b655e68b93bed49af4d71f4018b433c41b81765250b52838f4

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\libeay32.dll
        Filesize

        690KB

        MD5

        f23fb8f6ad1a64c2723bbe997c431ad5

        SHA1

        05a3a84f71245bc12d8d6e43d3dab86dbe4f3a2e

        SHA256

        47900ae4431426ae1ea6b4010c8e5f683c62fc001b76a887ac035d69634fbe5a

        SHA512

        82afbb1f19e55e8d7dbd4db652e41a80eefdff21e59a94a62c7f0d289adae32153000f6c87e2b6b655e68b93bed49af4d71f4018b433c41b81765250b52838f4

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\ssleay32.dll
        Filesize

        425KB

        MD5

        68e32ca1d7031ff1bfeaef5080a7806c

        SHA1

        8b43f487401145e188b9ee4bfdcfd263f0c50a5f

        SHA256

        702c06cd8b4d10340ce1e5064183c28146cea864a606db416e29c2edd38c2d63

        SHA512

        a13c33c0a25faf54816436585c3250f50df1c685495ef1ae51417fc4489e9d527e30ad03c4f2b4f3d17cdbb1abd1c820b154faa55705e588921d8fb392a033ae

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\ssleay32.dll
        Filesize

        425KB

        MD5

        68e32ca1d7031ff1bfeaef5080a7806c

        SHA1

        8b43f487401145e188b9ee4bfdcfd263f0c50a5f

        SHA256

        702c06cd8b4d10340ce1e5064183c28146cea864a606db416e29c2edd38c2d63

        SHA512

        a13c33c0a25faf54816436585c3250f50df1c685495ef1ae51417fc4489e9d527e30ad03c4f2b4f3d17cdbb1abd1c820b154faa55705e588921d8fb392a033ae

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\wc.xml
        Filesize

        136KB

        MD5

        1059e69d1c7ac07ba7cb078772b58857

        SHA1

        1a18272e515c8ab533dc496fd14c14bdf1241e9c

        SHA256

        37f88d448e084378dca4a5e6223c17dae389607c062c51903f7e132d4e65b4fe

        SHA512

        10220d3ec431acdc416073bb9ac4e5a6aac54323071787dd3bf1dd83c3771af1bc095b665b246cd0c3db10f5a2c2e70a34953e750b6c74efd9caf27ed7489c77

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\zlib1.dll
        Filesize

        98KB

        MD5

        d90dad5eea33a178bac56fff2847d4c2

        SHA1

        cbbce727fd8447487c7fc68051b24df17d043649

        SHA256

        104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf

        SHA512

        8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb

        Download Submit
      • C:\Users\Public\Pictures\Vrice\vqytap\zlib1.dll
        Filesize

        98KB

        MD5

        d90dad5eea33a178bac56fff2847d4c2

        SHA1

        cbbce727fd8447487c7fc68051b24df17d043649

        SHA256

        104162a59e7784e1fe2ec0b7db8836e1eb905abfd1602a05d86debe930b40cbf

        SHA512

        8dbe57e32554d049a0779c40645dfbad2eaa1eeaf746898cd44f8686265f1fd4f84d6f857ba40644294d817d5c5eab6ba6271df55c56047fd16c10b8478184eb

        Download Submit
      • C:\Users\Public\ineng\fac.zip
        Filesize

        1KB

        MD5

        ecefe248fc6060abeabb1284c97ed387

        SHA1

        8b97a1ecbe3ec02dd8ff1bac361aa175d4a3ba01

        SHA256

        dbc9fb5b23d6a888a5f94bbd427eba461c3f9185638bb7100eb018ef1ce4d5bd

        SHA512

        765fe11209c8555515ad6e0b9d54816a7383d0e65d61d91d95603191ca8a0efcc8d0bb86df754bc920538bf097656c44ba1c33b6b2b3e7ee3a01710f626f26fc

        Download Submit
      • C:\Users\Public\ineng\snkc.exe
        Filesize

        40KB

        MD5

        d3ed82f676591a9c47037a7b66908832

        SHA1

        49533ea0b019b76131c14936814f99b9794d506b

        SHA256

        0ef64a90dad0929f282fa1425422b2ffd70bf2ac803371fe3c780afefad66455

        SHA512

        c79e09b8f47200acec33042cf183ead8cb3f7f87380e2ee4b3a2d6a05d96305277dea13974714d3e8ff8dd7c4733a2e4e93e137408de66ef60b6ec6f3e862986

        Download Submit
      • C:\Users\Public\ineng\snkc.exe
        Filesize

        40KB

        MD5

        d3ed82f676591a9c47037a7b66908832

        SHA1

        49533ea0b019b76131c14936814f99b9794d506b

        SHA256

        0ef64a90dad0929f282fa1425422b2ffd70bf2ac803371fe3c780afefad66455

        SHA512

        c79e09b8f47200acec33042cf183ead8cb3f7f87380e2ee4b3a2d6a05d96305277dea13974714d3e8ff8dd7c4733a2e4e93e137408de66ef60b6ec6f3e862986

        Download Submit
      • memory/1020-142-0x0000000000000000-mapping.dmp
        Download
      • memory/1020-145-0x0000000000400000-0x000000000042B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/2756-132-0x0000000000000000-mapping.dmp
        Download
      • memory/3940-153-0x0000000000000000-mapping.dmp
        Download
      • memory/3940-163-0x00000000038E0000-0x0000000003A85000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3940-164-0x0000000010000000-0x00000000101A6000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3940-165-0x0000000000760000-0x0000000000783000-memory.dmp
        Filesize

        140KB

        Download
      • memory/3940-166-0x00000000037A0000-0x00000000038D8000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3940-167-0x00000000038E0000-0x0000000003A85000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3940-168-0x00000000038E0000-0x0000000003A85000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4804-140-0x0000000005DA0000-0x0000000005E32000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4804-139-0x0000000006430000-0x00000000069D4000-memory.dmp
        Filesize

        5.6MB

        Download