Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-11-2022 21:39

General

  • Target

    3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95.exe

  • Size

    416KB

  • MD5

    dfc7f23c614f09dbd3c51b91177ec88b

  • SHA1

    0d3b03a486fa37e0fddd7e59c5a329869c663633

  • SHA256

    3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95

  • SHA512

    25e3d55463d672c18856598c9735e6d6b22152c2123769e1ebc8d13a6acc5843ff745ec1815d9f982b0b75f3036044baac326c8552a9a946eb787b3c4d8e3a7d

  • SSDEEP

    6144:REg2/FmkfKc+Mz6aEctnbbWj/VI1N5kvsWT6kRXAfAarxGEEXXUOCwKHmp4N9:OtUsz6aEcV6rVI/HWTxRXAoi647

Malware Config

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 7 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95.exe
    "C:\Users\Admin\AppData\Local\Temp\3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\3783F3~1.EXE +s +h
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\SysWOW64\attrib.exe
        attrib C:\Users\Admin\AppData\Local\Temp\3783F3~1.EXE +s +h
        3⤵
        • Sets file to hidden
        • Views/modifies file attributes
        PID:4552
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c md C:\ProgramData\Micros
      2⤵
      PID:4280
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c md C:\ProgramData\Micros
      2⤵
      PID:4932
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c md C:\ProgramData\Micros
      2⤵
      PID:460
    • C:\ProgramData\windows.exe
      C:\ProgramData\windows.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\attrib.exe
          attrib C:\PROGRA~3\windows.exe +s +h
          4⤵
          • Sets file to hidden
          • Drops file in Program Files directory
          • Views/modifies file attributes
          PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md C:\ProgramData\ru
        3⤵
        PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • T1158 Hidden Files and Directories (2)
    • T1060 Registry Run Keys / Startup Folder (1)
  • Defense Evasion
    • T1158 Hidden Files and Directories (2)
    • T1112 Modify Registry (1)
  • Discovery
    • T1012 Query Registry (3)
    • T1082 System Information Discovery (4)
    • T1120 Peripheral Device Discovery (1)


Downloads

  • C:\ProgramData\Micros\1.txt
    Filesize: 76KB
    MD5: a0174e9945895fa8ace11f6bb4a64298
    SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
    SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
    SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec

  • C:\ProgramData\Micros\2.txt
    Filesize: 44KB
    MD5: 96d097045736a2a1526d63c2d83a6b22
    SHA1: dde933d7fcc22e41f981d043a3aa835e3b19f86e
    SHA256: abbd451b402243bf00ad76f253d2b1c3f80d1d6f6c7f5b2f0d5e3fdd7f9c06e5
    SHA512: e6ef5a7f25af760fef212b46b1796b8b386575e258a8b02a4c74510bb600e7fac3d344cceae14ef4b72a2520022e7cc611b34a56f737892ed4970ed1150945bd

  • C:\ProgramData\SHELL.TXT
    Filesize: 1.2MB
    MD5: 399dbed89b6eb31237ab085dbc18728a
    SHA1: 2ec1384fcbeef7122fc3ef97cb6a18ead214f7b8
    SHA256: 9d1d6b9d33f33fb777706e4a48fe3efec12f32a0b19d16db45995451d71ed44a
    SHA512: 4b4f7fd02754209b7527a7f1e68d87e072485e1bf12324850917afb384e59dc783170a0b11ec39acad2fea6753492ab07d8f610199074c1808a5bb3c7f42a1c4

  • C:\ProgramData\SHELL.ini
    Filesize: 94B
    MD5: 0152439df609b41e4e0314303534dcc6
    SHA1: 7708dc87728d70cb230d9475154a44b82496d91c
    SHA256: 765bab985a52c6a63ee1af27bce853626e16a8a53106893a3560e0a97dc5806e
    SHA512: ba80f943ad211c950cdd81f7d6e3caabf0db82227cd2eed340a76a21a6e56c21d2a2760e9acf89c78903f4c239e9df7db897e4e76a2ab7bb07242d9751c9f01c

  • C:\ProgramData\windows.exe
    Filesize: 416KB
    MD5: dfc7f23c614f09dbd3c51b91177ec88b
    SHA1: 0d3b03a486fa37e0fddd7e59c5a329869c663633
    SHA256: 3783f305e648ec62701e1a3c57b8897e028a7294e77f8868eb72c04e41b4bb95
    SHA512: 25e3d55463d672c18856598c9735e6d6b22152c2123769e1ebc8d13a6acc5843ff745ec1815d9f982b0b75f3036044baac326c8552a9a946eb787b3c4d8e3a7d


  • memory/460-138-0x0000000000000000-mapping.dmp
  • memory/2004-147-0x0000000000000000-mapping.dmp
  • memory/2492-140-0x0000000000000000-mapping.dmp
  • memory/2492-153-0x00000000025B0000-0x0000000002756000-memory.dmp (Filesize: 1.6MB)
  • memory/2492-145-0x00000000025B0000-0x0000000002756000-memory.dmp (Filesize: 1.6MB)
  • memory/2492-150-0x00000000025B0000-0x0000000002756000-memory.dmp (Filesize: 1.6MB)
  • memory/2856-148-0x0000000000000000-mapping.dmp
  • memory/3996-149-0x0000000000000000-mapping.dmp
  • memory/4280-137-0x0000000000000000-mapping.dmp
  • memory/4324-146-0x0000000002F50000-0x00000000030F6000-memory.dmp (Filesize: 1.6MB)
  • memory/4324-132-0x0000000002F50000-0x00000000030F6000-memory.dmp (Filesize: 1.6MB)
  • memory/4324-134-0x0000000002F50000-0x00000000030F6000-memory.dmp (Filesize: 1.6MB)
  • memory/4324-133-0x0000000002E10000-0x0000000002F49000-memory.dmp (Filesize: 1.2MB)
  • memory/4552-139-0x0000000000000000-mapping.dmp
  • memory/4932-136-0x0000000000000000-mapping.dmp
  • memory/5036-135-0x0000000000000000-mapping.dmp