Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-11-2022 03:00

General

  • Target

    2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe

  • Size

    24KB

  • MD5

    046fb6d83046827da18086aa6ac523aa

  • SHA1

    945ceb168b4b5f207aa9e516584c32de29bb650c

  • SHA256

    2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a

  • SHA512

    3c9477c45f95b7815729d7e7ced5427e176d929d8f31f163de5b502e9189ddd5d07a88d6b3b9323a99898672587ba7b071dd8f3691690191f7a4907f26b170b3

  • SSDEEP

    192:8FES6pYk/gvPNJv+mv+kAUoynYlLvJpNNwD1iT9fF73At4EaQ9r:8v73NvViTkaQl

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • UAC bypass 3 TTPs 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe
    "C:\Users\Admin\AppData\Local\Temp\2086b8409ea31624c1d25581d4729ad48f3cde3a3b4969f2c9b79ca6ae6c354a.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4868
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:4952
    • C:\Users\Public\Documents\k4.exe
      C:/Users/Public/Documents/k4.exe /D
      2⤵
      • Executes dropped EXE
      PID:1324
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /t /im k4.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /t /im k4.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b C:\\Users\\Public\\Documents\\MZ.txt+C:\\Users\\Public\\Documents\\TAS.txt C:\\Users\\Public\\Documents\\TASLoginBase.dll
      2⤵
      PID:4576
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\\Users\\Public\\Documents\\2022060125.vbe
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\2022060125.vbe"
        3⤵
        PID:1644
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\sch.vbe"
      2⤵
      PID:5036
    • C:\Users\Public\Documents\k4.exe
      "C:\Users\Public\Documents\k4.exe" /E
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2136
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Public\Documents\dllhosts.exe
      "C:\Users\Public\Documents\dllhosts.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Users\Public\Documents\dllhosts.exe
        C:\Users\Public\Documents\dllhosts.exe
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious behavior: SetClipboardViewer
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\WINDOWS\system32\cmd.exe
      "C:\WINDOWS\system32\cmd.exe" /c C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Public\Documents\unzip.exe
        C:\Users\Public\Documents\unzip.exe -o -P Startup8888 C:\Users\Public\Documents\unzip.dat -d "C:\Users\Admin\AppData\Roaming"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Privilege Escalation
    • Bypass User Account Control (1) T1088
  • Defense Evasion
    • Bypass User Account Control (1) T1088
    • Disabling Security Tools (1) T1089
    • Modify Registry (2) T1112
  • Discovery
    • Query Registry (4) T1012
    • System Information Discovery (6) T1082
    • Peripheral Device Discovery (2) T1120

        Downloads

        • C:\Users\Public\Documents\2022060125.vbe
          Filesize

          180B

          MD5

          d66c7e77096d4f4c406170b6ca0ad123

          SHA1

          9bb461061c7276ebe2a493f690d72263c0da8962

          SHA256

          cd0a0ac1315f1f473f4a42bed62fad7033fe68a3e0cf72a7b354a7e3dd78e8a8

          SHA512

          015788021b53eb278be1238b26a01499dcb809d93ee747bc89208f8d3570a7b0b813c70ea054e70584b536da4811f0a58ef38c96a984e6b3a54654774e5c7592

        • C:\Users\Public\Documents\Class.dll
          Filesize

          47KB

          MD5

          489c64a28a4295f0927e530632af0c34

          SHA1

          7787a8a54513c590bb9ac8539229efc508cee774

          SHA256

          3bccac3eb915a400ada9ef06c9b576a330e217a5a35f8c8c87612c0273b276c6

          SHA512

          c82f242762f0bff06fc85fa4710681fee7538643da546990bca19befcd375ac03e5cf7fa4acc234bee401df4be95ac33933b0c6f6adb2868c23ac3cbe9fd806f

        • C:\Users\Public\Documents\MZ.txt
          Filesize

          2B

          MD5

          ac6ad5d9b99757c3a878f2d275ace198

          SHA1

          439baa1b33514fb81632aaf44d16a9378c5664fc

          SHA256

          9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

          SHA512

          bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

        • C:\Users\Public\Documents\TAS.txt
          Filesize

          311KB

          MD5

          2044e12d279ed89fc79743797cbc36a1

          SHA1

          0352402983a679c31df3c1914c308a5496f8ebef

          SHA256

          23b58e1be56b36e88607f594f32ac73484467a2ebba28f3c959b17b4569dfe8a

          SHA512

          37e70930d5ba1753239aede633b0c6330b3e443bf7b6dc891d48b923072214f96f05acfd8d2da2fd52064a0cda1c87d7ad0c0fd88c3aaf959aa3b0d48525893d

        • C:\Users\Public\Documents\TASLoginBase.dll
          Filesize

          311KB

          MD5

          91e334cc8bae8f5b83fdfa66d1835f2e

          SHA1

          5c786df91a797dd2c6f80b07ff09f75db76ea3e6

          SHA256

          7e43b8f6627afe6f9e26f9f2429ec05ed971ffe522d239d54144750a4905aef5

          SHA512

          f23d6585eff6fd88f415c8214c81afb965be1012f0b6af3dffff0ca281b7b3ab456b4b6c76b77ff28de33bc217f80655d0e91c100ba8dd2100b1ab42f732ec97

        • C:\Users\Public\Documents\dllhosts.exe
          Filesize

          411KB

          MD5

          66557b2bd93e70a2804e983b279ab473

          SHA1

          4e58505689fd9643b5011880ce94b22cbfadf917

          SHA256

          a63c9e3f7256e38224f7256307d954d4a6baa9f023f6ac49d8cface7b2658e31

          SHA512

          b08d8b2872f4ebdbab7b15bd96f5d185f05030983c2d704497d30fe5f610874b5ec362f0e3e55800031edcd29b812d9b58214e76012a85df074310f36e0f33f4

        • C:\Users\Public\Documents\k4.exe
          Filesize

          892KB

          MD5

          33e29221e2825001d32f78632217d250

          SHA1

          9122127fc91790a1edb78003e9b58a9b00355ed5

          SHA256

          65d0b20a4dc4911fbb91683eb6488d3d3493fa4584bbdfb4e942f203bef0030d

          SHA512

          01d5c6ded3a83d81371e94fefb1debabb1d003c86ab3cf7145d28fb15fcfd4f8b763f6711f99c5afd9bf90f02a7af993efa5945d4f8bb6a3649b5fd86414ae93

        • C:\Users\Public\Documents\sch.vbe
          Filesize

          179B

          MD5

          d569f44ce5792ee816b4182e3c7bc7da

          SHA1

          f16a402cd6030b5c7faa5c85ade3005d66d5232a

          SHA256

          59ff328647ccee11ad437e02b6e84c12511333553837b6fa270eefd21a3eccbf

          SHA512

          bb0f888ff00038d1787e6cce8b09b61761d93594cbfe08d2dbf650c1802938d6df7b4b854c1af97ad405fb3b1460aab339e636852d51dc6b6849d27a5af9560b

        • C:\Users\Public\Documents\unzip.dat
          Filesize

          1KB

          MD5

          030bfec240cc95293c84c1b7d8888b48

          SHA1

          ceea3cebec2f467be1c8b356d8022dbe0285bc5c

          SHA256

          10df1c86ccea95c0d012135bbfe1b32cae4f13574883063a1d8c0312158ff77f

          SHA512

          ec54405365b094230acc6c81365ab5a893ad1121ba7120227a2d96aff4f9e3c1cab9683d7e6a8459b4c54e457a0eb49f9493f25fcfd094dc6d0421875200c910

        • C:\Users\Public\Documents\unzip.exe
          Filesize

          164KB

          MD5

          75375c22c72f1beb76bea39c22a1ed68

          SHA1

          e1652b058195db3f5f754b7ab430652ae04a50b8

          SHA256

          8d9b5190aace52a1db1ac73a65ee9999c329157c8e88f61a772433323d6b7a4a

          SHA512

          1b396e78e189185eefb8c6058aa7e6dfe1b8f2dff8babfe4ffbee93805467bf45760eea6efb8d9bb2040d0eaa56841d457b1976dcfe13ed67931ade01419f55a

        • C:\Users\Public\Documents\unzip.lnk
          Filesize

          892B

          MD5

          3d55c02372fb69460b0f774b89130dba

          SHA1

          b50d58ef0fc2c9af80e3ecedfc76b2956ff28244

          SHA256

          67c8871cd1491fec17ad8eba0c13203d79096a58b76e4a4d2902b8d71928ac2e

          SHA512

          4d8850f4cb37aef07cf59396df6b55b6496b3660f70b5551f5582685e1968c1a09836ec886f6297ff8ea0114d237c829c3b7e6df635a06bbd89f4bbf20aa4080

        • C:\Users\Public\Documents\update.lnk
          Filesize

          1KB

          MD5

          3af508a542bdfa6927737a2d91d74f40

          SHA1

          433f04e960f68ce05358af2d672a9b649de4e3ce

          SHA256

          e7e3e44142369b3a312005313f8569f2bcd45bcdc8ea9e141616654bcd090b60

          SHA512

          b35ad011ca3770c1a1e2a655a614e91ebd96ce29099969c727a69e77a390b91078512ce55883d7290e4dd46c5f04f0461b2833f568d23da1fc4d91ea4633d3bc

        • C:\Users\Public\Documents\update.log
          Filesize

          539KB

          MD5

          158f06d8f8d8cd89aa08c372b86ea3c9

          SHA1

          789a99ad51b4d003b1766891af17008191417c7d

          SHA256

          ee1c21553f5bf755f23cf88b9fca4e16e73998b5044765c43644a48c16c2bee2

          SHA512

          d5c3ec2a2fa373f8369166d198147c106294b4fa3c7a62505ba774e0c1c1acf17c92391c07c0de2b54da837db393ceff79accbbdec74800a45378c05ba42de99

        • memory/336-143-0x0000000000000000-mapping.dmp
        • memory/1292-157-0x0000000000000000-mapping.dmp
        • memory/1324-136-0x0000000000000000-mapping.dmp
        • memory/1644-146-0x0000000000000000-mapping.dmp
        • memory/1664-139-0x0000000000000000-mapping.dmp
        • memory/2136-175-0x0000000000000000-mapping.dmp
        • memory/2364-163-0x0000000000400000-0x0000000000547000-memory.dmp
          Filesize

          1.3MB

        • memory/2364-174-0x0000000000400000-0x0000000000547000-memory.dmp
          Filesize

          1.3MB

        • memory/2364-168-0x0000000010000000-0x000000001019F000-memory.dmp
          Filesize

          1.6MB

        • memory/2364-167-0x0000000000400000-0x0000000000547000-memory.dmp
          Filesize

          1.3MB

        • memory/2364-162-0x0000000000000000-mapping.dmp
        • memory/2364-166-0x0000000000400000-0x0000000000547000-memory.dmp
          Filesize

          1.3MB

        • memory/3104-161-0x0000000000400000-0x0000000000490000-memory.dmp
          Filesize

          576KB

        • memory/3104-151-0x0000000000000000-mapping.dmp
        • memory/3424-138-0x0000000000000000-mapping.dmp
        • memory/4576-140-0x0000000000000000-mapping.dmp
        • memory/4672-156-0x0000000000000000-mapping.dmp
        • memory/4952-133-0x0000000000000000-mapping.dmp
        • memory/5036-145-0x0000000000000000-mapping.dmp