Analysis

  • max time kernel
    141s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-03-2023 03:09

General

  • Target

    e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe

  • Size

    20KB

  • MD5

    9a2d73c4e432f7e5b79ca679dfaea411

  • SHA1

    00531b635ccb5f450aa9e2abaae904094b2576e5

  • SHA256

    e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d

  • SHA512

    d02dc5bf1cc399a3f944cd5cbed47984effc696cf31cf67c5bcae58ff3c7b937e61218cd03727d800776c98509123fead7f875b842d3d8e67758eba682b6f89e

  • SSDEEP

    384:6353Z9WzLE7FCFSHR2yU03QGHc4Je1dJqsNbeVvQkkrIaNJawcudoD7Ukalk:6phCSwmxc4Je1dT0IkQhnbcuyD7Ukal

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage treats this as likely ransomware behaviour; on its own it only shows drive enumeration, which other malware families also perform.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
    "C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\ProgramData\homo\2.exe
      "C:\ProgramData\homo\2.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:4020
    • C:\ProgramData\homo\test.exe
      "C:\ProgramData\homo\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\114514
        3⤵
        • Modifies registry class
        PID:4184
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4708
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3896

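The process tree above, rewritten as detection logic. This is an added example and not part of the Triage report or of the sample: the process records are constructed from the PIDs, image paths and command lines listed above (parent links follow the tree as shown; rundll32.exe and mmc.exe are left unparented because the report shows them at depth 1), and the three rules, their names and the `start_target` helper are my own.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report attributes no parent
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


# Constructed from the Processes section of the report: PIDs, image paths and
# command lines are the report's; parent links follow the tree as shown, and
# rundll32.exe / mmc.exe are left unparented because the report shows them at depth 1.
REPORT_PROCESSES: List[Proc] = [
    Proc(2144, None,
         r"C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe"'),
    Proc(4020, 2144, r"C:\ProgramData\homo\2.exe", r'"C:\ProgramData\homo\2.exe"'),
    Proc(3092, 2144, r"C:\ProgramData\homo\test.exe", r'"C:\ProgramData\homo\test.exe"'),
    Proc(4184, 3092, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c start C:\ProgramData\114514"),
    Proc(4708, None, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
         r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    Proc(3896, None, r"C:\Windows\system32\mmc.exe",
         r'"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"'),
]

PROGRAMDATA = "C:\\ProgramData\\"
USER_TEMP_FRAGMENT = "\\appdata\\local\\temp\\"


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path lives under prefix' for Windows paths (ntpath works on any host)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix))


def start_target(cmdline: str) -> Optional[str]:
    """Return the file a cmd.exe 'start' command is asked to open, or None.

    'start' treats a leading quoted token as the window title and /x tokens as
    switches, so both are skipped before taking the target.
    """
    m = re.search(r"\bstart\b(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    tokens = re.findall(r'"[^"]*"|\S+', m.group(1))
    if tokens and tokens[0].startswith('"'):
        tokens = tokens[1:]
    tokens = [t for t in tokens if not t.startswith("/")]
    return tokens[0].strip('"') if tokens else None


def analyze(procs: List[Proc]) -> List[Finding]:
    """Apply the three rules to a process list and return every hit."""
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None

        # Rule 1: an .exe executing from C:\ProgramData (the report's 2.exe and test.exe).
        if _under(p.image, PROGRAMDATA) and ntpath.splitext(p.image)[1].lower() == ".exe":
            findings.append(Finding(p.pid, "exec_from_programdata", p.image))

        # Rule 2: a parent running from the user's Temp directory launching a child from
        # ProgramData: the dropper-to-payload hand-off the report shows under PID 2144.
        if (parent is not None and USER_TEMP_FRAGMENT in ntpath.normcase(parent.image)
                and _under(p.image, PROGRAMDATA)):
            findings.append(Finding(p.pid, "temp_parent_to_programdata", f"parent pid {parent.pid}"))

        # Rule 3: cmd.exe 'start' pointed at a path with no extension (C:\ProgramData\114514).
        # Without an extension the shell has no file association to go on, so this is rare
        # in legitimate scripts and worth a look when the parent is a dropped binary.
        if ntpath.basename(p.image).lower() == "cmd.exe":
            target = start_target(p.cmdline)
            if target and ntpath.splitext(ntpath.basename(target))[1] == "":
                findings.append(Finding(p.pid, "cmd_start_extensionless", target))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_PROCESSES):
        print(f"PID {f.pid:>5}  {f.rule:<28} {f.detail}")
```

Run against the constructed records, the rules fire on PIDs 4020, 3092 and 4184 and stay quiet on the sample itself, rundll32.exe and mmc.exe; the same three rules port directly to a Sysmon or EDR process-creation feed once the `Proc` fields are mapped to its columns.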
Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Discovery
    • Query Registry (T1012): 3 matching signatures
    • System Information Discovery (T1082): 4 matching signatures
    • Peripheral Device Discovery (T1120): 1 matching signature

Downloads

    • C:\ProgramData\homo\2.exe
      Filesize

      1.2MB

      MD5

      ddc1266b1d6ae3b9cceec4078b91936e

      SHA1

      3fb80c7dac6e48f45306ba11fc95c3ad8e6bcd41

      SHA256

      8cef452d1f95a672b130e64fdb5b71cc1b1cdf4c0533791aa4ce65dffb256a41

      SHA512

      a0d5e3ceec16f9a75adf453ea4999a79615d4566fb6cb9dd80f94a286d00378407b429d515fa2499756e5b3a24af6f735e4063f5265768215f9b6158f88ed1d4

    • C:\ProgramData\homo\test.exe
      Filesize

      208KB

      MD5

      918d059d9c6573de0fb710d7c62b39f8

      SHA1

      56d5754101a542d27bca93c1b008293ddb5b8048

      SHA256

      73273191ff57825b6a32c776e2ac29800aec5febc70ea64c3d5128abcf7b49df

      SHA512

      2b9436b060254485b71e7570705009269e03aa8e78b7cb6020986d781cf718fba89457944fce7d32a71df8b24a795e3bcfb4ed097078b732a5748c1f8238ba57

    • memory/2144-133-0x0000000000400000-0x0000000000415000-memory.dmp
      Filesize

      84KB

    • memory/2144-163-0x0000000000400000-0x0000000000415000-memory.dmp
      Filesize

      84KB

    • memory/3896-172-0x0000000005970000-0x0000000006431000-memory.dmp
      Filesize

      10.8MB

    • memory/4020-174-0x0000000010000000-0x0000000010191000-memory.dmp
      Filesize

      1.6MB
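The memory dump names in the Downloads section encode a PID and an address range, which lets the listed Filesize values be cross-checked and the regions sitting at conventional PE image bases picked out for a first look in a PE parser. This is an added example, not part of the Triage report: the dump list is copied from above, the `CONVENTIONAL_BASES` heuristic and the size-formatting rule are assumptions of mine, and the meaning of the middle number in each name is not documented on the page, so it is only carried through.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Name format used in the Downloads section: memory/<pid>-<n>-<start>-<end>-memory.dmp.
# The middle <n> is an index assigned by the sandbox; its exact meaning is not documented
# on the page, so it is only carried through here.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Heuristic (not from the report): default link-time image bases of 32-bit PE files that
# were not relocated. A dumped region beginning exactly at one of these is a good
# candidate for a mapped or manually loaded PE and worth checking for an 'MZ' header.
CONVENTIONAL_BASES = {
    0x00400000: "32-bit EXE default image base",
    0x10000000: "32-bit DLL default image base",
}


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def base_hint(self) -> Optional[str]:
        return CONVENTIONAL_BASES.get(self.start)


def parse_dump_name(name: str) -> Region:
    """Parse one memory dump name; raises ValueError on anything else."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return Region(int(m["pid"]), int(m["n"]), int(m["start"], 16), int(m["end"], 16))


def human_size(n: int) -> str:
    """Format bytes the way the report does: one decimal, trailing .0 dropped (84KB, 10.8MB)."""
    def fmt(x: float) -> str:
        s = f"{x:.1f}"
        return s[:-2] if s.endswith(".0") else s
    if n >= 1024 ** 2:
        return fmt(n / 1024 ** 2) + "MB"
    if n >= 1024:
        return fmt(n / 1024) + "KB"
    return f"{n}B"


# Constructed from the report's Downloads section: dump name and the Filesize shown for it.
REPORT_DUMPS: List[Tuple[str, str]] = [
    ("memory/2144-133-0x0000000000400000-0x0000000000415000-memory.dmp", "84KB"),
    ("memory/2144-163-0x0000000000400000-0x0000000000415000-memory.dmp", "84KB"),
    ("memory/3896-172-0x0000000005970000-0x0000000006431000-memory.dmp", "10.8MB"),
    ("memory/4020-174-0x0000000010000000-0x0000000010191000-memory.dmp", "1.6MB"),
]


def check_reported(entries: List[Tuple[str, str]]) -> List[str]:
    """Return one message per dump whose address range disagrees with the listed Filesize."""
    problems = []
    for name, listed in entries:
        r = parse_dump_name(name)
        computed = human_size(r.size)
        if computed != listed:
            problems.append(f"{name}: range gives {computed}, report lists {listed}")
    return problems


def regions_at_image_bases(entries: List[Tuple[str, str]]) -> List[Region]:
    """Dumps that start at a conventional PE image base: the first ones to open in a PE parser."""
    return [r for r in (parse_dump_name(n) for n, _ in entries) if r.base_hint]


if __name__ == "__main__":
    for msg in check_reported(REPORT_DUMPS) or ["all listed sizes match their address ranges"]:
        print(msg)
    for r in regions_at_image_bases(REPORT_DUMPS):
        print(f"PID {r.pid}: 0x{r.start:08x}-0x{r.end:08x} ({human_size(r.size)}) {r.base_hint}")
```

For this report every listed size agrees with its address range, and the check picks out the two 0x400000 dumps of the sample (PID 2144) plus the 1.6MB region at 0x10000000 in 2.exe (PID 4020); that last one is where to look for an unpacked module, since UPX-packed and dropped-then-loaded code is what the signatures above describe.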