Overview

overview

10

Static

static

1

a1ee855e97...bf.exe

windows7-x64

8

a1ee855e97...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2023 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe

  • Size

    802KB

  • MD5

    43dc1d7eeef9b4ca0d455404b12c34c8

  • SHA1

    2e618174d09b00abc16d34bff7b646e036adf253

  • SHA256

    a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

  • SHA512

    b65a6542520ae094d8f9101d062339a997aa2eaed426e3aaa4c79145d97debf75062df334df4c02d874ebe15731e035bbf7b7cd0f55c248d4b6a45294c5c70c7

  • SSDEEP

    24576:Sny/f9uCOXP25JiBvuXwKhbBh4iv/IVVWX77Sj+ithPW1:XF0IJSmgaVhvv/IVKyj+d

Score
10/10
gh0stratpurplefoxaspackv2ratrootkittrojan

Malware Config

Extracted

Family

gh0strat

C2

190.92.242.47

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe
    "C:\Users\Admin\AppData\Local\Temp\a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4504
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe
        "C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe"
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:2960
      • C:\Users\Admin\AppData\Local\Temp\_config.exe
        "C:\Users\Admin\AppData\Local\Temp\_config.exe"
        3⤵
        • Executes dropped EXE
        PID:2984
  • C:\Windows\helppane.exe
    C:\Windows\helppane.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Users\Admin\AppData\Local\Temp\_config.exe
      "C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vdkqswy25A" /f
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vdkqswy25A" /f
        3⤵
          PID:4880

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
      Filesize

      1.1MB

      MD5

      4d4f8aea7be8e5f2372f6dbca75aa8ba

      SHA1

      5ca38dbc0188d1a93a043562f67cf4319ffdd24d

      SHA256

      75451351d739d060273d8f6985b42596e37fc7acc27130e44dee16c589c012e2

      SHA512

      78f35eeeac14b8a4aabff7909f8770f13397e7f892cc46f48575818ede272c2d2d40a9bd20466144cd0d9044713002205be72212187e231a966a109b8f761097

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
      Filesize

      1.1MB

      MD5

      4d4f8aea7be8e5f2372f6dbca75aa8ba

      SHA1

      5ca38dbc0188d1a93a043562f67cf4319ffdd24d

      SHA256

      75451351d739d060273d8f6985b42596e37fc7acc27130e44dee16c589c012e2

      SHA512

      78f35eeeac14b8a4aabff7909f8770f13397e7f892cc46f48575818ede272c2d2d40a9bd20466144cd0d9044713002205be72212187e231a966a109b8f761097

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
      Filesize

      1.1MB

      MD5

      4d4f8aea7be8e5f2372f6dbca75aa8ba

      SHA1

      5ca38dbc0188d1a93a043562f67cf4319ffdd24d

      SHA256

      75451351d739d060273d8f6985b42596e37fc7acc27130e44dee16c589c012e2

      SHA512

      78f35eeeac14b8a4aabff7909f8770f13397e7f892cc46f48575818ede272c2d2d40a9bd20466144cd0d9044713002205be72212187e231a966a109b8f761097

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK32.dll
      Filesize

      98KB

      MD5

      29e0b67635a30d87d929bc1614eff68f

      SHA1

      180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

      SHA256

      b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

      SHA512

      68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vmprotectsdk32.dll
      Filesize

      98KB

      MD5

      29e0b67635a30d87d929bc1614eff68f

      SHA1

      180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b

      SHA256

      b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e

      SHA512

      68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_config.exe
      Filesize

      82KB

      MD5

      cbbdef6c4d82eb4ff01ed43f1e641907

      SHA1

      722ba8786507f2cad599b11cdc4a139909f4f9f1

      SHA256

      37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

      SHA512

      6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_config.exe
      Filesize

      82KB

      MD5

      cbbdef6c4d82eb4ff01ed43f1e641907

      SHA1

      722ba8786507f2cad599b11cdc4a139909f4f9f1

      SHA256

      37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

      SHA512

      6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_config.exe
      Filesize

      82KB

      MD5

      cbbdef6c4d82eb4ff01ed43f1e641907

      SHA1

      722ba8786507f2cad599b11cdc4a139909f4f9f1

      SHA256

      37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4

      SHA512

      6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\_config.lnk
      Filesize

      2KB

      MD5

      1748623398aa1b75cf7243b95d5c6186

      SHA1

      32f1c83e77a8fede7a6eddd719aacdd05cf6a1ee

      SHA256

      650854637c0d79f65bebedc577d3c0971584f75bed3ff67a362b48d481c88de7

      SHA512

      623a1c19f56f9d7fe9707da617537855a906df26222514ce8b88e5765da0cf0c74c69f54d08ef806fcab4c3fdf6e12a36d81cedbacb57f78c9f4d4f19d00f280

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe
      Filesize

      4.6MB

      MD5

      9665de160f7695ba54117e9e3619564c

      SHA1

      7b49f7051f16188b14bf073c8e770ebbd005bdea

      SHA256

      cc68b5edae8acaaf394ae0b92b6199f83630b9d66ba60152f0db0aa849cb0ece

      SHA512

      5e035593ca524999b4b8dd275d754ef52f38de24c251699ed5179f2fcf5c12e7a92e1aea67bc52d22954c324afec786c894643b5a1dd7f0f2bc331c3fe32968b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe
      Filesize

      4.6MB

      MD5

      9665de160f7695ba54117e9e3619564c

      SHA1

      7b49f7051f16188b14bf073c8e770ebbd005bdea

      SHA256

      cc68b5edae8acaaf394ae0b92b6199f83630b9d66ba60152f0db0aa849cb0ece

      SHA512

      5e035593ca524999b4b8dd275d754ef52f38de24c251699ed5179f2fcf5c12e7a92e1aea67bc52d22954c324afec786c894643b5a1dd7f0f2bc331c3fe32968b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe
      Filesize

      4.6MB

      MD5

      9665de160f7695ba54117e9e3619564c

      SHA1

      7b49f7051f16188b14bf073c8e770ebbd005bdea

      SHA256

      cc68b5edae8acaaf394ae0b92b6199f83630b9d66ba60152f0db0aa849cb0ece

      SHA512

      5e035593ca524999b4b8dd275d754ef52f38de24c251699ed5179f2fcf5c12e7a92e1aea67bc52d22954c324afec786c894643b5a1dd7f0f2bc331c3fe32968b

      Download Submit
    • memory/1424-151-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-153-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-193-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-154-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1424-149-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-150-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-152-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1424-190-0x0000000000400000-0x0000000000719000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2960-173-0x0000000000400000-0x000000000060E000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2960-187-0x0000000000920000-0x000000000092E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2960-179-0x0000000010000000-0x0000000010192000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2960-175-0x0000000000400000-0x000000000060E000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2960-172-0x0000000000400000-0x000000000060E000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2960-194-0x0000000000400000-0x000000000060E000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/2960-195-0x0000000000920000-0x000000000092E000-memory.dmp
      Filesize

      56KB

      Download