Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
03-04-2023 14:50
General
-
Target
5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll
-
Size
16KB
-
MD5
4b93403aa76bc215e41544050406b18f
-
SHA1
8667a7098d119e9da706a135836c4f3e55872f17
-
SHA256
5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994
-
SHA512
883a40659012ec0b4678edf576b30e4936725bf1d9d802a30aa8d91fd7e61b5d8987003fc10c20629a8c0894ae2815077f96b1a798523a193bc5e22c3178d3dd
-
SSDEEP
192:1OIt31YVamI3X3PGR6yIM402ZJZ8d9iiiiiiiTSNNVJ8im6XS+XSyyd:1V91fm4nPG57qjCdiwNVvSmSy
Malware Config
Signatures
-
Detect PurpleFox Rootkit 5 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Blocklisted process makes network request 8 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 11 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll,#12⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe C:\Users\Public\Downloads\1.JPG3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im hh.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im hh.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Downloads\1.JPG" /ForceBootstrapPaint3D2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\bScreen.dllFilesize
399KB
MD507de1a5064bcc7a55fd5c6c59492b9a8
SHA1f38a752ed7303798d55d41b9cd938b6789261be5
SHA256011cc062733e526c3ac051e9bc02535499023e4d22d313477e50bd9ecc42a10d
SHA5129e595be498a8ef04f8700219cc5757b39a47d8e89da0c4c34f0addbcaa3386d6dd9fdb47a07dda5d0e7ee746e25317912d0daf23db85127ec5be1f93b6452b20
-
C:\Users\Public\Downloads\1.JPGFilesize
102KB
MD5e0e247b326e27324551e1514e6815f7d
SHA16bc8e157ab59c032fc5b28f5c573d462dcef54c2
SHA2560eee81df330948e743bba1bd68ef0b00febfd44cdd6d0ace41ca74cdafc5c39d
SHA512579efdd583953e398eab9160a7d2584a4db88c00213f3d7ce4b4cb3019fd603dca466704a20305e4fa8320bac2f3b99429295dab2ef843a1b308f3be7f998c4a
-
memory/2800-159-0x0000000002FF0000-0x000000000303F000-memory.dmpFilesize
316KB
-
memory/2800-240-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/2800-229-0x0000000003570000-0x00000000035E4000-memory.dmpFilesize
464KB
-
memory/2800-167-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/2800-164-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/2800-165-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/2800-163-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/2800-160-0x0000000010000000-0x0000000010040000-memory.dmpFilesize
256KB
-
memory/3780-151-0x000001FFA15A0000-0x000001FFA15A1000-memory.dmpFilesize
4KB
-
memory/3780-157-0x000001FFA1630000-0x000001FFA1631000-memory.dmpFilesize
4KB
-
memory/3780-156-0x000001FFA1630000-0x000001FFA1631000-memory.dmpFilesize
4KB
-
memory/3780-155-0x000001FFA1630000-0x000001FFA1631000-memory.dmpFilesize
4KB
-
memory/3780-154-0x000001FFA1630000-0x000001FFA1631000-memory.dmpFilesize
4KB
-
memory/3780-153-0x000001FFA15A0000-0x000001FFA15A1000-memory.dmpFilesize
4KB
-
memory/3780-149-0x000001FFA1520000-0x000001FFA1521000-memory.dmpFilesize
4KB
-
memory/3780-142-0x000001FF99260000-0x000001FF99270000-memory.dmpFilesize
64KB
-
memory/3780-138-0x000001FF98990000-0x000001FF989A0000-memory.dmpFilesize
64KB
