Overview

overview

10

Static

static

1

7346923522...89.exe

windows7-x64

10

7346923522...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-04-2023 20:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe

  • Size

    128KB

  • MD5

    365a35529ee435cddd9de32431afd12c

  • SHA1

    178ce858f68bb08e8bca4f9e2e8d2fe82ef3bf75

  • SHA256

    7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89

  • SHA512

    ffa8acf8161eac1861b963a160c58e7a92fde87485ab33812d3de8c8fcafdfefd0af5dab662191801c5b610b0c5b07fa17c4658df33575ca7a9a7e2c1fb74a2a

  • SSDEEP

    768:fbMwpn7mbSZseodBoPIvWChOdgOOfukK62dwLClrBjLJJt7qP+h4xATPqdfs2+ht:7p7mbS7tPfBjlXhkep45JPkqi0BURZ

Score
10/10
gh0stratpurplefoxratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe
    "C:\Users\Admin\AppData\Local\Temp\7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\ProgramData\homo\2.exe
      "C:\ProgramData\homo\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5012
    • C:\ProgramData\homo\test.exe
      "C:\ProgramData\homo\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\114514
        3⤵
        • Modifies registry class
        PID:1892
    • C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe
      "C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4368
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4212

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\homo\2.exe
      Filesize

      1.2MB

      MD5

      918c33c51930cc45c29cdea2a6e5598d

      SHA1

      3fb833638ed284de05f33ef4be292e51488da4e1

      SHA256

      fe0ff8ecdbfb96f47efa095af06ce0efce05a809e8b913a333986147b0cfb3fc

      SHA512

      7440b207f09d39c7b2fa2bb118a599fd2a45bb83ea646ad6ef54b2b2ad45ba663179b5a77a42b838f990ce333bf6841f1bab9056b35106261885a25ba911449c

      Download Submit
    • C:\ProgramData\homo\2.exe
      Filesize

      1.2MB

      MD5

      918c33c51930cc45c29cdea2a6e5598d

      SHA1

      3fb833638ed284de05f33ef4be292e51488da4e1

      SHA256

      fe0ff8ecdbfb96f47efa095af06ce0efce05a809e8b913a333986147b0cfb3fc

      SHA512

      7440b207f09d39c7b2fa2bb118a599fd2a45bb83ea646ad6ef54b2b2ad45ba663179b5a77a42b838f990ce333bf6841f1bab9056b35106261885a25ba911449c

      Download Submit
    • C:\ProgramData\homo\2.exe
      Filesize

      1.2MB

      MD5

      918c33c51930cc45c29cdea2a6e5598d

      SHA1

      3fb833638ed284de05f33ef4be292e51488da4e1

      SHA256

      fe0ff8ecdbfb96f47efa095af06ce0efce05a809e8b913a333986147b0cfb3fc

      SHA512

      7440b207f09d39c7b2fa2bb118a599fd2a45bb83ea646ad6ef54b2b2ad45ba663179b5a77a42b838f990ce333bf6841f1bab9056b35106261885a25ba911449c

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      339KB

      MD5

      6818b874ffa381f146aa488c187d5da9

      SHA1

      81cef46615817f40621cf902fcc545219a654bb5

      SHA256

      2a0e91e311ac78cd5b780db471c2c189a35f73ec4bfd800d807962a6b4ef97b5

      SHA512

      34f4e409a7d3047416867f8321db158e7b93faf152ff79f80de5fd275ce5267941c001a84d2f86362135b3fef10600b5e4e1fcf74aa7df4892f634d50e19380a

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      339KB

      MD5

      6818b874ffa381f146aa488c187d5da9

      SHA1

      81cef46615817f40621cf902fcc545219a654bb5

      SHA256

      2a0e91e311ac78cd5b780db471c2c189a35f73ec4bfd800d807962a6b4ef97b5

      SHA512

      34f4e409a7d3047416867f8321db158e7b93faf152ff79f80de5fd275ce5267941c001a84d2f86362135b3fef10600b5e4e1fcf74aa7df4892f634d50e19380a

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      339KB

      MD5

      6818b874ffa381f146aa488c187d5da9

      SHA1

      81cef46615817f40621cf902fcc545219a654bb5

      SHA256

      2a0e91e311ac78cd5b780db471c2c189a35f73ec4bfd800d807962a6b4ef97b5

      SHA512

      34f4e409a7d3047416867f8321db158e7b93faf152ff79f80de5fd275ce5267941c001a84d2f86362135b3fef10600b5e4e1fcf74aa7df4892f634d50e19380a

      Download Submit
    • C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe
      Filesize

      63.4MB

      MD5

      582af090673ae579d335bca6f06f4ff4

      SHA1

      c143b0e57bcff41415f130fc11d234321c08fdf0

      SHA256

      7613a27c9a4186345412410868b441730e0e25ec70f0401c79ae9d0f3f03b74f

      SHA512

      fc7d309b37ea6fa573b130f6fcd25fab05a40b9787dad21ffaf67dbf0b3e5ed29f25e81996b06f51e73975022872e60c5055eee55b974a1c74d92b3617df4a8e

      Download Submit
    • C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe
      Filesize

      63.4MB

      MD5

      582af090673ae579d335bca6f06f4ff4

      SHA1

      c143b0e57bcff41415f130fc11d234321c08fdf0

      SHA256

      7613a27c9a4186345412410868b441730e0e25ec70f0401c79ae9d0f3f03b74f

      SHA512

      fc7d309b37ea6fa573b130f6fcd25fab05a40b9787dad21ffaf67dbf0b3e5ed29f25e81996b06f51e73975022872e60c5055eee55b974a1c74d92b3617df4a8e

      Download Submit
    • C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe
      Filesize

      63.4MB

      MD5

      582af090673ae579d335bca6f06f4ff4

      SHA1

      c143b0e57bcff41415f130fc11d234321c08fdf0

      SHA256

      7613a27c9a4186345412410868b441730e0e25ec70f0401c79ae9d0f3f03b74f

      SHA512

      fc7d309b37ea6fa573b130f6fcd25fab05a40b9787dad21ffaf67dbf0b3e5ed29f25e81996b06f51e73975022872e60c5055eee55b974a1c74d92b3617df4a8e

      Download Submit
    • memory/4212-180-0x0000000004BB0000-0x0000000005307000-memory.dmp
      Filesize

      7.3MB

      Download
    • memory/5012-181-0x0000000010000000-0x0000000010191000-memory.dmp
      Filesize

      1.6MB

      Download