Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
18-04-2023 01:21
General
-
Target
07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
-
Size
132KB
-
MD5
1148d4f4f27067471f705cf7225a53ba
-
SHA1
fe93f393ab9bbb2ea02dd9145fffebfc6b02d4fb
-
SHA256
07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916
-
SHA512
78bc4d21ee5ce684108fee9bb0230af5c899e5fee38a1e4740249dc8a7350c6b5cf7b9c953953cf080b0bef5ecec77089cc5b4503dde42504ba04aa800728610
-
SSDEEP
1536:kgT/0TkbIjdWdPfBjlXhkep45JPkqi0BmVL:ku8TkbkdW7jlXhk1kqOV
Malware Config
Signatures
-
Detect PurpleFox Rootkit 1 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 1 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe"C:\Users\Admin\AppData\Local\Temp\07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\homo\2.exe"C:\ProgramData\homo\2.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\homo\test.exe"C:\ProgramData\homo\test.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c start C:\ProgramData\1145143⤵
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\homo\2.exeFilesize
1.2MB
MD549e4f42ff5b6ddc6e59342894b4063be
SHA13adbe0b8cd2898800ebce17b62f7340e0de01f72
SHA2561dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
SHA512e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
-
C:\ProgramData\homo\2.exeFilesize
1.2MB
MD549e4f42ff5b6ddc6e59342894b4063be
SHA13adbe0b8cd2898800ebce17b62f7340e0de01f72
SHA2561dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
SHA512e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
-
C:\ProgramData\homo\test.exeFilesize
306KB
MD5f8433adc6f530d8f757d621e4b2447e9
SHA1d853543836b4cd58c6da4cc8cde576f0a04ac613
SHA25685594116b61a6eaadb6331a8c7cb1d4d09f279dc62d94a1697b567a1377d24a5
SHA5127c1fb8b3ff88145d0d0abe17e53f1135b7cc655426b7a118ec836d91787529c7a4c3ad9bd89bb602d5168486504a61283abe4d614f134e9ab4f95d246c86f3f4
-
C:\ProgramData\homo\test.exeFilesize
306KB
MD5f8433adc6f530d8f757d621e4b2447e9
SHA1d853543836b4cd58c6da4cc8cde576f0a04ac613
SHA25685594116b61a6eaadb6331a8c7cb1d4d09f279dc62d94a1697b567a1377d24a5
SHA5127c1fb8b3ff88145d0d0abe17e53f1135b7cc655426b7a118ec836d91787529c7a4c3ad9bd89bb602d5168486504a61283abe4d614f134e9ab4f95d246c86f3f4
-
\ProgramData\homo\2.exeFilesize
1.2MB
MD549e4f42ff5b6ddc6e59342894b4063be
SHA13adbe0b8cd2898800ebce17b62f7340e0de01f72
SHA2561dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
SHA512e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
-
\ProgramData\homo\2.exeFilesize
1.2MB
MD549e4f42ff5b6ddc6e59342894b4063be
SHA13adbe0b8cd2898800ebce17b62f7340e0de01f72
SHA2561dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
SHA512e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
-
\ProgramData\homo\test.exeFilesize
306KB
MD5f8433adc6f530d8f757d621e4b2447e9
SHA1d853543836b4cd58c6da4cc8cde576f0a04ac613
SHA25685594116b61a6eaadb6331a8c7cb1d4d09f279dc62d94a1697b567a1377d24a5
SHA5127c1fb8b3ff88145d0d0abe17e53f1135b7cc655426b7a118ec836d91787529c7a4c3ad9bd89bb602d5168486504a61283abe4d614f134e9ab4f95d246c86f3f4
-
memory/560-145-0x0000000010000000-0x0000000010191000-memory.dmpFilesize
1.6MB
-
memory/1744-125-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB
-
memory/1744-130-0x00000000049A0000-0x0000000004A20000-memory.dmpFilesize
512KB
-
memory/1744-151-0x00000000026A0000-0x00000000026A1000-memory.dmpFilesize
4KB