Analysis
-
max time kernel
146s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
26-04-2023 09:53
General
-
Target
209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.exe
-
Size
940KB
-
MD5
c6d42e472da07b2416d8cf3fc53c1d72
-
SHA1
14ce51b4db350ee4b4d27b8345ba9c54eb451e39
-
SHA256
209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2
-
SHA512
d6483329d18c460f2fe35deb88db54d4ddd15d3687b1528aabda3cbe8f1410e2ad8358a01daa6f709919411d04d92a05a037c125f7728d4b8f3736e6f35ce666
-
SSDEEP
24576:uyVctzwg4HziULzs2CVUaAupwS0Bj9CjIv9dVrG3h:uyCtzCTiwCJiKjInVr
Malware Config
Signatures
-
Detect PurpleFox Rootkit 6 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
VMProtect packed file 7 IoCs
Detects executables packed with VMProtect commercial packer.
-
Drops file in System32 directory 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.exe"C:\Users\Admin\AppData\Local\Temp\209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\209B83~1.EXE > nul2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\GSkcsk.exeC:\Windows\SysWOW64\GSkcsk.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\GSkcsk.exeC:\Windows\SysWOW64\GSkcsk.exe -acsi2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\GSkcsk.exeFilesize
940KB
MD5c6d42e472da07b2416d8cf3fc53c1d72
SHA114ce51b4db350ee4b4d27b8345ba9c54eb451e39
SHA256209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2
SHA512d6483329d18c460f2fe35deb88db54d4ddd15d3687b1528aabda3cbe8f1410e2ad8358a01daa6f709919411d04d92a05a037c125f7728d4b8f3736e6f35ce666
-
C:\Windows\SysWOW64\GSkcsk.exeFilesize
940KB
MD5c6d42e472da07b2416d8cf3fc53c1d72
SHA114ce51b4db350ee4b4d27b8345ba9c54eb451e39
SHA256209b830eaa3deaf113291266d72d05ab83d8c9719a50dc0ea12202adc64a07c2
SHA512d6483329d18c460f2fe35deb88db54d4ddd15d3687b1528aabda3cbe8f1410e2ad8358a01daa6f709919411d04d92a05a037c125f7728d4b8f3736e6f35ce666
-
memory/1172-80-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/1172-86-0x0000000000400000-0x0000000000683000-memory.dmpFilesize
2.5MB
-
memory/1272-78-0x0000000000400000-0x0000000000683000-memory.dmpFilesize
2.5MB
-
memory/1708-54-0x0000000000400000-0x0000000000683000-memory.dmpFilesize
2.5MB
-
memory/1708-56-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/1708-64-0x0000000000400000-0x0000000000683000-memory.dmpFilesize
2.5MB
-
memory/1708-76-0x0000000000400000-0x0000000000683000-memory.dmpFilesize
2.5MB