Overview

overview

10

Static

static

3

087e18811c...f7.exe

windows7-x64

10

087e18811c...f7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2023 19:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe

  • Size

    24KB

  • MD5

    bd08bf688aa1a6d46c1675b57110dd7b

  • SHA1

    27ace7f22287839bf704f40581e18563b3ae7038

  • SHA256

    087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7

  • SHA512

    5666dec348b4dfae38b00cfd03fb4bef0824d5c0bdc7d87095bf1d777194f279c2b369356f4560dce40f5080322db7e96c12b095c59a1791f48ca9d6268b41f9

  • SSDEEP

    192:h0lkFwtXjJQoOLqeCamZWRmqyRmgP1oyn0wW0//093j5ZG/XNTMfNWnxcc:5StXlQoCqCk1qwr096/XNTMfNWnxj

Score
10/10
gh0stratpurplefoxratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe
    "C:\Users\Admin\AppData\Local\Temp\087e18811cbf2011123edb351edb631da3917f65371b046e4b70137deb08d2f7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\ProgramData\homo\2.exe
      "C:\ProgramData\homo\2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:776
    • C:\ProgramData\homo\test.exe
      "C:\ProgramData\homo\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\114514
        3⤵
        • Modifies registry class
        PID:4884
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4896
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4300

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\homo\2.exe
      Filesize

      1.8MB

      MD5

      0322daf8494af68b414ca24cd707d0f9

      SHA1

      f9d329623dc471a54f98cdafc239d20cab5a06bf

      SHA256

      6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

      SHA512

      f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

      Download Submit
    • C:\ProgramData\homo\2.exe
      Filesize

      1.8MB

      MD5

      0322daf8494af68b414ca24cd707d0f9

      SHA1

      f9d329623dc471a54f98cdafc239d20cab5a06bf

      SHA256

      6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

      SHA512

      f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

      Download Submit
    • C:\ProgramData\homo\2.exe
      Filesize

      1.8MB

      MD5

      0322daf8494af68b414ca24cd707d0f9

      SHA1

      f9d329623dc471a54f98cdafc239d20cab5a06bf

      SHA256

      6bedffa305d107e107084f21888de7bc0c6846d161949f1bb9aa61fa58d1f8de

      SHA512

      f9cbc7843d1e56f2991ccc98e9ca2d2b857f48ed4f280ca48b96bf4e4bc4e0cde012653c8dd36d5ab2a671d652a264102b29a7086fe1d236c990d21b43b8ede2

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      194KB

      MD5

      51952555d3ecfd945774f0eec76b4089

      SHA1

      a834c93370c730cdec27e7b0cb60384c19635eb6

      SHA256

      fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

      SHA512

      35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      194KB

      MD5

      51952555d3ecfd945774f0eec76b4089

      SHA1

      a834c93370c730cdec27e7b0cb60384c19635eb6

      SHA256

      fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

      SHA512

      35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

      Download Submit
    • C:\ProgramData\homo\test.exe
      Filesize

      194KB

      MD5

      51952555d3ecfd945774f0eec76b4089

      SHA1

      a834c93370c730cdec27e7b0cb60384c19635eb6

      SHA256

      fd765b9af9198ea8487d849d433806a29f2cffcd8a0b5bf841a129cda9d312dd

      SHA512

      35f58225f72b62eabb00018f4bf7786b35b87578e8101736d7f5b3352cd54a377e6859cf39d65c811e1a2ffa36a84c91a2a9211e67ae991ba084f71b85ae8993

      Download Submit
    • memory/776-169-0x0000000010000000-0x0000000010191000-memory.dmp
      Filesize

      1.6MB

      Download