Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-08-2023 14:42

General

  • Target

    3cdec22c48d661c8e7143f5b371ba05029766b184ab0c9ba19b28ee20598a791.exe

  • Size

    1.4MB

  • MD5

    79e9999e83c40de7f976d844caf26b41

  • SHA1

    0ec2e0948db6e410a74230e1278402f1497490c6

  • SHA256

    3cdec22c48d661c8e7143f5b371ba05029766b184ab0c9ba19b28ee20598a791

  • SHA512

    c67467bd41fca1aa1ce0ccdcc3824ccebc73778514f4b353a9143e2d7a20dfea751c1b9e99f0a2bff23d1134983bdeba34a9d206203a610e93fd20f7e56b7355

  • SSDEEP

    24576:GgZXoZUTVdt7Kzkec+SX18gEEg9gfAtXC2wc4q2B9O5+KUXaqGEKGe9RawiJqTW9:dv8SX18gE99gfAtAxl1rPGz9YwPBa

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Sets file to hidden 1 TTPs 3 IoCs

    Modifies file attributes so that the file is not shown in Explorer and similar tools.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cdec22c48d661c8e7143f5b371ba05029766b184ab0c9ba19b28ee20598a791.exe
    "C:\Users\Admin\AppData\Local\Temp\3cdec22c48d661c8e7143f5b371ba05029766b184ab0c9ba19b28ee20598a791.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Public\Documents\zou\hhgg.exe
      "C:\Users\Public\Documents\zou\hhgg.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4528
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\Documents\zou\init.vbe"
        3⤵
        PID:4680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\System32\cmd.exe /c attrib +r +s +h "C:\Windows._cfg" & attrib +r +s +h "C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}" & attrib +r +s +h "C:\Windows._cfg\{0D6ED85F-9713-4cb4-AC5B-2626B6BA97FE}"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +s +h "C:\Windows._cfg"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3132
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +s +h "C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1932
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +s +h "C:\Windows._cfg\{0D6ED85F-9713-4cb4-AC5B-2626B6BA97FE}"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:3664
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c timeout /t 2 /nobreak > NUL && echo 123 > "C:\Users\Public\Documents\zou\dyupdate.dll" && echo 000 > "C:\Users\Public\Documents\zou\dyupdate.dll" && echo ... > "C:\Users\Public\Documents\zou\dyupdate.dll" && del "C:\Users\Public\Documents\zou\dyupdate.dll" "C:\Users\Public\Documents\zou\hhgg.exe" > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2948
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 2 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:4980
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1788
  • C:\Windows\System32\fodhelper.exe
    "C:\Windows\System32\fodhelper.exe"
    1⤵
    PID:456
  • C:\Windows\system32\SystemSettingsAdminFlows.exe
    "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
    1⤵
    PID:3296
  • C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}\svchost.exe
    "C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}\svchost.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3048
    • \??\c:\windows\SysWOW64\cmd.exe
      c:\windows\system32\cmd.exe /c "C:\Windows._cfg\{46D56453-4279-4fd6-9767-3C21557AE1B6}.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist /fi "PID eq 3048"
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3228
      • C:\Windows\SysWOW64\findstr.exe
        findstr /i "svchost"
        3⤵
        PID:4664
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 90
        3⤵
        • Delays execution with timeout.exe
        PID:4496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Documents\zou\dyupdate.dll

    Filesize

    1.8MB

    MD5

    a0d9a6b3ae5caf74cfdc29848a66756d

    SHA1

    45c24398490bf7442b79527aeef847f4b2c1c119

    SHA256

    d674af06234a7cf196232e510bf93d8e5b7a6ec4e12ec70d328980a98ba460d4

    SHA512

    9e564a99efa50d08855d6b8f658430223d002a657af3e6864f782f232f66c75dc625b27ac978d7829b96aab4396a8249c57239c582a421181441fcadb68fb1ca

  • C:\Users\Public\Documents\zou\hhgg.exe

    Filesize

    398KB

    MD5

    cb1f2b5c91dd23a585fd2c233928b276

    SHA1

    def12cafb0b8ba0ace578d53f0ff7e868bea73f5

    SHA256

    0495073a7c2760c00edbba787e8dec323e2ee6464666994750b286dbb9b6d1ac

    SHA512

    9dad230d6b3746a638068df53faa9bf1ae714582a1d9ad606f86c2390060452191c8af36179fea2d8b9be5ecd5df7156fb0bef27e3b05cee98e7497375c77a86

  • C:\Users\Public\Documents\zou\init.vbe

    Filesize

    1KB

    MD5

    6e440a127992644025b4a8b26d14acc4

    SHA1

    c6a8807cd2413df549bdced73924770f9e74bc7d

    SHA256

    b5eaa1fd72490157fcacc85e5987c8a744c91053e66f92799df8356644f61eb8

    SHA512

    d53f6beba4c64fbd30eac142e222b3eb680d3f660247802adb1439ac95e399107fb92612fac4380ab9c1e761b51b424de05dd6e056cdc5eef4fbf08736038c0c

  • C:\Users\Public\Documents\zou\videotools.dll

    Filesize

    29KB

    MD5

    f59db332e9973bf3041ade789023ae5c

    SHA1

    67c0684f1891ba88613fb6a100bb64c98ab6af55

    SHA256

    8806f7e6deef2e789a5e4f7c5ef2f787a79ab243ab38703f8be5f1f7e188f517

    SHA512

    56b16bac7bbb13a2d5aac1796d13322c3c4f1ff47c28520cd9a39e489e56d824d5643a49bcbd9b4aee8ea0136423574498c00f159c5d4586df22e2541e84f037

  • C:\Windows._cfg\{46D56453-4279-4fd6-9767-3C21557AE1B6}.cmd

    Filesize

    251B

    MD5

    2d899a53bdd8980999d3d63ace3201f7

    SHA1

    ab41fac1d036b4b9a7ee7416f131a58b7e181d60

    SHA256

    2d62c0e55ff5a6d840c32229fbf312d048ac462eff1f616bad37fd09e63443b7

    SHA512

    1e9f189af88ac072a2ccc2908fc0b140bee20bf3060a20937500792413345fb40dfd07dfd0724e1164fd8d339026141f637f27f4b4de8890c4522a3c71073f62

  • C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}\dyupdate.dll

    Filesize

    1.8MB

    MD5

    a0d9a6b3ae5caf74cfdc29848a66756d

    SHA1

    45c24398490bf7442b79527aeef847f4b2c1c119

    SHA256

    d674af06234a7cf196232e510bf93d8e5b7a6ec4e12ec70d328980a98ba460d4

    SHA512

    9e564a99efa50d08855d6b8f658430223d002a657af3e6864f782f232f66c75dc625b27ac978d7829b96aab4396a8249c57239c582a421181441fcadb68fb1ca

  • C:\Windows._cfg\{DF4403DC-D2B3-468d-8028-E60D0CD32BBE}\svchost.exe

    Filesize

    398KB

    MD5

    cb1f2b5c91dd23a585fd2c233928b276

    SHA1

    def12cafb0b8ba0ace578d53f0ff7e868bea73f5

    SHA256

    0495073a7c2760c00edbba787e8dec323e2ee6464666994750b286dbb9b6d1ac

    SHA512

    9dad230d6b3746a638068df53faa9bf1ae714582a1d9ad606f86c2390060452191c8af36179fea2d8b9be5ecd5df7156fb0bef27e3b05cee98e7497375c77a86

  • memory/3048-199-0x0000000002E00000-0x0000000002F92000-memory.dmp

    Filesize

    1.6MB

  • memory/3048-203-0x00000000029D0000-0x0000000002A05000-memory.dmp

    Filesize

    212KB

  • memory/3048-202-0x0000000002E00000-0x0000000002F92000-memory.dmp

    Filesize

    1.6MB

  • memory/3048-195-0x00000000029D0000-0x0000000002A05000-memory.dmp

    Filesize

    212KB

  • memory/3048-204-0x0000000002E00000-0x0000000002F92000-memory.dmp

    Filesize

    1.6MB

  • memory/3048-198-0x0000000002A30000-0x0000000002AAA000-memory.dmp

    Filesize

    488KB

  • memory/4528-179-0x00000000032C0000-0x00000000032F5000-memory.dmp

    Filesize

    212KB

  • memory/4528-190-0x00000000032C0000-0x00000000032F5000-memory.dmp

    Filesize

    212KB

  • memory/4528-157-0x00000000032C0000-0x00000000032F5000-memory.dmp

    Filesize

    212KB

  • memory/4528-156-0x0000000001650000-0x000000000166F000-memory.dmp

    Filesize

    124KB