Analysis
max time kernel: 2s
max time network: 3s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2023, 05:56
Static task: static1
Behavioral task: behavioral1
Sample: 219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe
Resource: win7-20230712-en
General
Target: 219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe
Size: 4.9MB
MD5: 288e2d33efe92c021914340925ea7157
SHA1: 5520b83a25eae4f092108e48a19150c87494ae24
SHA256: 219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd
SHA512: 7d1e36eb3231ad3d4a315e9e05adf4cadca144bde81fdc0f506b72bb0820ac97ba475c78c3b049a1bc204080eb64010dd39ee9444bd6f85fa6fc0417f4495403
SSDEEP: 49152:oQZAdVyVT9n/Gg0P+WhoBQObXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4O8w:BGdVyVT9nOgmhVObXsPN5kiQaZ56
Malware Config
Signatures

PurpleFox rootkit payload (YARA rule purplefox_rootkit) 2 IoCs
resource                                                                      yara_rule
behavioral1/memory/2808-63-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
behavioral1/memory/2808-61-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit

Gh0st RAT payload 4 IoCs
resource                                                                      yara_rule
behavioral1/memory/2808-62-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
behavioral1/memory/2808-63-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
behavioral1/memory/2808-61-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
behavioral1/memory/2924-71-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat

Executes dropped EXE 2 IoCs
pid    Process
2808   svchost.exe
2924   TXPlatforn.exe

Loads dropped DLL 1 IoCs
pid    Process
2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe

UPX-packed memory regions (YARA rule upx) 5 IoCs
resource                                                                      yara_rule
behavioral1/memory/2808-59-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2808-62-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2808-63-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2808-61-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2924-71-0x0000000010000000-0x00000000101B6000-memory.dmp   upx

Drops file in System32 directory 2 IoCs
description                    ioc                                   Process
File created                   C:\Windows\SysWOW64\TXPlatforn.exe    svchost.exe
File opened for modification   C:\Windows\SysWOW64\TXPlatforn.exe    svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe
2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe

Suspicious use of WriteProcessMemory 7 IoCs
description                          pid    Process                                                                 procid_target
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
PID 2296 wrote to memory of 2808     2296   219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe   28
Processes

1. C:\Users\Admin\AppData\Local\Temp\219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe"
   PID: 2296
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2808
      - Executes dropped EXE
      - Drops file in System32 directory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
         PID: 2820

1. C:\Windows\SysWOW64\TXPlatforn.exe
   command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
   PID: 2924
   - Executes dropped EXE

   2. C:\Windows\SysWOW64\TXPlatforn.exe
      command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 2976
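The process tree above carries three behaviours worth hunting for on live hosts: a dropped binary named svchost.exe running from the user's Temp directory instead of System32, a cmd.exe child that waits on `ping -n 2 127.0.0.1` and then deletes its own parent's image, and TXPlatforn.exe re-launching its own image with a different switch (-auto, then -acsi). The script below is an added example, not sandbox output and not part of the report: it runs those three checks over process-creation records in the shape of Sysmon Event ID 1 (PID, parent PID, image path, command line). The event list is constructed from the tree above; the parent PID 4 given to the two root processes and the benign services.exe-launched svchost.exe control row are assumptions for the demonstration.

```python
"""Hunt for the dropper behaviour chain seen in the sandbox process tree.

Constructed example: the event records are modelled on the report's
process tree, not exported from the sandbox.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # full command line as logged


# Directories where a binary called svchost.exe is legitimately expected.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# "ping -n N 127.0.0.1 ... && del <file>": the classic self-delete delay.
SELF_DELETE = re.compile(
    r"ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+(?:/\S+\s+)*(\S+)",
    re.IGNORECASE,
)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\219f240faea311a26df9689248069e174368e819cf1156a2afb8ab6e42d735bd.exe")

# Constructed events: PIDs, paths and command lines come from the report;
# the parent PID 4 of the two roots and the benign row (PID 600) are assumed.
EVENTS = [
    ProcEvent(2296, 4, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2808, 2296, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
              r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    ProcEvent(2820, 2808, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && "
              r"del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    ProcEvent(2924, 4, r"C:\Windows\SysWOW64\TXPlatforn.exe",
              r"C:\Windows\SysWOW64\TXPlatforn.exe -auto"),
    ProcEvent(2976, 2924, r"C:\Windows\SysWOW64\TXPlatforn.exe",
              r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi"),
    # Benign control: the real service host started by services.exe.
    ProcEvent(600, 480, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def _norm(path: str) -> str:
    """Case-fold a Windows path and drop surrounding quotes."""
    return path.strip('"').lower()


def _args(e: ProcEvent) -> str:
    """Everything after the image token on the command line."""
    parts = e.cmdline.split(maxsplit=1)
    return parts[1] if len(parts) > 1 else ""


def find_self_deletion(events):
    """cmd.exe 'ping ... && del <file>'; flags True when <file> is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if ntpath.basename(_norm(e.image)) != "cmd.exe":
            continue
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        target = _norm(m.group(1))
        parent = by_pid.get(e.ppid)
        deletes_parent = parent is not None and _norm(parent.image) == target
        hits.append(("delayed_delete", e.pid, target, deletes_parent))
    return hits


def find_masquerading_system_binaries(events, names=("svchost.exe",)):
    """System-binary names executing outside System32/SysWOW64."""
    hits = []
    for e in events:
        p = _norm(e.image)
        if ntpath.basename(p) in names and ntpath.dirname(p) not in SYSTEM_DIRS:
            hits.append(("masquerade", e.pid, e.image))
    return hits


def find_self_respawn(events):
    """A process launching its own image with different arguments (-auto -> -acsi)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and _norm(parent.image) == _norm(e.image) and parent.cmdline != e.cmdline:
            hits.append(("self_respawn", parent.pid, e.pid, _args(e)))
    return hits


def triage(events):
    """All findings for one batch of process-creation events."""
    return (find_self_deletion(events)
            + find_masquerading_system_binaries(events)
            + find_self_respawn(events))


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

Each rule keys on the parent/child relationship rather than on the filename TXPlatforn.exe, so the same checks fire on other droppers that use the ping-and-del idiom or respawn themselves with a service-style switch; the hash-based IoCs from the report are the narrower, faster match and belong in a separate blocklist.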
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208