Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 05:58
Static task: static1
Behavioral task: behavioral1
Sample: 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
Resource: win7-20230712-en
General

Target: 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
Size: 1.7MB
MD5: ba699310acdeb6522a2cf3959654b765
SHA1: cf1911e70346e725d22badc8a4a99dcc52b88633
SHA256: 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40
SHA512: 785c43135e51d8693d17ef6322c7310f5b3bdccfd817c6a4d4fcd4c32421a19759bac4e9c64e49e2cbe20b4aa88bde7513f5b3583b68084e8c228c0ccb472159
SSDEEP: 24576:dQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cV7wT824v/4CFcKOHF:dQZAdVyVT9n/Gg0P+Who6wTh4RKHF
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/4468-140-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4468-141-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2896-149-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2896-150-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4468-155-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2896-162-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2976-166-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2976-169-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2976-170-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

Gh0st RAT payload | 11 IoCs
resource | yara_rule
behavioral2/memory/4468-140-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4468-139-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4468-141-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2896-149-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2896-150-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x000600000002320c-157.dat | family_gh0strat
behavioral2/memory/4468-155-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2896-162-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2976-166-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2976-169-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2976-170-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat

Drops file in Drivers directory | 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

Sets service image path in registry | 2 TTPs | 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe

Executes dropped EXE | 5 IoCs
pid | Process
4468 | svchost.exe
2896 | TXPlatforn.exe
5064 | svchos.exe
2976 | TXPlatforn.exe
3772 | HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe

Loads dropped DLL | 1 IoCs
pid | Process
5064 | svchos.exe

resource | yara_rule
behavioral2/memory/4468-137-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4468-140-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4468-139-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4468-141-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2896-146-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2896-149-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2896-150-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4468-155-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2896-162-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2976-166-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2976-169-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2976-170-0x0000000010000000-0x00000000101B6000-memory.dmp | upx

Drops file in System32 directory | 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240616562.txt | svchos.exe

Drops file in Program Files directory | 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe

Enumerates physical storage devices | 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash | 1 IoCs
pid | pid_target | Process | procid_target
864 | 5064 | WerFault.exe | 84

Runs ping.exe | 1 TTPs | 1 IoCs
pid | Process
2092 | PING.EXE

Suspicious behavior: EnumeratesProcesses | 2 IoCs
pid | Process
4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe

Suspicious behavior: LoadsDriver | 1 IoCs
pid | Process
2976 | TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken | 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 4468 | svchost.exe
Token: SeLoadDriverPrivilege | 2976 | TXPlatforn.exe
Token: 33 | 2976 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2976 | TXPlatforn.exe
Token: 33 | 2976 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2976 | TXPlatforn.exe

Suspicious use of SetWindowsHookEx | 2 IoCs
pid | Process
4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe

Suspicious use of WriteProcessMemory | 18 IoCs
description | pid | Process | procid_target
PID 4224 wrote to memory of 4468 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 82
PID 4224 wrote to memory of 4468 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 82
PID 4224 wrote to memory of 4468 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 82
PID 4468 wrote to memory of 3300 | 4468 | svchost.exe | 85
PID 4468 wrote to memory of 3300 | 4468 | svchost.exe | 85
PID 4468 wrote to memory of 3300 | 4468 | svchost.exe | 85
PID 4224 wrote to memory of 5064 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 84
PID 4224 wrote to memory of 5064 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 84
PID 4224 wrote to memory of 5064 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 84
PID 2896 wrote to memory of 2976 | 2896 | TXPlatforn.exe | 86
PID 2896 wrote to memory of 2976 | 2896 | TXPlatforn.exe | 86
PID 2896 wrote to memory of 2976 | 2896 | TXPlatforn.exe | 86
PID 3300 wrote to memory of 2092 | 3300 | cmd.exe | 90
PID 3300 wrote to memory of 2092 | 3300 | cmd.exe | 90
PID 3300 wrote to memory of 2092 | 3300 | cmd.exe | 90
PID 4224 wrote to memory of 3772 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 92
PID 4224 wrote to memory of 3772 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 92
PID 4224 wrote to memory of 3772 | 4224 | 03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe"
  PID: 4224
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 4468
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          PID: 3300
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 2 127.0.0.1
              PID: 2092
              - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\svchos.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 5064
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 228
          PID: 864
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
      PID: 3772
      - Executes dropped EXE

C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  PID: 2896
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TXPlatforn.exe
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 2976
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5064 -ip 5064
  PID: 4340
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\HD_03d73ef8b5ccf2a6d9825ca507d07259b5ecb50f6f56393e5b19ed34484b4d40.exe
Filesize: 317KB
MD5: ff83181fdff4572e4d21d3273b02e9f2
SHA1: 04cba441a09e9cb3dbfbc80039bc7fad57bd4791
SHA256: a87637db46b2076a44ca7399eb4d87a2fe0113147aa403b3b9c8ac7d365432f1
SHA512: 6f290a48f56e13db394ddb4f59e452dabe18130b90281a220f3c25a0595b4cd898c92dfa8a4c11c442ce371f67f3d52aeaa188c39858979b33ff803f4b388291

Filesize: 1.4MB
MD5: 5cedaff71e6e0bc0f5bff7aead2023ad
SHA1: 2a0576b588d433ebf297ae148a8e162eeca88e43
SHA256: 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc
SHA512: c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d

Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Filesize: 50KB
MD5: fb82e07cb3a53c242a0cdb5ef98ac031
SHA1: e5014296741d987b542475a0447f76980f00ae34
SHA256: 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b
SHA512: 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd