Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 05:59

Static task: static1
Behavioral task: behavioral1
Sample: db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Resource: win7-20230712-en
General
Target: db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Size: 1.7MB
MD5: 3464eb3eb4650b9bdcfa0d0eea6ca068
SHA1: 755c1bf6eb3e548e6f8def56f3860e2ee7bad48e
SHA256: db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990
SHA512: 58a82f92a7d98f92bf437c8c56d3b1d3f1c094788526cb1350d0a64b4f4ca162d42b6b3d6d1961dce221431f41e3e0de93ef27a7db91832959cb354a6db7cfd3
SSDEEP: 49152:dQZAdVyVT9n/Gg0P+Who6wTh4yEQncvij:GGdVyVT9nOgmhXwTh4fQV
Malware Config
Signatures
purplefox_rootkit yara matches 10 IoCs
resource (yara_rule: purplefox_rootkit)
- behavioral2/memory/2172-140-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-139-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-141-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-162-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-163-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-164-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-171-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-215-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-218-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-220-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0st RAT payload 11 IoCs
resource (yara_rule: family_gh0strat)
- behavioral2/memory/2172-140-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-139-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-141-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/files/0x00060000000231f6-154.dat
- behavioral2/memory/4240-162-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-163-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-164-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-171-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-215-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-218-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-220-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 5 IoCs
pid | Process
2172 | svchost.exe
4240 | TXPlatforn.exe
1204 | svchos.exe
216 | HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
4200 | TXPlatforn.exe
Loads dropped DLL 1 IoCs
pid | Process
1204 | svchos.exe
upx yara matches 16 IoCs
resource (yara_rule: upx)
- behavioral2/memory/2172-137-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-140-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-139-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-141-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/files/0x00060000000231f5-160.dat
- behavioral2/memory/216-161-0x0000000000400000-0x0000000000546000-memory.dmp
- behavioral2/memory/4240-162-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-163-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2172-164-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4240-171-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/files/0x00060000000231f5-182.dat
- behavioral2/memory/216-214-0x0000000000400000-0x0000000000546000-memory.dmp
- behavioral2/memory/4240-150-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-215-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-218-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/4200-220-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240612640.txt | svchos.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
5052 | 1204 | WerFault.exe | 83
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1696 | PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
4200 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2172 | svchost.exe
Token: SeLoadDriverPrivilege | 4200 | TXPlatforn.exe
Token: 33 | 4200 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4200 | TXPlatforn.exe
Token: 33 | 4200 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4200 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 1392 wrote to memory of 2172 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 81
PID 1392 wrote to memory of 2172 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 81
PID 1392 wrote to memory of 2172 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 81
PID 1392 wrote to memory of 1204 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 83
PID 1392 wrote to memory of 1204 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 83
PID 1392 wrote to memory of 1204 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 83
PID 1392 wrote to memory of 216 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 91
PID 1392 wrote to memory of 216 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 91
PID 1392 wrote to memory of 216 | 1392 | db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe | 91
PID 2172 wrote to memory of 4992 | 2172 | svchost.exe | 86
PID 2172 wrote to memory of 4992 | 2172 | svchost.exe | 86
PID 2172 wrote to memory of 4992 | 2172 | svchost.exe | 86
PID 4240 wrote to memory of 4200 | 4240 | TXPlatforn.exe | 87
PID 4240 wrote to memory of 4200 | 4240 | TXPlatforn.exe | 87
PID 4240 wrote to memory of 4200 | 4240 | TXPlatforn.exe | 87
PID 4992 wrote to memory of 1696 | 4992 | cmd.exe | 92
PID 4992 wrote to memory of 1696 | 4992 | cmd.exe | 92
PID 4992 wrote to memory of 1696 | 4992 | cmd.exe | 92
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe"
  PID: 1392
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2172
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          PID: 4992
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              command line: ping -n 2 127.0.0.1
              PID: 1696
              - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\svchos.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 1204
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 464
          PID: 5052
          - Program crash

    C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
      command line: C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
      PID: 216
      - Executes dropped EXE

C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  PID: 4240
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TXPlatforn.exe
      command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 4200
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1204 -ip 1204
  PID: 4156
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.4MB
MD5: 5cedaff71e6e0bc0f5bff7aead2023ad
SHA1: 2a0576b588d433ebf297ae148a8e162eeca88e43
SHA256: 39b2856c0f880da2e36f2e2ef8d6b5d1a18fef13385ee7b60fc2be159c3ec3bc
SHA512: c580055258e8609a5fdb07d2d0167c9919f7e13af761549bf752074770853db4a7d84df13a51e268f610d917fe41b4232c6d4cf7bb5b8bd28860ba8ce4dfe20d

C:\Users\Admin\AppData\Local\Temp\HD_db90bba81fb096a26ed09cdf0285ac77d81e3c607ff53d7b5b82f84c39f8e990.exe
Filesize: 260KB
MD5: 9d5599e6ebd2fddc068bfa56b2117649
SHA1: 37613d93a85431bc74b6fbf123247c8f686a2a25
SHA256: 7fab28fb1682255b9b13d68e5987e8e2660bad8f1fc1e450d5b63564de77aae3
SHA512: 094f1b29b09668ecd34719fd62c682684e28c7f52d64aaa8472431f3a9792f74d72da03ad395a4ac2f4ff2205d2f10caf4cc3c8bd6478955a7121bf7d26b7742

Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Filesize: 50KB
MD5: fb82e07cb3a53c242a0cdb5ef98ac031
SHA1: e5014296741d987b542475a0447f76980f00ae34
SHA256: 8e8d0e73220e80394e41886dce54b03a21c049bc19e4fbe392c90ea37028527b
SHA512: 1af7476c5ffac9c53ec2d7a6da03175ba624d1e33015d447b11c2d55a74ff0639c5ebd80529575dd034d4771e8c2af9ecd9f5da7e9cc74761b78caddce8ff6dd