Analysis
max time kernel: 1s
max time network: 3s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted: 23/08/2023, 05:59
Static task: static1
Behavioral task: behavioral1
  Sample: 347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe
  Resource: win7-20230712-en
General
Target: 347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe
Size: 2.4MB
MD5: ff94a31988a0a656e6f0725a60462c9f
SHA1: e675c5d648186193d428072a4760a94738a682ec
SHA256: 347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed
SHA512: b36527c81ab20393f92ed945f26065ab6e86cb69d90035994092d3be7db36f321e5b883c9cbfc32a93a67f2f452293ed0e2faa3662173e578cb694cadf986b77
SSDEEP: 49152:/QZAdVyVT9n/Gg0P+WhoactbU446gfIKYpxqtYW+0Cc:4GdVyVT9nOgmhLMbU44Wq/3C
Malware Config
Signatures

purplefox_rootkit yara_rule match 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2804-62-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2804-63-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit

Gh0st RAT payload 3 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2804-62-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2804-63-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2364-71-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat

Executes dropped EXE 2 IoCs
  pid    Process
  2804   svchost.exe
  2364   TXPlatforn.exe

Loads dropped DLL 1 IoCs
  pid    Process
  1752   347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe

upx yara_rule match 4 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2804-59-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2804-62-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2804-63-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2364-71-0x0000000010000000-0x00000000101B6000-memory.dmp   upx

Drops file in System32 directory 2 IoCs
  description                    ioc                                  Process
  File created                   C:\Windows\SysWOW64\TXPlatforn.exe   svchost.exe
  File opened for modification   C:\Windows\SysWOW64\TXPlatforn.exe   svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
  description                          pid    Process
  Token: SeIncBasePriorityPrivilege    2804   svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs
  pid    Process
  1752   347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe
  1752   347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe

Suspicious use of WriteProcessMemory 7 IoCs
  description                        pid    Process                                                                 procid_target
  PID 1752 wrote to memory of 2804   1752   347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe   28
  (the same entry is recorded 7 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe"
   PID: 1752
   - Loads dropped DLL
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2804
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
         PID: 2956

1. C:\Windows\SysWOW64\TXPlatforn.exe
   command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
   PID: 2364
   - Executes dropped EXE
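The tree above records a common dropper sequence: the sample (PID 1752) writes into and launches a copy named svchost.exe from its own Temp directory (PID 2804), that copy drops TXPlatforn.exe into C:\Windows\SysWOW64 and then spawns cmd.exe (PID 2956) to wait on a loopback ping and delete the Temp svchost.exe, and TXPlatforn.exe later runs with -auto as a separate root (PID 2364). The Python below is an added example, not the sandbox's or the sample's code: it encodes three detections over process-creation events constructed from this tree. The event field names (Sysmon Event ID 1 style), the parent PIDs of the two roots (1200 and 480) and the benign svchost.exe control event (PID 900) are assumptions; PIDs, image paths and command lines of the other events are as recorded in the report.

```python
"""Process-tree detections for the dropper behaviour shown in this report.

Added example (not the sandbox's code). Events are constructed here in a
Sysmon Event ID 1 style; the field names, the parent PIDs of the two roots
(1200 and 480) and the benign control event (PID 900) are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable image
    cmdline: str  # command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "347c415b6388f9023525e571e31e2f060b3aa891574c9131b1b5aa517bbef7ed.exe"

# Constructed events mirroring the report's process tree (PIDs, paths and
# command lines as recorded there), plus one assumed-benign svchost.exe control.
EVENTS: List[ProcessEvent] = [
    ProcessEvent(1752, 1200, TEMP + "\\" + SAMPLE, '"' + TEMP + "\\" + SAMPLE + '"'),
    ProcessEvent(2804, 1752, TEMP + r"\svchost.exe", TEMP + r"\\svchost.exe"),
    ProcessEvent(2956, 2804, r"C:\Windows\SysWOW64\cmd.exe",
                 r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del "
                 + TEMP + r"\svchost.exe > nul"),
    ProcessEvent(2364, 480, r"C:\Windows\SysWOW64\TXPlatforn.exe",
                 r"C:\Windows\SysWOW64\TXPlatforn.exe -auto"),
    ProcessEvent(900, 480, r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\system32\svchost.exe -k netsvcs"),  # assumed benign control
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# "ping <loopback>" used as a sleep, chained with "del <target>": the
# self-deletion idiom in the cmd.exe step of the tree above.
SELF_DELETE_RE = re.compile(
    r'\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b'
    r'.*?&&\s*del\s+(?:/\w\s+)*"?([^"\s&]+)',
    re.IGNORECASE,
)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    # Good enough for the demo: anything under a user profile directory.
    return path.lower().startswith("c:\\users\\")


def parse_self_delete(cmdline: str) -> Optional[str]:
    """Return the path passed to `del` in a ping-delay self-delete chain, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events: List[ProcessEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # 1. svchost.exe running from anywhere but System32/SysWOW64 (masquerading).
        if _name(ev.image) == "svchost.exe" and ntpath.dirname(ev.image).lower() not in SYSTEM_DIRS:
            findings.append(Finding("masquerading_svchost", ev.pid, ev.image))
        # 2. Staging chain: a binary in a user-writable path spawning another one.
        if parent and _user_writable(ev.image) and _user_writable(parent.image):
            findings.append(Finding("temp_exe_spawns_temp_exe", ev.pid,
                                    f"{_name(parent.image)} -> {_name(ev.image)}"))
        # 3. cmd.exe ping-delay + del, correlated with the parent's image path.
        if _name(ev.image) == "cmd.exe":
            target = parse_self_delete(ev.cmdline)
            if target:
                whose = ("parent image" if parent and target.lower() == parent.image.lower()
                         else "other file")
                findings.append(Finding("ping_delay_self_delete", ev.pid,
                                        f"deletes {whose}: {target}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.detail}")
```

Rule 3 correlates the `del` target with the parent's image path so that a genuine self-delete (the parent erasing its own binary, as PID 2956 does for PID 2804 here) is distinguished from cmd.exe deleting some unrelated file. The UPX and Gh0st/Purple Fox YARA hits in the Signatures section are memory-based and are not reproduced by this script; it covers only the process-tree behaviour.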
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208