Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/08/2023, 18:18

General

  • Target

    7128580d3d4567ddc2e96c15a99582c91340495b3e4efc6d52eedd9094c1397c.exe

  • Size

    1.4MB

  • MD5

    8dd7ae6334517d6fa71f79dce4099b90

  • SHA1

    bda6cd7b2fed8c81dff306a60a0d8c2330989c2d

  • SHA256

    7128580d3d4567ddc2e96c15a99582c91340495b3e4efc6d52eedd9094c1397c

  • SHA512

    b87f390e6eaf976819a847b47196663ee63cc6e4f18f5895e93c934df5d9c15ca1b458491993ba3f5c4b5f8c5a9c08c74de81b52058ec23f8e26b3a5612f54cb

  • SSDEEP

    24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7128580d3d4567ddc2e96c15a99582c91340495b3e4efc6d52eedd9094c1397c.exe
    "C:\Users\Admin\AppData\Local\Temp\7128580d3d4567ddc2e96c15a99582c91340495b3e4efc6d52eedd9094c1397c.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5016

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/5016-0-0x0000000010000000-0x000000001019F000-memory.dmp

          Filesize

          1.6MB