Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230824-en -
resource tags
arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
submitted
28/08/2023, 20:18
Static task
static1
Behavioral task
behavioral1
Sample
1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe
Resource
win7-20230824-en
General
-
Target
1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe
-
Size
940KB
-
MD5
7b2958136f4aa21d2a1555aa8da063f1
-
SHA1
4a82339804bd3deb28fd657c3b8c2b6d3e2b91fe
-
SHA256
1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7
-
SHA512
7bb2baeb40fde36920133d304f2ed9a0d48ded5d404c104681b70b2496c5ecab8c3b24fd89760d344f5d167f56e6bbc6d3a2f1c30c713126cfe9017ecb5dabdc
-
SSDEEP
24576:2i2Tro2H2HESq2eWJ6MQjySjyirk4umUua9Yv79AQ:2xTc2H2tFvduySxrkEUuRAQ
Malware Config
Signatures
-
Purplefox rootkit (yara rule purplefox_rootkit) 4 IoCs
resource yara_rule
behavioral1/memory/2172-9-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2172-10-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2172-20-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2080-24-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
-
Gh0st RAT payload 5 IoCs
resource yara_rule
behavioral1/memory/2172-9-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2172-10-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2080-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2172-20-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2080-24-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
-
Executes dropped EXE 3 IoCs
pid Process
2172 RVN.exe
2080 TXPlatforn.exe
524 TXPlatforn.exe
-
Loads dropped DLL 2 IoCs
pid Process
516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe
2080 TXPlatforn.exe
-
UPX packed file (yara rule upx) 6 IoCs
resource yara_rule
behavioral1/memory/2172-6-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2172-9-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2172-10-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2080-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2172-20-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2080-24-0x0000000010000000-0x00000000101B6000-memory.dmp upx
-
Drops file in System32 directory 2 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2064 PING.EXE -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2172 RVN.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 516 wrote to memory of 2172 516 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe 29
PID 2172 wrote to memory of 1704 2172 RVN.exe 32
PID 2172 wrote to memory of 1704 2172 RVN.exe 32
PID 2172 wrote to memory of 1704 2172 RVN.exe 32
PID 2172 wrote to memory of 1704 2172 RVN.exe 32
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 2080 wrote to memory of 524 2080 TXPlatforn.exe 34
PID 1704 wrote to memory of 2064 1704 cmd.exe 35
PID 1704 wrote to memory of 2064 1704 cmd.exe 35
PID 1704 wrote to memory of 2064 1704 cmd.exe 35
PID 1704 wrote to memory of 2064 1704 cmd.exe 35
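All three yara blocks above (purplefox_rootkit, family_gh0strat, upx) fire on the same 0x10000000-0x101B6000 region, first in PID 2172 (RVN.exe) and later in PID 2080 (TXPlatforn.exe), which is what one payload module mapped at the same base in two processes looks like. The following is an added example, not part of the sandbox report, that parses those resource names and correlates the hits per process and region; it assumes the naming scheme behavioral1/memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp, which is inferred from the entries and not documented on the page.

```python
"""Correlate yara hits on sandbox memory dumps by process and region.

Added example; not code from the sandbox or the report. The (resource, rule)
pairs are transcribed from the Signatures section above. The resource naming
scheme parsed by DUMP_RE is an assumption inferred from those entries.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"behavioral1/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Every hit in the report is on this one region, so build the names from it.
REGION = "0x0000000010000000-0x00000000101B6000"


def _res(pid, idx):
    return f"behavioral1/memory/{pid}-{idx}-{REGION}-memory.dmp"


HITS = (
    [(_res(*d), "purplefox_rootkit") for d in [(2172, 9), (2172, 10), (2172, 20), (2080, 24)]]
    + [(_res(*d), "family_gh0strat") for d in [(2172, 9), (2172, 10), (2080, 18), (2172, 20), (2080, 24)]]
    + [(_res(*d), "upx") for d in [(2172, 6), (2172, 9), (2172, 10), (2080, 18), (2172, 20), (2080, 24)]]
)


def parse_dump_name(name):
    """Split a dump resource name into pid, dump index, region bounds and size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a memory dump resource name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def rules_by_region(hits):
    """Map (pid, start, end) -> sorted list of rules that fired on any dump of it."""
    out = defaultdict(set)
    for name, rule in hits:
        d = parse_dump_name(name)
        out[(d["pid"], d["start"], d["end"])].add(rule)
    return {k: sorted(v) for k, v in out.items()}


def first_hit(hits):
    """Earliest dump index at which each rule fired in each process.

    Ordering matters: the upx rule firing before the family rules in the same
    region is consistent with a packed module that is unpacked in memory.
    """
    out = {}
    for name, rule in hits:
        d = parse_dump_name(name)
        key = (d["pid"], rule)
        out[key] = min(out.get(key, d["idx"]), d["idx"])
    return out


def shared_payload_regions(hits, required=("purplefox_rootkit", "family_gh0strat")):
    """Regions (start, end) where every required rule fired in more than one PID.

    Returns {(start, end): [pids]}; the same region at the same base in several
    processes is the usual footprint of one payload module loaded into each.
    """
    by_addr = defaultdict(list)
    for (pid, start, end), rules in rules_by_region(hits).items():
        if all(r in rules for r in required):
            by_addr[(start, end)].append(pid)
    return {k: sorted(v) for k, v in by_addr.items() if len(v) > 1}


if __name__ == "__main__":
    for region, pids in shared_payload_regions(HITS).items():
        print(f"region {region[0]:#x}-{region[1]:#x} ({region[1] - region[0]} bytes) in PIDs {pids}")
    for (pid, rule), idx in sorted(first_hit(HITS).items()):
        print(f"pid {pid}: {rule} first seen at dump {idx}")
```

For this report the shared region is 0x1B6000 bytes (1794048) at base 0x10000000 in both 2172 and 2080; in 2172 the upx rule fires at dump 6 and the two family rules only from dump 9 onward.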
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe"
    PID: 516
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        PID: 2172
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
            PID: 1704
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                PID: 2064
                - Runs ping.exe
-
[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    PID: 2080
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        PID: 524
        - Executes dropped EXE
-
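Two behaviours in the process tree are worth turning into detection logic: RVN.exe (PID 2172) spawns cmd.exe to run `ping -n 2 127.0.0.1` as a delay and then `del` its own image path, and RVN.exe writes TXPlatforn.exe into C:\Windows\SysWOW64, where it later runs as a separate tree root with `-auto` and spawns itself with `-acsi`. The following is an added example, not part of the sandbox report, that encodes both checks and runs them over event records constructed from the tree above and the "Drops file in System32 directory" entry; the parent PIDs of the two tree roots (516 and 2080) are not in the report and are set to 0 as an assumption, and the field names are my own rather than a sandbox schema.

```python
"""Detect ping-delayed self-deletion and system-directory drops in a process tree.

Added example; not code from the sandbox or the report. PROCS and FILES are
constructed from the process tree and file IoCs above. ppid 0 for PIDs 516
and 2080 is an assumption (their parents are not shown in the report).
"""
import re

PROCS = [
    {"pid": 516, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7.exe"'},
    {"pid": 2172, "ppid": 516, "image": r"C:\Users\Admin\AppData\Local\Temp\RVN.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\\RVN.exe"},
    {"pid": 1704, "ppid": 2172, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul"},
    {"pid": 2064, "ppid": 1704, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping -n 2 127.0.0.1"},
    {"pid": 2080, "ppid": 0, "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "cmdline": r"C:\Windows\SysWOW64\TXPlatforn.exe -auto"},
    {"pid": 524, "ppid": 2080, "image": r"C:\Windows\SysWOW64\TXPlatforn.exe",
     "cmdline": r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi"},
]

# File events as (pid, action, path), from "Drops file in System32 directory".
FILES = [
    (2172, "create", r"C:\Windows\SysWOW64\TXPlatforn.exe"),
    (2172, "modify", r"C:\Windows\SysWOW64\TXPlatforn.exe"),
]

# "ping -n <count> 127.0.0.1 ... && del <target>" with an optional "> nul" sink.
SELF_DELETE_RE = re.compile(
    r"ping\s+-n\s+(?P<count>\d+)\s+127\.0\.0\.1.*?&&\s*del\s+(?P<target>.+?)(?:\s*>\s*nul)?\s*$",
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def norm(path):
    """Case-insensitive comparison key; strips the quotes cmd.exe tolerates."""
    return path.strip('"').lower()


def find_ping_self_delete(procs):
    """Flag cmd lines that sleep via ping and then delete a file.

    The finding records whether the deleted path is the parent's own image,
    i.e. the launching binary removing itself after it has done its work.
    """
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        m = SELF_DELETE_RE.search(p["cmdline"])
        if m is None:
            continue
        target = norm(m["target"])
        parent = by_pid.get(p["ppid"])
        findings.append({
            "pid": p["pid"],
            "parent_pid": p["ppid"],
            "delay_pings": int(m["count"]),
            "deletes": target,
            "target_is_parent_image": parent is not None and norm(parent["image"]) == target,
        })
    return findings


def find_system_dir_drops(procs, files):
    """Flag files created under System32/SysWOW64 by a process outside C:\\Windows,
    and list every process that later ran from that path with its arguments."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for pid, action, path in files:
        if action != "create" or not norm(path).startswith(SYSTEM_DIRS):
            continue
        dropper = by_pid.get(pid)
        if dropper is None or norm(dropper["image"]).startswith("c:\\windows\\"):
            continue
        runners = [p for p in procs if norm(p["image"]) == norm(path)]
        args = sorted({p["cmdline"][len(p["image"]):].strip() for p in runners
                       if norm(p["cmdline"]).startswith(norm(p["image"]))})
        findings.append({"path": path, "dropped_by": pid,
                         "executed_by": [p["pid"] for p in runners], "args": args})
    return findings


if __name__ == "__main__":
    for f in find_ping_self_delete(PROCS):
        print("ping/del self-delete:", f)
    for f in find_system_dir_drops(PROCS, FILES):
        print("system-directory drop:", f)
```

On the constructed events the first check reports PID 1704 deleting C:\Users\Admin\AppData\Local\Temp\RVN.exe, which is exactly the image of its parent 2172, and the second reports TXPlatforn.exe dropped by 2172 and executed by 2080 and 524 with `-auto` and `-acsi`. Note that the cmd.exe command line names C:\Windows\system32 while the image recorded is C:\Windows\SysWOW64\cmd.exe, so a rule keyed on the image path rather than the command line handles the WOW64 redirection of a 32-bit parent.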
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
940KB
MD5 7b2958136f4aa21d2a1555aa8da063f1
SHA1 4a82339804bd3deb28fd657c3b8c2b6d3e2b91fe
SHA256 1a400900418c14bddf041f95cf06f22e4634745c55eca1251d8be8f0eebca8a7
SHA512 7bb2baeb40fde36920133d304f2ed9a0d48ded5d404c104681b70b2496c5ecab8c3b24fd89760d344f5d167f56e6bbc6d3a2f1c30c713126cfe9017ecb5dabdc
-
Filesize
377KB
MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4