Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
07/10/2023, 17:59
General
-
Target
eb858c884f6be11acb83f39a645481882f6a9d554995a059320609321b4d068b.exe
-
Size
1.3MB
-
MD5
cb56cc60deb3a2343bed628135c1f4fb
-
SHA1
d9274628e0f6071df8b93e309330262f6f4ebd53
-
SHA256
eb858c884f6be11acb83f39a645481882f6a9d554995a059320609321b4d068b
-
SHA512
2c9cdac55425a31441d0d42c83ce229d694692bc6edafbada5fda2a488b3d092ff4fc93b67d7cab4b432a97749e38e995defd187ecdba3ad63149ab3cb6fadaa
-
SSDEEP
24576:W89tv9/7JtDElDEExIecl1erdg0MCiVWhR/Poh:W89XJt4HIZ/Gg0P+Whe
Malware Config
Signatures
-
Detect PurpleFox Rootkit 8 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 9 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\eb858c884f6be11acb83f39a645481882f6a9d554995a059320609321b4d068b.exe"C:\Users\Admin\AppData\Local\Temp\eb858c884f6be11acb83f39a645481882f6a9d554995a059320609321b4d068b.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QQ.exeC:\Users\Admin\AppData\Local\Temp\\QQ.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\QQ.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.11⤵
- Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5cb56cc60deb3a2343bed628135c1f4fb
SHA1d9274628e0f6071df8b93e309330262f6f4ebd53
SHA256eb858c884f6be11acb83f39a645481882f6a9d554995a059320609321b4d068b
SHA5122c9cdac55425a31441d0d42c83ce229d694692bc6edafbada5fda2a488b3d092ff4fc93b67d7cab4b432a97749e38e995defd187ecdba3ad63149ab3cb6fadaa
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
377KB
MD53d6e7db5800f1dadb016cbf989749e3c
SHA17c09c438a352cbc4de5d7279bf07d36e8f6cbfef
SHA256bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b
SHA512a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB