Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
17-11-2023 18:54
General
-
Target
c92b78a713a565438268b38961afb6afcd83d186dad635a242b562e8f1d8a599.exe
-
Size
15.4MB
-
MD5
3907b481feb88a9c7454e45fdfea29f0
-
SHA1
6b756215b35568bde687c8e2299ad2213bebb830
-
SHA256
c92b78a713a565438268b38961afb6afcd83d186dad635a242b562e8f1d8a599
-
SHA512
8ecee6c65c47114ae98a87d1e4fc691e28bd77f5755e9efe3ed1778885c8d6f6f6b6eb37537f7896ef4e5ae4cf2cd0a90aebd78d4eb3b6399900a38414e9210c
-
SSDEEP
393216:PPLvIfjMVueqs57PE5/9K0Ln5z3pHnEwfO43q2:PP8faueh5Gw0Dd31TO462
Malware Config
Signatures
-
Detect PurpleFox Rootkit 6 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c92b78a713a565438268b38961afb6afcd83d186dad635a242b562e8f1d8a599.exe"C:\Users\Admin\AppData\Local\Temp\c92b78a713a565438268b38961afb6afcd83d186dad635a242b562e8f1d8a599.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Common Files\SJervices\winhlp64.exe"C:\Program Files\Common Files\SJervices\winhlp64.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files\Common Files\SJervices\winhlp64.exe"C:\Program Files\Common Files\SJervices\winhlp64.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
410KB
MD56b095d4de2a49276e91c0b98041f412b
SHA108329285e41b7cba66c4800d7a079273219685dc
SHA256712d1669f272f6476926ef2f982e0673cd0dd0b3279d9b3ebf5fef012d7fae9e
SHA512d0b804b523c42d418fb21f844cb197ce966fb4189bb909eca7aa9890f3c101b7b895bfae1e8afd41a2daf9a55806f520c489988a0096ea2bd504444564139d74
-
Filesize
410KB
MD56b095d4de2a49276e91c0b98041f412b
SHA108329285e41b7cba66c4800d7a079273219685dc
SHA256712d1669f272f6476926ef2f982e0673cd0dd0b3279d9b3ebf5fef012d7fae9e
SHA512d0b804b523c42d418fb21f844cb197ce966fb4189bb909eca7aa9890f3c101b7b895bfae1e8afd41a2daf9a55806f520c489988a0096ea2bd504444564139d74
-
Filesize
410KB
MD56b095d4de2a49276e91c0b98041f412b
SHA108329285e41b7cba66c4800d7a079273219685dc
SHA256712d1669f272f6476926ef2f982e0673cd0dd0b3279d9b3ebf5fef012d7fae9e
SHA512d0b804b523c42d418fb21f844cb197ce966fb4189bb909eca7aa9890f3c101b7b895bfae1e8afd41a2daf9a55806f520c489988a0096ea2bd504444564139d74
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB