Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/03/2024, 19:22

General

  • Target

    219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe

  • Size

    3.0MB

  • MD5

    2f3c7d4ec1da2c6493c09888bfe71485

  • SHA1

    5918bf4c034086919780ff7bdb08a4e9060af4f8

  • SHA256

    219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0

  • SHA512

    de7fb82afecee8ecd5ad21e3972c47d4319a9d6adef559c313d4591c2a0df6a3ff419ba4771a3055971246508a71ba053a3e0cf4fbab795cf6f61b21e8709fb7

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+Wh6H1V7V3:Vws2ANnKXOaeOgmh6DV

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 3 IoCs
  • Program crash 3 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe
    "C:\Users\Admin\AppData\Local\Temp\219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:1640
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 448
        3⤵
        • Program crash
        PID:4532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 456
        3⤵
        • Program crash
        PID:1460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 384
        3⤵
        • Program crash
        PID:1916
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2724
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1948
    • C:\Users\Admin\AppData\Local\Temp\HD_219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe
      C:\Users\Admin\AppData\Local\Temp\HD_219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c net user administrator /active:yes
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Windows\system32\net.exe
          net user administrator /active:yes
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1264
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 user administrator /active:yes
            5⤵
            PID:2320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1640 -ip 1640
    1⤵
    PID:2008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1640 -ip 1640
    1⤵
    PID:2916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1640 -ip 1640
    1⤵
    PID:4872
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:800

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\HD_219a97e35a4b944dd9a20b576a0eaf3319311baea2660b39e8d9d3f23bb3dab0.exe

                  Filesize

                  417KB

                  MD5

                  1ef58af2eba7d4ab2361dddfc69a2e9b

                  SHA1

                  d196bb066ff884b158284745dba977cac37d5f82

                  SHA256

                  ccaa770e15e82faa815257e2f1e62e007d7631e06c9685e5222e68f645a70671

                  SHA512

                  0fa358b9005b11661dc0dbe5f00022741484e351bc763dc800f47aa79af75d12fc3df9497ce0359a45b9e4e3ff192084f6c5959d3420714975fcb6f94685e286

                • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

                  Filesize

                  2.6MB

                  MD5

                  274fe01eb0f4cd402c3cfdeda4b30715

                  SHA1

                  72db93e86caaadf2f28e5265ebfbc2ea6ba9e705

                  SHA256

                  843743adaef60d2f490d2702487f7687ffa36524d11ad89feed31bbddfd21d40

                  SHA512

                  6d71d57566f436c6e1242421070bca8c62ba95a7ccfc73ae5efef54f93482b3e3b742bda361b7c713a5e5158f11310401341bd1ddd4f011ba33f77c5e9543798

                • C:\Users\Admin\AppData\Local\Temp\N.exe

                  Filesize

                  377KB

                  MD5

                  4a36a48e58829c22381572b2040b6fe0

                  SHA1

                  f09d30e44ff7e3f20a5de307720f3ad148c6143b

                  SHA256

                  3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

                  SHA512

                  5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

                • C:\Users\Admin\AppData\Local\Temp\R.exe

                  Filesize

                  941KB

                  MD5

                  8dc3adf1c490211971c1e2325f1424d2

                  SHA1

                  4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

                  SHA256

                  bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

                  SHA512

                  ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

                • C:\Windows\SysWOW64\240596437.txt

                  Filesize

                  899KB

                  MD5

                  0ba4d881f2d214fc46f9ca56363174b7

                  SHA1

                  90bb42833d24013a4616efd6c834611f31656215

                  SHA256

                  ad4d220292193f2fa18f48937ff18299da449c3082a952776c16c75224443f23

                  SHA512

                  4cf549c6e4481667a2b0b059ce11a57d50f86de09bff8c90ff7c8f17d33781c2bc8a03928bb9be8de0d92f8656b4c6b256314e82aa41f27141ec0a1be673d5cf

                • memory/800-51-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/800-48-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/800-45-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/2168-52-0x00007FF7F8DE0000-0x00007FF7F8EE6000-memory.dmp

                  Filesize

                  1.0MB

                • memory/2168-35-0x00007FF7F8DE0000-0x00007FF7F8EE6000-memory.dmp

                  Filesize

                  1.0MB

                • memory/3120-24-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/3120-32-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/3120-22-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/3120-23-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/3120-20-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/4064-25-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/4064-15-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/4064-14-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB

                • memory/4064-12-0x0000000010000000-0x00000000101B6000-memory.dmp

                  Filesize

                  1.7MB