Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2024, 18:59

General

  • Target

    af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe

  • Size

    4.2MB

  • MD5

    82f3a31589f7c97dc321e173cf81b529

  • SHA1

    80c8362b7bdf48e32643844ac591293f5ae44a06

  • SHA256

    af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4

  • SHA512

    89bbab807f0ce49d864e98efc4c2dde01551dbf17b8319280448cad7e55ff08233595d729feef95792c2e502068368d425d3995ad1a9d9bae6a10220ac426bd6

  • SSDEEP

    49152:yCwsbCANnKXferL7Vwe/Gg0P+Wh61aQZYKDgtXEsB6n20iMOgzf4+NrWkS:Vws2ANnKXOaeOgmh+aQlDgt0I6SkAL

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
    "C:\Users\Admin\AppData\Local\Temp\af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Sets DLL path for service in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:5028
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3788
    • C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
      C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1680
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:316
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240616718.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2736
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:1612

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

            Filesize

            1.8MB

            MD5

            fff93c6a66f8435ef2fc0de3b20bdbd8

            SHA1

            b9925ae416bfd0c6b5e7a732481616907810c85f

            SHA256

            b582dc03302114d4c9664331e9ff2b3dc65fdecef3a04e576f76f20399486358

            SHA512

            6ad1f9694f2a88286b8f4aa4635828076d1d6f2cdbfd55bca57d86ea14f4a1c3a3c3af336a70f8c30e662f8001cc4cd711f18bc27818b62944205d12db253a74

          • C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe

            Filesize

            1.6MB

            MD5

            bc4e1792f96273a2ea24cf974e2976a0

            SHA1

            525849644ae952b0e551a13b7ae4f0726d297dcc

            SHA256

            f2200da66535a40c8b5c9f16f4fe3ca9494713dbfdec60a66f92c0d022f48351

            SHA512

            a90cbd10547200ab3c88dcf625de256fb589682ae825967deca9b5721da2df8b67f05d60f58e32d02d7d13661f80c219d5dc2971b9ec87e41e00942c87e9c414

          • C:\Users\Admin\AppData\Local\Temp\N.exe

            Filesize

            377KB

            MD5

            4a36a48e58829c22381572b2040b6fe0

            SHA1

            f09d30e44ff7e3f20a5de307720f3ad148c6143b

            SHA256

            3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

            SHA512

            5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

          • C:\Users\Admin\AppData\Local\Temp\R.exe

            Filesize

            941KB

            MD5

            8dc3adf1c490211971c1e2325f1424d2

            SHA1

            4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

            SHA256

            bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

            SHA512

            ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

          • C:\Users\Admin\AppData\Local\Temp\nsh8B78.tmp\System.dll

            Filesize

            11KB

            MD5

            fccff8cb7a1067e23fd2e2b63971a8e1

            SHA1

            30e2a9e137c1223a78a0f7b0bf96a1c361976d91

            SHA256

            6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

            SHA512

            f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

          • C:\Windows\SysWOW64\240616718.txt

            Filesize

            899KB

            MD5

            3edbd82d593fd1db910ce0a8d72c5092

            SHA1

            0145d09fab7a5b93fc24c29e105ce7ec1b050e67

            SHA256

            465c3763f291b781febbbdec11d810821fca7419313d4ba0da4476a83bed6477

            SHA512

            e04cf0386293fab701eb97e38ff6b56fa875fd87d69eb2e2f3e1a471b844d11f33fa446faf5cbbab668a579cf56a30392511a54475ee789da3500f79550101f5

          • C:\Windows\SysWOW64\Remote Data.exe

            Filesize

            60KB

            MD5

            889b99c52a60dd49227c5e485a016679

            SHA1

            8fa889e456aa646a4d0a4349977430ce5fa5e2d7

            SHA256

            6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

            SHA512

            08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

          • C:\Windows\SysWOW64\TXPlatfor.exe

            Filesize

            324KB

            MD5

            3dd05c3964fbd4bf6c381b327793ae98

            SHA1

            3fe6d0395c1ab55dd18176d48b9d167333fa3ed8

            SHA256

            69535b39177f8add51660252155571391d9199ff164d23666b5d9236273d6df8

            SHA512

            c0012395f96dd4c1a1666b4ecda642d6e10305a7e432bec93ca8249dc69a6936f819dc2471a29b15cdb312f44d067e2a20a67a0b1641bfd9076307e482754174

          • memory/1512-29-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1512-28-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1512-30-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1512-26-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1512-36-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1612-44-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1612-42-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/1612-47-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4552-32-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4552-21-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4552-19-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB

          • memory/4552-17-0x0000000010000000-0x00000000101B6000-memory.dmp

            Filesize

            1.7MB