Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2024, 18:59

Static task: static1
Behavioral task: behavioral1
Sample: af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Resource: win7-20240221-en
General

Target: af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Size: 4.2MB
MD5: 82f3a31589f7c97dc321e173cf81b529
SHA1: 80c8362b7bdf48e32643844ac591293f5ae44a06
SHA256: af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4
SHA512: 89bbab807f0ce49d864e98efc4c2dde01551dbf17b8319280448cad7e55ff08233595d729feef95792c2e502068368d425d3995ad1a9d9bae6a10220ac426bd6
SSDEEP: 49152:yCwsbCANnKXferL7Vwe/Gg0P+Wh61aQZYKDgtXEsB6n20iMOgzf4+NrWkS:Vws2ANnKXOaeOgmh+aQlDgt0I6SkAL
Malware Config
Signatures
Purplefox rootkit (yara_rule purplefox_rootkit) 9 IoCs
All matches are the same 0x10000000-0x00000000101B6000 image mapped in N.exe (4552) and both TXPlatfor.exe instances (1512, 1612):
resource                                                                      yara_rule
behavioral2/memory/4552-19-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4552-21-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1512-28-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1512-30-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4552-32-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1512-36-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1612-42-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1612-44-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1612-47-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
resource                                                                      yara_rule
behavioral2/files/0x000700000002321b-5.dat                                    family_gh0strat
behavioral2/memory/4552-19-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4552-21-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1512-29-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1512-28-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1512-30-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4552-32-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1512-36-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1612-42-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1612-44-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1612-47-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
description   ioc                                         Process
File created  C:\Windows\system32\drivers\QAssist.sys     TXPlatfor.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description      ioc                                                                                 Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240616718.txt"  R.exe
(The ServiceDll of the "Remote Data" svchost group points at a .txt in system32; the file is a DLL under a non-DLL extension, loaded by svchost.exe -k "Remote Data" in the process tree below.)

Sets service image path in registry 2 TTPs 1 IoCs
description      ioc                                                                                 Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatfor.exe
Executes dropped EXE 6 IoCs
pid   Process
5028  R.exe
4552  N.exe
1512  TXPlatfor.exe
1612  TXPlatfor.exe
1680  HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
2736  Remote Data.exe

Loads dropped DLL 4 IoCs
pid   Process
5028  R.exe
3056  svchost.exe
1680  HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
2736  Remote Data.exe
UPX packed (yara_rule upx) 12 IoCs
resource                                                                      yara_rule
behavioral2/memory/4552-17-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4552-19-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4552-21-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1512-26-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1512-29-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1512-28-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1512-30-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4552-32-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1512-36-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1612-42-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1612-44-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1612-47-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Drops file in System32 directory 6 IoCs
description                  ioc                                      Process
File created                 C:\Windows\SysWOW64\Remote Data.exe      svchost.exe
File opened for modification C:\Windows\SysWOW64\Remote Data.exe      svchost.exe
File created                 C:\Windows\SysWOW64\TXPlatfor.exe        N.exe
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe        N.exe
File created                 C:\Windows\SysWOW64\240616718.txt        R.exe
File opened for modification C:\Windows\SysWOW64\ini.ini              R.exe
Drops file in Program Files directory 1 IoCs
description                  ioc                                                          Process
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
resource                                    yara_rule
behavioral2/files/0x0007000000023222-40.dat nsis_installer_1
behavioral2/files/0x0007000000023222-40.dat nsis_installer_2
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
3788  PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid   Process
1612  TXPlatfor.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description                          pid   Process
Token: SeIncBasePriorityPrivilege    4552  N.exe
Token: SeLoadDriverPrivilege         1612  TXPlatfor.exe
Token: 33                            1612  TXPlatfor.exe
Token: SeIncBasePriorityPrivilege    1612  TXPlatfor.exe
Token: 33                            1612  TXPlatfor.exe
Token: SeIncBasePriorityPrivilege    1612  TXPlatfor.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Suspicious use of WriteProcessMemory 21 IoCs
Each parent/child pair below appears three times in the raw log (three WriteProcessMemory events per spawn); target process names are taken from the process tree.
pid   Process                                                                 procid_target  target process     events
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe  89             5028 R.exe         3
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe  93             4552 N.exe         3
1512  TXPlatfor.exe                                                           95             1612 TXPlatfor.exe 3
4552  N.exe                                                                   96             1408 cmd.exe       3
2632  af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe  97             1680 HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe  3
1408  cmd.exe                                                                 99             3788 PING.EXE      3
3056  svchost.exe                                                             100            2736 Remote Data.exe  3
Processes

C:\Users\Admin\AppData\Local\Temp\af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe"
  PID: 2632
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\R.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
    PID: 5028
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

  C:\Users\Admin\AppData\Local\Temp\N.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
    PID: 4552
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      PID: 1408
      - Suspicious use of WriteProcessMemory
      (ping -n 2 against loopback is a one-second delay so that N.exe has exited before cmd.exe deletes it.)

      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        PID: 3788
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
    PID: 1680
    - Executes dropped EXE
    - Loads dropped DLL

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  PID: 316

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  PID: 3056
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Remote Data.exe
    command line: "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240616718.txt",MainThread
    PID: 2736
    - Executes dropped EXE
    - Loads dropped DLL
    (rundll32-style invocation: the dropped .txt is loaded as a DLL and its MainThread export is called.)

C:\Windows\SysWOW64\TXPlatfor.exe
  command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  PID: 1512
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\TXPlatfor.exe
    command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    PID: 1612
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.8MB
MD5: fff93c6a66f8435ef2fc0de3b20bdbd8
SHA1: b9925ae416bfd0c6b5e7a732481616907810c85f
SHA256: b582dc03302114d4c9664331e9ff2b3dc65fdecef3a04e576f76f20399486358
SHA512: 6ad1f9694f2a88286b8f4aa4635828076d1d6f2cdbfd55bca57d86ea14f4a1c3a3c3af336a70f8c30e662f8001cc4cd711f18bc27818b62944205d12db253a74

C:\Users\Admin\AppData\Local\Temp\HD_af3ab2b4bd07de7727bdb1041f85583b6fb021ee6f0cde0613768ab75749bee4.exe
Filesize: 1.6MB
MD5: bc4e1792f96273a2ea24cf974e2976a0
SHA1: 525849644ae952b0e551a13b7ae4f0726d297dcc
SHA256: f2200da66535a40c8b5c9f16f4fe3ca9494713dbfdec60a66f92c0d022f48351
SHA512: a90cbd10547200ab3c88dcf625de256fb589682ae825967deca9b5721da2df8b67f05d60f58e32d02d7d13661f80c219d5dc2971b9ec87e41e00942c87e9c414

Filesize: 377KB
MD5: 4a36a48e58829c22381572b2040b6fe0
SHA1: f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512: 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Filesize: 941KB
MD5: 8dc3adf1c490211971c1e2325f1424d2
SHA1: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512: ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Filesize: 11KB
MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Filesize: 899KB
MD5: 3edbd82d593fd1db910ce0a8d72c5092
SHA1: 0145d09fab7a5b93fc24c29e105ce7ec1b050e67
SHA256: 465c3763f291b781febbbdec11d810821fca7419313d4ba0da4476a83bed6477
SHA512: e04cf0386293fab701eb97e38ff6b56fa875fd87d69eb2e2f3e1a471b844d11f33fa446faf5cbbab668a579cf56a30392511a54475ee789da3500f79550101f5

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Filesize: 324KB
MD5: 3dd05c3964fbd4bf6c381b327793ae98
SHA1: 3fe6d0395c1ab55dd18176d48b9d167333fa3ed8
SHA256: 69535b39177f8add51660252155571391d9199ff164d23666b5d9236273d6df8
SHA512: c0012395f96dd4c1a1666b4ecda642d6e10305a7e432bec93ca8249dc69a6936f819dc2471a29b15cdb312f44d067e2a20a67a0b1641bfd9076307e482754174