Overview

overview

10

Static

static

3

8e478acd30...81.exe

windows7-x64

10

8e478acd30...81.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe

  • Size

    2.4MB

  • MD5

    1e15caca642135edaa526a9731822f30

  • SHA1

    bb4d87756cb4fd75cc920fa8c3d94c505a88ffa6

  • SHA256

    8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481

  • SHA512

    cb775fdcd3e94bec4e79007e5f2ca3e89f512f48169332231e5927d9cce1b0b53e26a06cccdf180ec7a4876b97298282d8dae6f276ab7d787c52e449eca6e4a4

  • SSDEEP

    49152:9CwsbCANnKXferL7Vwe/Gg0P+WhbYF7R2L:Aws2ANnKXOaeOgmhgR2L

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe
    "C:\Users\Admin\AppData\Local\Temp\8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 460
        3⤵
        • Program crash
        PID:5104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 396
        3⤵
        • Program crash
        PID:3464
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3340
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1488
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2292
    • C:\Users\Admin\AppData\Local\Temp\HD_8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe
      C:\Users\Admin\AppData\Local\Temp\HD_8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe
      2⤵
      • Executes dropped EXE
      PID:2228
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2024 -ip 2024
    1⤵
      PID:3788
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:3132
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2024 -ip 2024
      1⤵
        PID:5032
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:696

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Remote System Discovery

        1
        T1018

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\HD_8e478acd30f38ace1a377aba33339a20e830f40ed65b2e4d6498f98355179481.exe
          Filesize

          15KB

          MD5

          e90da043972903bbbc17c0266cbdcb2c

          SHA1

          50e57c7aec913c9847e07e9ca831bfa9d23760ff

          SHA256

          f374d5c3d59bb4d0967c355c0a6a8e723072481925ea3d8b536694affed58ff7

          SHA512

          99d65e9f8e068c29c19005155fca17b5666bfd75a576eda39724df77262c5d674989f74147d9b11c89989535e62d6b4352e45ec5235bd7750e196483c4d2d742

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
          Filesize

          2.4MB

          MD5

          32fc7958be0c55a4e59f59423ff580fe

          SHA1

          92be6dcfaa1428120ca91e0b9a3a1e4d1e3ae3c5

          SHA256

          221cca3d86bd76e048b250e5f8c869bf462d9d4fe665af832ad794866ad0ee01

          SHA512

          ea842038fdd19a3e5ed93686a234847f6048300865fadb328a335f52dc5d35f2f3568b0164eda543c7616df8ac3905041091daeec09b4d38446762fa2723e3a2

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\N.exe
          Filesize

          377KB

          MD5

          4a36a48e58829c22381572b2040b6fe0

          SHA1

          f09d30e44ff7e3f20a5de307720f3ad148c6143b

          SHA256

          3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

          SHA512

          5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\R.exe
          Filesize

          941KB

          MD5

          8dc3adf1c490211971c1e2325f1424d2

          SHA1

          4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

          SHA256

          bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

          SHA512

          ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\RCXA0D1.tmp
          Filesize

          2.4MB

          MD5

          48d44bcd79a65e37eca5cbb365ea2287

          SHA1

          4cd05672362059e0023274a37a32f59667ca762c

          SHA256

          096d5ad8df647a1e76c79cbb1b4ff6af11c76aab1e94063eb40da3fea6093119

          SHA512

          5b1140bbbbe72f59f87f21b40b7aeddbe101cace1c03047fbea77b7dd2c240ec99924e8de0809e7efe572af00e51cf2715754aa31d9b196ba3bca7271903b7bd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\X.ico
          Filesize

          69KB

          MD5

          e33fb6d686b1a8b171349572c5a33f67

          SHA1

          29f24fe536adf799b69b63c83efadc1bce457a54

          SHA256

          020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

          SHA512

          cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

          Download Submit
        • C:\Windows\SysWOW64\240645984.txt
          Filesize

          899KB

          MD5

          2a1a064db626d51d8e53f0e2589191cd

          SHA1

          464473c402a773ca2c811454d68117e01cc9dc08

          SHA256

          1627875b535a41ce0d66d538d52d4b9cc0125a2a39f7eeec270227a0828f8337

          SHA512

          eb45d3bec0d0aa92f70bf9e7ba47c8280c072a59571dd2ba31a209cb3404dff6bdeb09b54e74bdbdf4639347ece39b17c568b0c5c45e0a752f320a4db36c3758

          Download Submit
        • memory/2368-25-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2368-24-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2368-21-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2368-34-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3132-54-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3132-51-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3132-38-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3340-14-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3340-32-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3340-15-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3340-16-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/3340-12-0x0000000010000000-0x00000000101B6000-memory.dmp
          Filesize

          1.7MB

          Download