Overview

overview

10

Static

static

3

c3036a3246...74.exe

windows7-x64

10

c3036a3246...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2024 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe

  • Size

    3.9MB

  • MD5

    68ae6ccb3c5a879ea7d350372fe1f637

  • SHA1

    fda8df32fac91f400aebc9f1f12fe2b7874c41c4

  • SHA256

    c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74

  • SHA512

    aa8741fba30bfe5a1c6e7fe357d719f67b66c1348f0f6072b2cc96d0b4cccf5f982a0979aa5b46bb2c7a9310d6904cc5f0357ecd6b053b607946704ab6ad7fdc

  • SSDEEP

    98304:Yws2ANlKXOaeOgmhIFValfyCwwDK4F0Fc:O0XbeO75OK

Score
10/10
gh0stratpurplefoxsalitybackdoorevasionpersistenceratrootkittrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Drivers directory 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 40 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1064
    • C:\Users\Admin\AppData\Local\Temp\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
      "C:\Users\Admin\AppData\Local\Temp\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe"
      1⤵
      • Modifies firewall policy service
      • UAC bypass
      • Windows security bypass
      • Loads dropped DLL
      • Windows security modification
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2824
      • C:\Users\Admin\AppData\Local\Temp\R.exe
        C:\Users\Admin\AppData\Local\Temp\\R.exe
        2⤵
        • Sets DLL path for service in the registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:2056
      • C:\Users\Admin\AppData\Local\Temp\N.exe
        C:\Users\Admin\AppData\Local\Temp\\N.exe
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 2 127.0.0.1
            4⤵
            • Runs ping.exe
            PID:2808
      • C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
        C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2420
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
        PID:2912
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\SysWOW64\Remote Data.exe
          "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259396231.txt",MainThread
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2180
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -auto
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\SysWOW64\TXPlatfor.exe
          C:\Windows\SysWOW64\TXPlatfor.exe -acsi
          2⤵
          • Drops file in Drivers directory
          • Sets service image path in registry
          • Executes dropped EXE
          • Suspicious behavior: LoadsDriver
          • Suspicious use of AdjustPrivilegeToken
          PID:2544

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Defense Evasion

      Modify Registry

      7
      T1112

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\0F7669BB_Rar\c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
        Filesize

        3.9MB

        MD5

        b460f9a898a55bbc6f3bfc7906669425

        SHA1

        e5c8109b55c134e9707707ccbc80bedc410cea1b

        SHA256

        92c4bb6c17cd83c620ed45e8c273319a89e6cd93ef89333d4ba6df326ee60aa7

        SHA512

        2dee9b38c3f68c0ef80605158ebe61abb09ee70942d858dc05862de68568411424ad147a25f1c778f20fe81f3eb437567ba82d5af2b201123a6bf8cc9cb329df

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\HD_c3036a32460ece48445924f49c350e3efb7e136fe6b6f569320bea45fc383f74.exe
        Filesize

        1.3MB

        MD5

        9af4ff55c1c5aefe42bc22a6283f3c86

        SHA1

        629b290a8ee422211eb513d5fc91efcbb0d0f8ff

        SHA256

        eb9e892b792b8057aba8aa8a012ae18993011e261558e86eac5b5e835bfeb332

        SHA512

        3fd9c94ec4d2ca17b1a360a4d0f878ebc69655b91f645a294fb42908eaf4cae9b2daba2eb0f747b8904a4b77992ecf90666a5d79c2b3ba77127176d331e14f5e

        Download Submit
      • C:\Windows\SysWOW64\Remote Data.exe
        Filesize

        43KB

        MD5

        51138beea3e2c21ec44d0932c71762a8

        SHA1

        8939cf35447b22dd2c6e6f443446acc1bf986d58

        SHA256

        5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

        SHA512

        794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

        Download Submit
      • C:\viesli.exe
        Filesize

        100KB

        MD5

        6d56c17d9225d879df6ac6d3620c7673

        SHA1

        a7cf36521900945e7a90a94c08afecacd4df134a

        SHA256

        bcc98c90a584abde8bbe27aedfec2cf7d614705ea6d1ab253cb01c31054a870f

        SHA512

        706b050a8861a4c1c7bf0abcfd4af45c7bacb61cf74a603fb02c0e93c5ba02f1eb832323f22386e29154afba11724b759c29e6474b66932c148d25019fe5860a

        Download Submit
      • \Users\Admin\AppData\Local\Temp\N.exe
        Filesize

        377KB

        MD5

        4a36a48e58829c22381572b2040b6fe0

        SHA1

        f09d30e44ff7e3f20a5de307720f3ad148c6143b

        SHA256

        3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

        SHA512

        5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

        Download Submit
      • \Users\Admin\AppData\Local\Temp\R.exe
        Filesize

        941KB

        MD5

        8dc3adf1c490211971c1e2325f1424d2

        SHA1

        4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

        SHA256

        bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

        SHA512

        ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

        Download Submit
      • \Windows\SysWOW64\259396231.txt
        Filesize

        899KB

        MD5

        4a61f73a7faca57a57d183a51ab9f9f4

        SHA1

        707abccbce3da5b06cb8fc4e590e9c0559505c5e

        SHA256

        b174d3a954d9acd730dbf6f472fd0b4033de2bd964b701abab3507fae637d55b

        SHA512

        714a5abbf6c03c361e2cf8f5da35142258296cf77743793fe9dbba877e54d9b45d8c710499bb6639a27068a7a6ad1aaec865030615db846d6d251a9d77231364

        Download Submit
      • memory/1064-10-0x00000000002B0000-0x00000000002B2000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2544-70-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2544-73-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2544-68-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2620-48-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-33-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-49-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-31-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-34-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2632-35-0x0000000010000000-0x00000000101B6000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2824-8-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-86-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-40-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-28-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-16-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-15-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-24-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-0-0x0000000000400000-0x00000000006CC000-memory.dmp
        Filesize

        2.8MB

        Download
      • memory/2824-23-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-74-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-75-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-76-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-19-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-84-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-85-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-39-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-88-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-90-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-94-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-96-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-98-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-99-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-100-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-102-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-104-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-106-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-108-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-110-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-112-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-4-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-118-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/2824-1-0x00000000021A0000-0x000000000322E000-memory.dmp
        Filesize

        16.6MB

        Download