Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
23-05-2024 04:25
General
-
Target
6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exe
-
Size
1.9MB
-
MD5
df3ac06c1b759ad41c20383ca10ec63f
-
SHA1
bbddca776095e1af7c8fe8a8baf997bab68a3334
-
SHA256
6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82
-
SHA512
c60f5bd53da3c5213a221830b60143ee0ab1030a481d33744ae623702e3b6c0796f0b937530fd2c3c6f3488eb081e4efe02530292c4eba9e664db830e8df0300
-
SSDEEP
24576:MQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVuXARE9GyUUvse86ksW8oTdpPU:MQZAdVyVT9n/Gg0P+WhoZQRyjBdWxC
Malware Config
Signatures
-
Detect PurpleFox Rootkit 11 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 12 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exe"C:\Users\Admin\AppData\Local\Temp\6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\HD_6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exeC:\Users\Admin\AppData\Local\Temp\HD_6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exe2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240596953.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_6dae8bbe922676dcb5839ea8fb42f8bd3ba3f2f0e6302cba32222fbf541cea82.exeFilesize
692KB
MD53eee57121f38dc0850d6755bb79e5548
SHA1941c64830fa289689cec890ab7102b410e167eb1
SHA25642f9c63910a7ab4d8a298092c8174eacd6de9717a02aa4835141266c2655b6d4
SHA5122cf34a4e80b163e8269bd260eee22a234996b88994c504788c612b44dc3727145d98064b5b0e6e8948256915d89a860ae30095c67cfe084ca9f5f527c23dbecb
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.3MB
MD534cf886127070bff0085b7892108cc8a
SHA118cb3cc85beb31bacdbabc8b100ae230a6311060
SHA256585c6c204f5f446be9a66d6c1bf6381136cafe3006c023957f957110aa402fd9
SHA51265d81afbe7a55f58e36028a2dca83a7ee86e6f7d75ccb02a08df34070c5cd2d0bfc361341f249777ed68ed7fc5af7d05d8f5a8ca9fb412f7c44986331c613f9f
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeFilesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
C:\Windows\SysWOW64\240596953.txtFilesize
50KB
MD592b07019c00e59e994cb6f08e76ad04c
SHA1564b3e028be110ec98154c8efba677104cb6c31e
SHA256bffbd8b8506988de5a28c31db778dd3e2a80422f74c5456fc6348dffab774aa5
SHA51208cdf0380a378cd569a5fb629271f63a4dd9f30500e9abe83b0095b94aa93bc3dec3594977310a43d31cab70d4396170de7871c913c61629bc2382f0eaa3d0dd
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeFilesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
memory/1904-93-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/1904-92-0x0000000000210000-0x0000000000344000-memory.dmpFilesize
1.2MB
-
memory/3144-15-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3144-32-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3144-17-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3144-16-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3144-13-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4212-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4212-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4212-10-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4212-6-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4636-46-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4636-70-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4636-33-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4636-27-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB