Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24-05-2024 02:26
General
-
Target
1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe
-
Size
12.1MB
-
MD5
320a85f96d37a11e753425e694a27307
-
SHA1
c6c892b3993e384ca6747233bb6722350aa40ad3
-
SHA256
1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4
-
SHA512
717d072dc382abb00f12461f3e5b666936d6330dd1669df56987d5b73859fbd9b50959951a7f03005457b542cb49baa7fc52b9dbfbd01a39980385186ebcad0d
-
SSDEEP
196608:BKXbeO7yL9YE0SCI4rbECIwBbiL4c7NxIYaK+GutOHpDRw0nptlVOmpFEMSesg:S7yhYn/8Ch1vnGutMpDDnpnVVp6fesg
Malware Config
Signatures
-
Detect PurpleFox Rootkit 5 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 11 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 23 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 4 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 32 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"C:\Users\Admin\AppData\Local\Temp\1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeC:\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\System32\PING.EXE" www.baidu.com -n 24⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe--host_id 3 --verify_key NJXWU4ZEh8Ut --product "C:\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exe" --version 2014.05.177624⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\System32\PING.EXE" www.baidu.com -n 24⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXE"C:\Windows\System32\PING.EXE" www.baidu.com -n 24⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\MyMacro\binding.exeC:\Users\Admin\AppData\Roaming\MyMacro\binding.exe4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259423625.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
2.5MB
MD5acec13aa01bc10d2ca43979c01aa1a72
SHA1da28ccda34fd599f50a72ee3efd7c4e8a63c1579
SHA256142abca126fc1ba2c7f3633872a28828a4042107f6145a158a7eab99238d24bb
SHA5127f2d24fa49703f97a1a6ea0d80cef14aba2bb095358bf836ceb95477954110711157fef7afda97eaef5922e33b19ba7937847165304bedac410cff5f8def67e2
-
C:\Users\Admin\AppData\Local\Temp\QMLog\20240524.logFilesize
324B
MD5d5184ceb6948daacc7686a6e2208b7c8
SHA151a75e525d881506b9d717c04517603c262ed167
SHA256d28aa7c448f27c9121925931469f774da20acd0d2e1834d49d159baa2f4b4abe
SHA5125744ca3ab5686e6e24d843f8b2d1a8593da6bbee2f015bad1c32dcb223293071bfe4619c7ef1f6fe79f490bf19f45d58c4c351315fc4eb9075dba971954d085a
-
C:\Users\Admin\AppData\Local\Temp\macA2B5.tmpFilesize
358B
MD514739f7d86ebc59524d1f379b32397f0
SHA1884acc0579970c637f02370b5fafabdbb4c1c1cf
SHA2561f4978fd9ab8cdbafb5f8457b97b0feb4217d19d9fea49af9caa6bd46b58f9f1
SHA512f2e7650ecce616ab0fac4c832f67322f78021cbe2e4a08d117f9a2c2aefc0d31114914570bb5a36a077d62e1b29f67fb5e2e25ec05bc231ed62955d8de4c4e52
-
C:\Users\Admin\AppData\Local\Temp\vULb3Uqr.xlsmFilesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exeFilesize
7.2MB
MD5bf194c1f69ea179613a00c300a537fd6
SHA1d88ca448d3cb748f0bb8488cf2779adafb19170c
SHA256774dd36da750db779d107b39e7f6f6f4c6f0766b2722d8d234971639d6e16fbf
SHA51259e2ef379bafe0a4bc62bcf299776f1a837e0e86ef42651cd8c309a13e4a3d434a7cd4f844bb7346669a84a8d905b44e5ab9da9de557d11ef6e74210306039c4
-
C:\Windows\SysWOW64\Remote Data.exeFilesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
\Users\Admin\AppData\Local\Temp\._cache_HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeFilesize
8.9MB
MD5b36e16fa438970508f45003f96db3fad
SHA17c603bf2a00da0873eaa28306a0242dfdb2ff6b6
SHA25622ac8239eb13919b2df924d2fd401a0f680aa04344fb1d736529d7459ef871c7
SHA512bca069aa983df6924f1f2a9f21bc7644d5c0540af521f34d5a8eabdc1ea78f85a5188ca7794a2ae3bfce9734bbe7b8c15cead12d91e4c52cef3ef4337c041623
-
\Users\Admin\AppData\Local\Temp\HD_1ca73cd5afdea64c01d33f652c47a9c6c3ee446fd5dd49bd6e8ff96fd89772d4.exeFilesize
9.7MB
MD51ecb6542eeece9094ae447f5ad6a9323
SHA1e91a40252e966f1defe12e5483de56ca0867c19e
SHA256a653a6264fc3618cb11792861e56703a268b6873033ad777d4f708ad73471b94
SHA51211135e11fc6c53b87e3eef6b1bf47c75506c8f1617f3146c64c94cbd27e54568a5081b4d87aab806329864c330fc49c3d950055ecf5aa8e932c17858883aa2b5
-
\Users\Admin\AppData\Local\Temp\N.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
\Users\Admin\AppData\Local\Temp\R.exeFilesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
\Users\Admin\AppData\Roaming\MyMacro\binding.exeFilesize
1.7MB
MD56abd36f782e36bcf9e90a3230d6ca97f
SHA13c3d5760a8db6c66f4c5b8c31cbf2613a8a7d6b9
SHA25613652dae4ec58de8a20da51c7455f34144554b91d25ac1c72bec9cbe361ca752
SHA51205463e3c0028e8e39787465e4529ad22c9c64c2a29701c4673f983b50852573aa3c197c2307fdf58d9ab514cca06f058cc17a8b53d28e76957792be7ac1acce6
-
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dllFilesize
59KB
MD5b35416c2b3e818894df95608b76934f7
SHA1bbdd1c0f49e9ce54e9312f5edfead76d343c21cf
SHA2568147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3
SHA51292382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf
-
\Users\Admin\AppData\Roaming\MyMacro\qdisp.dllFilesize
303KB
MD5014c01cd6522778e1e15be0e696dfe0c
SHA1c908376fcc4525ec5c4b35d289ef1361ea5cb2d9
SHA256259eaf1ddc9bf610d11a22413853b3d4386fc5a8412c6e602c74eb43f1a32d46
SHA5123b8d040b4a6e879ecf3bafba336b2fc8d793d4f6931902faf87e8f64faf6eca7f1f21485794cffe16c7d0ea907b9f6db93df0b4bae8cb3684733e95608523fd9
-
\Windows\SysWOW64\259423625.txtFilesize
899KB
MD59e1d97f2afa28a34ee6776f5974192e4
SHA1a2ba1ae20079a7e6b5fe61e1e3a7f0b092799bd6
SHA25691c160408144ae6cdaff8f7a2a5060dc7c9c6d1123e448c6becdbee309ee1d36
SHA512c5b8f7d07e22d46a29db600a9a2af4ed9fd16d87cdd9c7b9c7e05f1da08092049861c7a6844dd6051e80f280bda4b23d2a4d0c72095d0dd1752bf3621da9b61e
-
memory/1272-209-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-258-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-267-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-154-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-278-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-276-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-261-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-273-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-270-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-216-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-197-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-220-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-202-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-206-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1272-204-0x0000000000400000-0x0000000000B31000-memory.dmpFilesize
7.2MB
-
memory/1360-203-0x0000000004E10000-0x0000000005541000-memory.dmpFilesize
7.2MB
-
memory/1360-152-0x0000000004E10000-0x0000000005541000-memory.dmpFilesize
7.2MB
-
memory/1360-153-0x0000000004E10000-0x0000000005541000-memory.dmpFilesize
7.2MB
-
memory/1800-169-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1876-201-0x0000000000400000-0x0000000000DB0000-memory.dmpFilesize
9.7MB
-
memory/1876-196-0x0000000000400000-0x0000000000DB0000-memory.dmpFilesize
9.7MB
-
memory/1876-257-0x0000000000400000-0x0000000000DB0000-memory.dmpFilesize
9.7MB
-
memory/2524-41-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2524-49-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2524-54-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2556-20-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2556-21-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2556-18-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2572-102-0x0000000000400000-0x0000000000DB0000-memory.dmpFilesize
9.7MB