Resubmissions
23-05-2024 18:26
240523-w3nh9sbg96 10Analysis
-
max time kernel
112s -
max time network
107s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
24-05-2024 16:19
General
-
Target
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe
-
Size
7.2MB
-
MD5
880814a8c2304729007fa0a008587dc5
-
SHA1
1adc9fc4d58e6271f1db89187e3918bd36147887
-
SHA256
d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
-
SHA512
500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e
-
SSDEEP
98304:9ws2ANnKXOaeOgmhM3nsmtk2aTigPzUYm9uALfprsQunQf7UORs:nKXbeO7QLKsuAdty
Malware Config
Signatures
-
Detect PurpleFox Rootkit 7 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 6 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe"C:\Users\Admin\AppData\Local\Temp\d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exeC:\Users\Admin\AppData\Local\Temp\HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe"C:\Users\Admin\AppData\Local\Temp\._cache_HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240613078.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\._cache_HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exeFilesize
4.0MB
MD596113d3800f5cea8e3a72c8bc7d3654b
SHA13da1635bd56696823613550c1d10d7da0f3be98b
SHA256b144ccd363e6968c615a3cea7933576cf43f84805f240d0795b4ea8a8560fe03
SHA512009ee98e9df8031d7abda144c0eb56dec89f042b40d9ec7a81672e045fdf92097ee79af024f090716a1328af540edd89e670c4a98728d4afd323cce4aaffe4ea
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
2.4MB
MD52141968d005daf36443149f1763ce4f2
SHA10faa7199e05ddd06c1f1e2c3bad8f70fac7eec9a
SHA25679787aa1625449ae9c27027d04ae249b9a80515f10ba9c18183f729252fa062f
SHA512fb18dcf00cf8455ba1841a508342a977a1963bbc8511b4dc593c45d35ced4c9347f761c7e1c864775942093a25df1eab7d5fd0716a96a866f283f36fa3d7feee
-
C:\Users\Admin\AppData\Local\Temp\HD_d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exeFilesize
4.7MB
MD5dbb91b7a30bb67cefad505fd0ac7daab
SHA1cf47b812e6f4eb028a2fd5ed06cd4fddcd01f518
SHA256d814e3a71b711a6b598d1fb95c005d15b8a016f748d17a621b404fe0f681b419
SHA5121d36e9f24e1d0b2903276e859dfa87c179d6450e7345d3a6e35786e3a319a6676d7e85b7db012c1630b025702689ad7237b237481fc761532c51a87c3ff88300
-
C:\Users\Admin\AppData\Local\Temp\N.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
C:\Users\Admin\AppData\Local\Temp\R.exeFilesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
C:\Users\Admin\AppData\Local\Temp\d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca.exeFilesize
7.2MB
MD5880814a8c2304729007fa0a008587dc5
SHA11adc9fc4d58e6271f1db89187e3918bd36147887
SHA256d34b300dea4cb02902be18e5ffac2d219948671c06052ae1b8b4e3301c255dca
SHA512500dfa0d04dee632f0f6733f244e52126c5ff671c459d9705cb9507acbdaa262fbc474d72dc6459d0ce254662e8c2ca7d7afb68ca60a938a1352a9e2252e158e
-
C:\Users\Admin\AppData\Local\Temp\ztVLQEcN.xlsmFilesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
C:\Windows\SysWOW64\Remote Data.exeFilesize
59KB
MD5f57886ace1ab4972b0308f69b1a0029c
SHA1519b2a981cb522ed2b0901f9871f9aa9781a6cd5
SHA2562be981b3686ee5e725583f5936f5f0a0992723cad784457f91d9d1d5a15a0852
SHA512c2b3f016a8c3993771cd5709e469c9dedfa1dd35047691de5e853e2ad0ac025ec210fc6cb662c82d08f62e2c889e5060e796414a4eaf6a6c1719cdd7e5debdf8
-
\Windows\SysWOW64\240613078.txtFilesize
899KB
MD5d764da8d35f6cbb6b6a3c2c888a8cc7c
SHA147fe21d09cf0794fdb3dabd2ae86c415ac3f8b9c
SHA256fd1264d692197b901d66a19b0534facd3600fd30e23ebb68315992fa3e9699e5
SHA512b51b3be2669d14d865449677047b1cbf6758f9c67067b4539e1836ab0349247fec21b838321e7a20d46211b7da0a00a98ea95c9750554959dbfa9e2e6f406e56
-
memory/656-27-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/656-25-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/656-28-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/788-170-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmpFilesize
64KB
-
memory/788-168-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmpFilesize
64KB
-
memory/788-337-0x000001DDC77A0000-0x000001DDC78A5000-memory.dmpFilesize
1.0MB
-
memory/788-171-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmpFilesize
64KB
-
memory/788-169-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmpFilesize
64KB
-
memory/788-174-0x00007FFE5A250000-0x00007FFE5A260000-memory.dmpFilesize
64KB
-
memory/788-175-0x00007FFE5A250000-0x00007FFE5A260000-memory.dmpFilesize
64KB
-
memory/788-321-0x000001DDC77A0000-0x000001DDC78A5000-memory.dmpFilesize
1.0MB
-
memory/1304-366-0x0000000000400000-0x00000000008C3000-memory.dmpFilesize
4.8MB
-
memory/1304-320-0x0000000000400000-0x00000000008C3000-memory.dmpFilesize
4.8MB
-
memory/3020-44-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3020-40-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3020-36-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4224-19-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4224-20-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4224-17-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4692-136-0x0000000000400000-0x00000000008C3000-memory.dmpFilesize
4.8MB