Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25-05-2024 15:35
General
-
Target
a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exe
-
Size
3.4MB
-
MD5
a3d9224595dbb786b7b95e54a2216523
-
SHA1
0fc7cd5136febce9d4ce47ca17713d8eff53a0ff
-
SHA256
a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7
-
SHA512
4b46c340b36a7feb185e02a5c3a8f396218c03178296cefb03115223f8b68dcf292d5b1c8e47bc3ddcaff03e19ac0851265119619fdddfdd4b0aa358dc0107c2
-
SSDEEP
49152:o09XJt4HIN2H2tFvduySXwXChnNRiecnAssQZj3Fl+s8KuqGaX0ToIBAUZLYu:NZJt4HINy2LkX0UnNnssQZ0JBAUZLB
Malware Config
Signatures
-
Detect PurpleFox Rootkit 7 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 7 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 10 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exe"C:\Users\Admin\AppData\Local\Temp\a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RVN.exeC:\Users\Admin\AppData\Local\Temp\\RVN.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exeC:\Users\Admin\AppData\Local\Temp\HD_a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 2883⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.2MB
MD5300e285b5507dbfb049b50d83a5525f9
SHA1246f78d78e691731482d59603ee6fa64e321cb1e
SHA25657e2d14098470bd98ac87c1bb7f991b2167d9c8a857fe70715ae34d7f74641c4
SHA512a08e7e098d489220737fa24488516ac4aa100712be0371bb72be23623fd275b0a3d684585944237cabb5450ac07f68ea6c354f9b9ae3bf1c7da45ac3a261c86a
-
C:\Windows\SysWOW64\TXPlatforn.exeFilesize
377KB
MD580ade1893dec9cab7f2e63538a464fcc
SHA1c06614da33a65eddb506db00a124a3fc3f5be02e
SHA25657a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
\Users\Admin\AppData\Local\Temp\HD_a94f166fb8f1288968754f523ccddc215b3c4061402f4ee7a4010f857a9039f7.exeFilesize
2.3MB
MD5110c2472b8f8901f054d8167180ae9c0
SHA116a74bdfe1bfc5a6159b361ea720d9c52a8afc03
SHA2567d2df37006d0544d5e54ae31d74d6afa03ea0b836f4c9725cbd8845d229a8304
SHA5129f90b578ca45b30b19251c43bd73d8fd64e8d933f43064ab978e546961e1906ab802b89f3295522c2661343ab0bcc0ac601b45bcf5f8412289a4b496ce74aff9
-
memory/1956-8-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1956-12-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1956-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1956-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2616-35-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2616-43-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2616-32-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2888-31-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB