Overview

overview

10

Static

static

3

2024-05-25...id.exe

windows7-x64

10

2024-05-25...id.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-05-2024 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe

  • Size

    14.0MB

  • MD5

    58ed8e68a96f66291f5ee1dabe5629d1

  • SHA1

    14a50a50dcd67986cf489af3e8bdc9b44dae8f00

  • SHA256

    508a7e5c5be104649c9124bb5b26de46f2b99a6481041e7462212d6d5db32f96

  • SHA512

    ca5195e7869b8af11c2258f10cc5aa306085a345838982545d7e5a3e818049dacd7dc3c7ecc6c0ca3e718586254a24f7ef09921d1441e95745ea7dad177d2ff7

  • SSDEEP

    393216:j7IFUO++TLjEEElpFlpclpclp6lp6lp5e9nN6zYcJqUejs6F:f2TLWzJ8jsy

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • UPX dump on OEP (original entry point) 13 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:3832
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:4192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 448
        3⤵
        • Program crash
        PID:3724
    • C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
      C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.qq.com/products/285647/faqs/88645
        3⤵
          PID:2424
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\TXPlatforn.exe
        C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:2592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4192 -ip 4192
      1⤵
        PID:2588
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4292 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2556
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5052 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
          1⤵
            PID:32
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4896 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:2540
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5552 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:4584
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5876 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:908
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                  1⤵
                    PID:3148
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5216 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
                    1⤵
                      PID:1012

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\VideoLAN\VLC\vlc.exe
                      Filesize

                      2.5MB

                      MD5

                      1c34fddc55b02a9eec4cc8acc8e64e62

                      SHA1

                      5b4a1f0293115182651fb7f66a74aa79442e8ba0

                      SHA256

                      f942af9efc956e0b9fd5832cbd1cb6bdd83266a64f3fbe8b9bc773dce26d6cd9

                      SHA512

                      3e4001a8392971fb12111dfda63e20e7bf35a2047f1eae91b3bc56513481624d7806a4a6c52d73f037a73df9eba311696ed209daad1202884608b5ccd4cd2512

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\HD_2024-05-25_58ed8e68a96f66291f5ee1dabe5629d1_icedid.exe
                      Filesize

                      12.5MB

                      MD5

                      ab5e6b6b4d64a08b7daeca9e8cbfc0a1

                      SHA1

                      929aac76bbde2bc56ba4b644895b44efc63c68d5

                      SHA256

                      5b142673c19eed6f5b7023eeaba3585784f6d46da8746d5c2604a1a1b1f7f409

                      SHA512

                      6523f5d8d6dd9aa8a8793e856c4629b5d664659f1193123a890e74ca86dc90e60099bcbd7d3f69f93bff5b14808eda3c3ebb9808de3bbd68d513645a9a071441

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
                      Filesize

                      1.5MB

                      MD5

                      6e63c6b990dce1307432d21aa52ec946

                      SHA1

                      3c14653ed90f7201e7acd329a31a4050aae01998

                      SHA256

                      21d91ffeea7893738543006d409964139aae06428e7ccae1e73555ff4c81f44e

                      SHA512

                      989e55bc8ef4f05f945ebe44db3a9701a195d1ba35c2cdf848ab1205d61fc4035593bd753377cd2f4125f7801276520accb297e633cd32d1cd1faceb6e9130d4

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\RCXD88.tmp
                      Filesize

                      1.5MB

                      MD5

                      9cfddc9d5e1bbf49874c66ee874809c5

                      SHA1

                      4570d8194145d28dad4ce9e5f67d5bd6fc7b479f

                      SHA256

                      bd491bed574cb94d089e1bce4b6bd0fb17ab7cb05340f03c135a6cf9eaea248b

                      SHA512

                      98a5fbf77bb0c8093c071885e4ec78b6e8d4fcb24280cfad5ec38460a7699b7a315b8e22a69a21038c7ef64877db6fbb6c96332f621428281f995299c0b4e849

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\X.ico
                      Filesize

                      69KB

                      MD5

                      e33fb6d686b1a8b171349572c5a33f67

                      SHA1

                      29f24fe536adf799b69b63c83efadc1bce457a54

                      SHA256

                      020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

                      SHA512

                      cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
                      Filesize

                      93KB

                      MD5

                      3b377ad877a942ec9f60ea285f7119a2

                      SHA1

                      60b23987b20d913982f723ab375eef50fafa6c70

                      SHA256

                      62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

                      SHA512

                      af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                      Filesize

                      377KB

                      MD5

                      a4329177954d4104005bce3020e5ef59

                      SHA1

                      23c29e295e2dbb8454012d619ca3f81e4c16e85a

                      SHA256

                      6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

                      SHA512

                      81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

                      Download Submit
                    • C:\Windows\SysWOW64\240668140.txt
                      Filesize

                      50KB

                      MD5

                      90ddc22d46131dc52afa92fff0a8abd5

                      SHA1

                      e1a502bee584903b4370f703f5db2026e5ff93e9

                      SHA256

                      1786b75f1d97156af64c7d37f3968b8e39a8ba4fca1092102b6fb3f192a7ff9d

                      SHA512

                      fa9302fe8644dab2f955132323d6ca19a18a47436e088dccdb3617eaae6fe9370e7ae483224960243810622c649d038cb6bf503104983b280bb3f8977c0f8d20

                      Download Submit
                    • memory/2592-37-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/2592-48-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/2592-39-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/3040-44-0x0000000010000000-0x0000000010116000-memory.dmp
                      Filesize

                      1.1MB

                      Download
                    • memory/4460-18-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/4460-22-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/4460-21-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/4460-43-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/4460-20-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/5012-9-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/5012-42-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/5012-8-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/5012-7-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download
                    • memory/5012-5-0x0000000010000000-0x00000000101B6000-memory.dmp
                      Filesize

                      1.7MB

                      Download