Analysis
- max time kernel: 150s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 19:05

Static task: static1
Behavioral task: behavioral1
Sample: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
Resource: win7-20240221-en
General
- Target: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
- Size: 1.2MB
- MD5: 8aba8ab36bd1a735b9fc3e2b2d011424
- SHA1: a3d37028ad95b1721b6f927a82fcc124ec60f0a1
- SHA256: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381
- SHA512: 74c6cbeb683cc773e04c9dcc1c43720c5bb6abcbb63e3d32c141594eebcab76c8ae83387aac5011aee628866099fefca74826c65fb38a35c0fdd263ccf7c1762
- SSDEEP: 24576:D09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+vQa:D09XJt4HIN2H2tFvduySJ
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/4196-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4196-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4196-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3536-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3536-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4428-29-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3536-22-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4428-31-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4428-36-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4428-38-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 10 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4196-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4196-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4196-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3536-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3536-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4428-29-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3536-22-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4428-31-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4428-36-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4428-38-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 4 IoCs
Processes: RVN.exe, TXPlatforn.exe, TXPlatforn.exe, HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
pid | process
4196 | RVN.exe
3536 | TXPlatforn.exe
4428 | TXPlatforn.exe
3032 | HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
Processes:
resource | yara_rule
behavioral2/memory/4196-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4196-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4196-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4196-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3536-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3536-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3536-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4428-29-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3536-22-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4428-31-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4428-36-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4428-38-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
Drops file in Program Files directory 5 IoCs
Processes: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
description | ioc | process
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
pid | process
1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes: TXPlatforn.exe
pid | process
4428 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: RVN.exe, TXPlatforn.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 4196 | RVN.exe
Token: SeLoadDriverPrivilege | 4428 | TXPlatforn.exe
Token: 33 | 4428 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4428 | TXPlatforn.exe
Token: 33 | 4428 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4428 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
pid | process
1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes: 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe, RVN.exe, TXPlatforn.exe, cmd.exe
description | pid | process | target process
PID 1332 wrote to memory of 4196 | 1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe | RVN.exe
PID 1332 wrote to memory of 4196 | 1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe | RVN.exe
PID 1332 wrote to memory of 4196 | 1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe | RVN.exe
PID 4196 wrote to memory of 2128 | 4196 | RVN.exe | cmd.exe
PID 4196 wrote to memory of 2128 | 4196 | RVN.exe | cmd.exe
PID 4196 wrote to memory of 2128 | 4196 | RVN.exe | cmd.exe
PID 3536 wrote to memory of 4428 | 3536 | TXPlatforn.exe | TXPlatforn.exe
PID 3536 wrote to memory of 4428 | 3536 | TXPlatforn.exe | TXPlatforn.exe
PID 3536 wrote to memory of 4428 | 3536 | TXPlatforn.exe | TXPlatforn.exe
PID 1332 wrote to memory of 3032 | 1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe | HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
PID 1332 wrote to memory of 3032 | 1332 | 910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe | HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
PID 2128 wrote to memory of 2376 | 2128 | cmd.exe | PING.EXE
PID 2128 wrote to memory of 2376 | 2128 | cmd.exe | PING.EXE
PID 2128 wrote to memory of 2376 | 2128 | cmd.exe | PING.EXE
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe

  Level 2: C:\Users\Admin\AppData\Local\Temp\HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
    - Executes dropped EXE

Level 1: C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\HD_910ffd7bcaeedc8e4c1c07055e7577dd4dc7e50a75268d9651ee4101654e8381.exe
  Filesize: 34KB
  MD5: a315c4cd7a75dbf18d179d12e5884e35
  SHA1: 4c2a6ddc976a907da8ce30e149aab7523e3adf1e
  SHA256: 24112cfc6106563a77265d8115a69e0482bc948bfc78895816f64b2a1cc88ffa
  SHA512: a12a806c3116de0107c4cb8e6fb72a2535ffaeb15f3835964142d4ffc7f7d31ed67dc50a384906e24855a67cf017b9bb2d557dfed76872bfbc86ad4c9d985adb

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.2MB
  MD5: 18e6c646d468eb671e80c5ce640c9218
  SHA1: f9b5f2fd8bd22284109fbcaf51dbf2271ee4fec0
  SHA256: 92c8af069a8d200040157688997cf1a1bac0b3ed335d56f2c29b343984218a9f
  SHA512: ccb3462fc43645d311ac089e279b7c6175810cc78a16f111670614e9736a34fdab859e4550ca3bd70dcf0266966dd3871f0f694c5c34b95011d0a32f6f364d53

C:\Users\Admin\AppData\Local\Temp\RVN.exe
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/3032-94-0x00007FFEFB090000-0x00007FFEFBA31000-memory.dmp
  Filesize: 9.6MB

memory/3032-44-0x00007FFEFB090000-0x00007FFEFBA31000-memory.dmp
  Filesize: 9.6MB

memory/3032-40-0x0000000001EB0000-0x0000000001EB8000-memory.dmp
  Filesize: 32KB

memory/3032-39-0x00007FFEFB090000-0x00007FFEFBA31000-memory.dmp
  Filesize: 9.6MB

memory/3032-37-0x000000001CA90000-0x000000001CB2C000-memory.dmp
  Filesize: 624KB

memory/3032-33-0x000000001D030000-0x000000001D4FE000-memory.dmp
  Filesize: 4.8MB

memory/3032-30-0x00007FFEFB345000-0x00007FFEFB346000-memory.dmp
  Filesize: 4KB

memory/3536-22-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/3536-16-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/3536-17-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/3536-13-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4196-7-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4196-10-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4196-6-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4196-5-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4428-29-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4428-31-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4428-36-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

memory/4428-38-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB