Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-05-2024 04:05
General
-
Target
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe
-
Size
3.0MB
-
MD5
dbdcba579712bb10c7a344394d555a70
-
SHA1
46f76cc72521de1bf792e1f354e35cadf67a7171
-
SHA256
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3
-
SHA512
5b788f8aabbbcae5e0105bb899b378669cbfc39b6d49b09c6510b28e3e2941dfb01ce9309eac267a55ad62303aac155bdfed6b24300672ab12e83538a7e2662c
-
SSDEEP
98304:2oo0b+Djihd+BbSiXnnxxwoax6JBAUZL+:zCa7+BusxLJVy
Malware Config
Signatures
-
Detect PurpleFox Rootkit 5 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 2 IoCs
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 12 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe"C:\Users\Admin\AppData\Local\Temp\6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exeC:\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\0528~1.EXE > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\1.exeC:\1.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 5723⤵
- Program crash
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\1.exeFilesize
2.0MB
MD5bafb857b13d2ef0c14597e0b714c3ab4
SHA16d89ab8e303db39f5cd55f643fa1449a554bab49
SHA25659656c9826aeb3a543064724e4f091469ac04429c80db9416b389c0f48f47c5f
SHA512c6fd61482b03b3ac6c9a7815825fcc974986c8bf6dfaeb6466ad591c32957f5e6cdbe6aba23f995989a5b3fa180292b54c81c55bfe74e0dddd7a6065936a4043
-
\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exeFilesize
357KB
MD51e7965a5200d61cbfccedf12a04a6076
SHA11c0038a124ccd9ba4f1e1857f15ea32b06cb107d
SHA2566f2da003627c0287fbd5666fbc2e55f15dcbbd536937fa7d5df0b0c0df5fb787
SHA512e6268c7314f48b4e11f3f222243bb326aed62cd3d334fa4f32e7e760063fa2937f3ea1900d90cd2f97a4b5f0cc512b1fe43b28162f5f27d2b7728aee7bc51db3
-
memory/1924-11-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/1924-13-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/1924-29-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/2408-33-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/2408-53-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/2812-5-0x0000000002270000-0x00000000023B3000-memory.dmpFilesize
1.3MB
-
memory/3036-32-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB