Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
26-05-2024 04:14
General
-
Target
73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
-
Size
1.5MB
-
MD5
affef89f172cffe917c2b42dc69638e6
-
SHA1
50836283636ff872201ee06780c939eaeed43eab
-
SHA256
73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c
-
SHA512
9dde0b203eabaf711af813df895a7577e6e1e967710410c652d35138a741053a4c84119412b170fbd6494a277b565b77bb6efa9aebd8a6036fbc568b175b98c8
-
SSDEEP
24576:509tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+qDVD:509XJt4HIN2H2tFvduyS8VD
Malware Config
Signatures
-
Detect PurpleFox Rootkit 11 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 12 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 14 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe"C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RVN.exeC:\Users\Admin\AppData\Local\Temp\\RVN.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exeC:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://qqgame.qq.com/download.shtml3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5340b298bd483bf2fabeec522658aa17e
SHA121ec7afaf44f7f23da448d2e51a579b73a5b0d74
SHA256d8ecbcda64957b9dd2ee7bf0047f3d0c0d0c42162b6f646559ff6b24614e61b2
SHA512e509ec2dabe99d35f5fe02b89e542d6eb182e73a165ab76475d978b4911d3eb48abbc6a8ce27506e8eb681f9e5e54a01d044a3b10e12319b9e8ccdd216fbba69
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fb71637202090867edb28a6aab3721ea
SHA1058ad723e3e4ebf5cc004a77ce01674256d61f67
SHA256fcab13dd7601406e5be6b89e158f26edbe959164d8d5ec39fe0c5c9dcc3dc90d
SHA512c235332c91285bb011c7f93d9647657108b3b000e9d60bff5e2f9af53b7878d090b9feef631b1b1ef4fadf9daf28c33467c79fa651ddb98952fda9a5bf3b82a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a8c39b93b4af096cc1b27d1a299bf5bd
SHA1ec16c58320b612862201bb6f627ed10830dedd48
SHA256544bf5dfd74e0c52d6ae0d76eb419d5a633277d81b00a5efa5c06a81c6bbc37a
SHA512ac00dfe290ce0b65d828936b7ddeab5027c7cc76f8d46c52ebe82b782c3861a7464e85fd0124d66b935198b76b175ea4a12b93f72ec6b29a03bd5c8057ade1fc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD55e383e8abaf814c0e406d6c23d8a1371
SHA1ceb33589dafe473cc0ae8ddc87d20714063010bd
SHA2568643925dbc13b621f701e88cba489be751c1772a7de0fdd55b97b1ae349275ec
SHA5123576cf1257dc9caf2e5c0e001f8a0e7e27379391d2b7f2d75ec123384598e3f702ce43abeb58cbc60e4f52c8f775d5df545b7d7b9afbbee0d73991e9ef1e84d2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57d7e1f561edd558eff3deeb396f4f39f
SHA1c356bbf03c1dfa5ff5d4bf636733f3571e01870e
SHA25675d5399283d42c60980abafc5e012ac703632ff99bf5ce188f3f9e54f792d3a0
SHA512b3ad2378c28026e459cc164de4ecca15308841865a468b1c41da247b4375355c925fe169389f5acbc91a5bf63aab92609f6433781f638101f85e57066a6d3543
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56408d7f1f81f44e0a199e68f4e024f34
SHA13bffbc14696bdaf20190aea72d6ac42fa26b54ff
SHA256b66a0abb317b342009e2edf015eb997cc7eeac9902479628545c8397a28d02c8
SHA51279fcab7c76d6cf6a3b98e3a04c786fabf00e04ef2891322733d514f9a1f615cc47172153f6dafa35ec2fe6edde44726a24f95f5eca12461b0993e8bfd880e8cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fcc3d18f707ceae0b3c902d5f69cde51
SHA1c2e1d99704548eff1cffe8889be4d0d8873b90ca
SHA256a8d1681cfed05278dc7be1abc696680b0c6fe5e8004614ca14294676253109a4
SHA5127aaf8747c8e86bcf129581c70f975e1e75fd30786f40973cb8bbd1aae1788b81d4ab9c7e8437a473abd81d18cbd79effd76e8338480cedd86844dbdfbd32da52
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54e98b57f2a5dfac5b171297395095625
SHA19b15df66d53dfb5769105839782bdb34d5498dcf
SHA256902cb228850a7b2066005035a90178c522a448492d8f14f35b4c314453c603c8
SHA512ff1d2aad9664e54d68941af03c201a5c5d588581f70d4c158cf9565ef0b7a71ac2733ba0327f2dbd84d977b5e290b5cedf608a6da2fcdebd19b90c7002e99a21
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD566c0147bf448f46f909c9b8a1d6456f9
SHA18fa624737325d92255683ee5c3ca62a010ba128f
SHA2569e95694a518cd41a8dd493e0fcac974fc517c80e5331a8cbf2c3500d538e6a3b
SHA512707a7bb18a9f335a0c56ac5b2f5082fefefe21f14ae97f63d0ce9a5e434ca9558bb2818c567be8893f291cc58f6ac6f1dde4696576fca679b440d83a9eb10fb1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5dbbec85b561b4f53c09949e9bfd73f18
SHA1bc0016f7de04f6171c779ae0c269e9c0d9882826
SHA256f58845c70bf1a127b900418c82b77d4983eb7c3d56d1d60be5b53a5c21f72d0c
SHA5123013c5de97ded36d05925c4aa746a84250388d487bc285e9abdefb1f7904ec128aa9949dda845aed3a85fbdc791823e98016591e06840902f29a85e1a5a49cdf
-
C:\Users\Admin\AppData\Local\Temp\Cab3CF3.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exeFilesize
198KB
MD526ad88629608fbdd06212a4ca11362d1
SHA18aa8791c5d18b8192623380082e044ab5f5bf99b
SHA2565b0493551e2be141fa80d7ee577b40406606a27410a7b326401569df70eec878
SHA51282d60898a8955f5c107dbac7108120cd432752cc1b267bc59c9be2a1eff6c0f6172ef31af49d8f24a287c97ad4521eeec26992091678b7334aa03a5d56180d7f
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.3MB
MD54e652dd88fdd5275e3ff16afdbc08980
SHA11a0c5b5db2c39c129d50e5f508b217a8902fcd06
SHA25690c346a9569f31486503d534e261af23b0f6c39f28d49f1d0eb42425d2cceae0
SHA512bcb5c448f82365052a1c098379203e1481755b0cedf32ef6ae3015a898b0338fda3f6cf6e09666bc552ae5a8790e7fee753daae7c9066416b4667fde683f6e6a
-
C:\Users\Admin\AppData\Local\Temp\Tar3CF2.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
\Users\Admin\AppData\Local\Temp\RVN.exeFilesize
377KB
MD580ade1893dec9cab7f2e63538a464fcc
SHA1c06614da33a65eddb506db00a124a3fc3f5be02e
SHA25657a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
memory/2260-21-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2260-8-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2260-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2260-9-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2260-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-29-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-73-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-26-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-28-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-38-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-35-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2764-30-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2972-25-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2972-20-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB