Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 04:56
General
-
Target
5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exe
-
Size
2.1MB
-
MD5
deaaf235691b14ce4ca5439bfc3e74b0
-
SHA1
3120e7b8ab25f20538a086f07c9e6ac97c2d831c
-
SHA256
5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e
-
SHA512
daa820e090eef91d01243fb92848626c1ba42007eff7a8def48ad7b0f2a1201d7b7922c6a69c97025270cca9415e4f0aa1566f5701c9fdadb19b1ecbd14bbf32
-
SSDEEP
49152:eQZAdVyVT9n/Gg0P+WhoPpeD5dyWRudqIqfovfK2ZPItx2apeapelI:PGdVyVT9nOgmhnD5dyWRudqIqf7XtUva
Malware Config
Signatures
-
Detect PurpleFox Rootkit 10 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 11 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exe"C:\Users\Admin\AppData\Local\Temp\5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\HD_5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exeC:\Users\Admin\AppData\Local\Temp\HD_5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240602906.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_5bace5af1fcf0476db0d6c4dd8588e90456d7b7b7dc17b9e283c768baa70995e.exeFilesize
645KB
MD500eae789b0aab1b0fbd23b830fbf1064
SHA1e4e5fd089f6ae17c83f073cf91edc9db8189980d
SHA2567addb2269266ac471a690802cab54539b40c2ae5b31e2120fdcf8dfb0ed15dc7
SHA51223a0e06b39f8b5a932ae5b8f60704ba265332b341ac8bab5b74b2f31f04ce8c7fe6f77278d70c7685cfa894ab0e25a70d89990f5f643b54c07337f90fa5943fb
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.4MB
MD5a2072b32defd8278306f695b936616d5
SHA1403b5092f3a97fdca87e735b2b66096c8164b63c
SHA2563412d481c411c8604eb6475e9b142bbbd22a97565ff8ade77939876145d3bf39
SHA51256a89e5003cd1dd8155ef805809b7798fbb66f7b746a6abd38a7062696e21f4513e3f4a895eb6f502872f331f11f88848a41517206cdb2735232cecba0b914f8
-
C:\Users\Admin\AppData\Local\Temp\X.icoFilesize
71KB
MD5fb44f7af2882d222b600539171f54c1d
SHA10c5a1a0b1620a55a0f194464227be25a2f0347e1
SHA256f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487
SHA51221e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeFilesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
C:\Windows\SysWOW64\240602906.txtFilesize
50KB
MD56c8e7fbfc6628dcd2f096202d6f3286d
SHA19924f2bb0499439d61d9dc3ab168416b9d0d1420
SHA2565231a120de78f130d1025290c3a6c075e1bcc8c2a5cc4d4731852e33785b78e7
SHA512f326d5367beea57abc9ed53eec6bbf571fd86837b9e55959c6c01044edcdde5c2aa19317c8cd174e823785c4c226993055df6fd66afca537442b85168c256422
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeFilesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
memory/1856-13-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1856-15-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1856-16-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1856-17-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/1856-29-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2828-47-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2828-36-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2828-42-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4508-4-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4508-10-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4508-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4508-6-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB