Overview

overview

10

Static

static

3

cbdf429298...1e.exe

windows7-x64

10

cbdf429298...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe

  • Size

    1.5MB

  • MD5

    3232dd1fe39974d4c420656906861e77

  • SHA1

    ef342366eeb045f7ffe20cf1fb1bcf80350836d0

  • SHA256

    cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e

  • SHA512

    44c37b7b9e0371cd85359fb66e0f2cab4cbec427d9c239b12f041f81f3c742de2a86e2a2db20368d45fe605840947b9f70ecccccbc7db557b3e7482d4e400c4a

  • SSDEEP

    24576:F09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ygWDVD:F09XJt4HIN2H2tFvduySAg2VD

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe
    "C:\Users\Admin\AppData\Local\Temp\cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1644
    • C:\Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe
      C:\Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://qqgame.qq.com/download.shtml
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3008
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1808
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    f1334d427bb80d324fc7b53373b153e6

    SHA1

    e18f8f8f642437182789d94dd3e85dffa1ca95d9

    SHA256

    ade1d57ec5f20ae30c25f70d90a62a4c7e8cd89c4df6eb1527848a446a939498

    SHA512

    cc26e717544cd49e94a8e99323643be920d2fc731aa8d0d916686cd5e3660bee8956977109b5a5c8bfdb1dff40af37864730a6b8baa922a688f17159c94f37e3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e6aab726a12816426bb0c9565874fae8

    SHA1

    62e26113856624e7618c8360dbd2cfedb7c179ae

    SHA256

    892db43c84ed117437ef3b05a5312961c01fdb4086a62d4ad41759075c6849b4

    SHA512

    ba4b419454031650094f4c0e9f6ede99c4d2b369afbdec2521b1c2ee927997fc7e306ebc2d130e178164b2be90e18987eac9a56ab6289cbcae1b93e02a0f5c92

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7f9743d32951c55813da19952b3837da

    SHA1

    eb0e1452203231df31b6ad5ef7c095ff768884d7

    SHA256

    213b3226db8561f43abb8b50e333f11fe9b3977125c8556ab2b7f7a46468a3ab

    SHA512

    9ad38bf7adb743db2a5b4094b7edaf18f88ea873730804719df87df36409c93ddc6bcc41d0366ebbd698155da5198da09221e7f43958c24706905d2a54e306fb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1ccf7bfefe6e2a4eadc98ffcc032cc1a

    SHA1

    1f7212fbcb32186cd47fdd474b7bf2214f496750

    SHA256

    037df5bcad62883e293677bb9afe4f8fc1948509b02e922b6d0f6c8ddf4eb318

    SHA512

    1669290705ce71eaa46e01b605c6a9479e237d5433ec1e51517aec3799357649e5a91f28e0a0ca7eb12d3861aae849b69f3fe0f36b87b14bcf282848e46be8c1

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    8c9a4a625c61577b6b7a4def91769b26

    SHA1

    b1acf8e88b8b14b23f7d16bb191405761c080bd3

    SHA256

    71b009078c8c3743981c1ca45d5f78ca635ce01bacc20ee4a3abc307903cfd50

    SHA512

    425a62c587f9ccce2ec990ae249de1730e1fdbac1c3d765b9f1626c096cbd1748e77a9cae81431cf2bd37b2ee88cfaee05a89fe79449de13a9abc8244cc8f29d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    cb3fda8410eaccae4c97d611647023e3

    SHA1

    b65d3821d553f2571cd8923056d33d4e595352a9

    SHA256

    af5bc10b98013dfb6f4c861437c7204bb9a8815d4dbadcd2b8347c6d01815d84

    SHA512

    e93a3d9f3fdc928121320b718c0bd8a674e69af4f23efd469a11f307c5dcb4455bc6639be638e984b5338e7967c026aa0e7b3964c9b3447e965b3396fd25bea4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    310b28d245dc7088690d44f93164d09c

    SHA1

    63d99abc9cec7aa53fa7b0dc1abad0a18d992c89

    SHA256

    e1a00388eeb4ee7975572ca7290b40532414853492aa156470f2efb060254f24

    SHA512

    7ae168d4ca6cce6bd49f039f9f3a0691d947deb31f4f3dcde844942d334ee17da96bfb7d40b022d6212b5df201ab9a854e96f1e837ad0323cf71abbecbcaef33

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    24c898f2b0366e03b90e11a73ae3fe83

    SHA1

    54037957086838453eaefc2dfeff1516d6d90040

    SHA256

    d06d439f1ed4c1b9f982d43cdeb8151ce236668c368899518e3c4ed4aef2c301

    SHA512

    561c6e2ba4004596cea2e3098f68c8ca99db32d9f690cd961c6a2431567b18e8c42333897c8e14815e95e0dd848538f75f20b7cfb50abd60e43c5a5a43bfc0fd

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    efbdc4302c8efad9092c06fa74696753

    SHA1

    037da5260a9bdd5c5e8a62f4c230b2ee07d52e70

    SHA256

    ad27051a74518052265c3b17a176ce1f287fe272c05b46a84542d69ad24d914d

    SHA512

    a7ff0e6aa9223e0ad795f5d0e8df7847c9cd1c9f427a403f56952bccdd4fa3cdc99737d929b939dbed8867b5e749d2c21249aacd935c155e62de140878a524b3

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6a253ee87eb8e00ca5a1f47c0e4634dd

    SHA1

    02382b30675c8f70e6ff346c5cb231e0af86502e

    SHA256

    3f0b6127364770a8d70ab599cfc6197e2fdc83640c8650dfc879844407747bc9

    SHA512

    30e59ba790174c918c1c0378da028c94965be17fc31fc12e532680cb8a96d1f7c8304fbb38efbda624eecc9764982b5a8a50a49724a062f846ca1a226ce044d8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    a71da3587615c2f84967c3762cefb8c9

    SHA1

    305f4db514e7be999544222fe7941148545f8b06

    SHA256

    288e144bff8d041f43fd5f5f2b974b1aefc787d9ff8bb2803eaefdd93a8f36e3

    SHA512

    46f2f9ce07f40f445d6a5209aafe32f45dd6df366dc56645f6873ce292e89cabca5029e85cfd8240e760ffa4908155fc746f7e7330ea0722c151a9a08ccee7a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab39F4.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.3MB

    MD5

    50baf78c236743c8796ad40ab83d2196

    SHA1

    41027a7ce66ca2e22dc03ddc3bb03c2759153fd7

    SHA256

    1530502e8e91f41dc93bda3887e776c859ca4a9904ccccadc9456d65aa556ba7

    SHA512

    c6172cbc61bb08d00e5c4aa8a44fff670816fd96f956949f1a6bde62d6e5d5764a24c694fac8ec32fdfd11df6652f0851d246959b609a7b149d505d82af6b27a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar39F7.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe
    Filesize

    198KB

    MD5

    26ad88629608fbdd06212a4ca11362d1

    SHA1

    8aa8791c5d18b8192623380082e044ab5f5bf99b

    SHA256

    5b0493551e2be141fa80d7ee577b40406606a27410a7b326401569df70eec878

    SHA512

    82d60898a8955f5c107dbac7108120cd432752cc1b267bc59c9be2a1eff6c0f6172ef31af49d8f24a287c97ad4521eeec26992091678b7334aa03a5d56180d7f

    Download Submit

  • memory/2384-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2384-8-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2384-22-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2384-9-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2384-5-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2632-33-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2632-24-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2940-72-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2940-37-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2940-34-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download