Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
26-05-2024 07:02
General
-
Target
cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe
-
Size
1.5MB
-
MD5
3232dd1fe39974d4c420656906861e77
-
SHA1
ef342366eeb045f7ffe20cf1fb1bcf80350836d0
-
SHA256
cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e
-
SHA512
44c37b7b9e0371cd85359fb66e0f2cab4cbec427d9c239b12f041f81f3c742de2a86e2a2db20368d45fe605840947b9f70ecccccbc7db557b3e7482d4e400c4a
-
SSDEEP
24576:F09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ygWDVD:F09XJt4HIN2H2tFvduySAg2VD
Malware Config
Signatures
-
Detect PurpleFox Rootkit 9 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 9 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe"C:\Users\Admin\AppData\Local\Temp\cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RVN.exeC:\Users\Admin\AppData\Local\Temp\\RVN.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exeC:\Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://qqgame.qq.com/download.shtml3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3008 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCCFilesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCCFilesize
252B
MD5f1334d427bb80d324fc7b53373b153e6
SHA1e18f8f8f642437182789d94dd3e85dffa1ca95d9
SHA256ade1d57ec5f20ae30c25f70d90a62a4c7e8cd89c4df6eb1527848a446a939498
SHA512cc26e717544cd49e94a8e99323643be920d2fc731aa8d0d916686cd5e3660bee8956977109b5a5c8bfdb1dff40af37864730a6b8baa922a688f17159c94f37e3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e6aab726a12816426bb0c9565874fae8
SHA162e26113856624e7618c8360dbd2cfedb7c179ae
SHA256892db43c84ed117437ef3b05a5312961c01fdb4086a62d4ad41759075c6849b4
SHA512ba4b419454031650094f4c0e9f6ede99c4d2b369afbdec2521b1c2ee927997fc7e306ebc2d130e178164b2be90e18987eac9a56ab6289cbcae1b93e02a0f5c92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57f9743d32951c55813da19952b3837da
SHA1eb0e1452203231df31b6ad5ef7c095ff768884d7
SHA256213b3226db8561f43abb8b50e333f11fe9b3977125c8556ab2b7f7a46468a3ab
SHA5129ad38bf7adb743db2a5b4094b7edaf18f88ea873730804719df87df36409c93ddc6bcc41d0366ebbd698155da5198da09221e7f43958c24706905d2a54e306fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51ccf7bfefe6e2a4eadc98ffcc032cc1a
SHA11f7212fbcb32186cd47fdd474b7bf2214f496750
SHA256037df5bcad62883e293677bb9afe4f8fc1948509b02e922b6d0f6c8ddf4eb318
SHA5121669290705ce71eaa46e01b605c6a9479e237d5433ec1e51517aec3799357649e5a91f28e0a0ca7eb12d3861aae849b69f3fe0f36b87b14bcf282848e46be8c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD58c9a4a625c61577b6b7a4def91769b26
SHA1b1acf8e88b8b14b23f7d16bb191405761c080bd3
SHA25671b009078c8c3743981c1ca45d5f78ca635ce01bacc20ee4a3abc307903cfd50
SHA512425a62c587f9ccce2ec990ae249de1730e1fdbac1c3d765b9f1626c096cbd1748e77a9cae81431cf2bd37b2ee88cfaee05a89fe79449de13a9abc8244cc8f29d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cb3fda8410eaccae4c97d611647023e3
SHA1b65d3821d553f2571cd8923056d33d4e595352a9
SHA256af5bc10b98013dfb6f4c861437c7204bb9a8815d4dbadcd2b8347c6d01815d84
SHA512e93a3d9f3fdc928121320b718c0bd8a674e69af4f23efd469a11f307c5dcb4455bc6639be638e984b5338e7967c026aa0e7b3964c9b3447e965b3396fd25bea4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5310b28d245dc7088690d44f93164d09c
SHA163d99abc9cec7aa53fa7b0dc1abad0a18d992c89
SHA256e1a00388eeb4ee7975572ca7290b40532414853492aa156470f2efb060254f24
SHA5127ae168d4ca6cce6bd49f039f9f3a0691d947deb31f4f3dcde844942d334ee17da96bfb7d40b022d6212b5df201ab9a854e96f1e837ad0323cf71abbecbcaef33
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD524c898f2b0366e03b90e11a73ae3fe83
SHA154037957086838453eaefc2dfeff1516d6d90040
SHA256d06d439f1ed4c1b9f982d43cdeb8151ce236668c368899518e3c4ed4aef2c301
SHA512561c6e2ba4004596cea2e3098f68c8ca99db32d9f690cd961c6a2431567b18e8c42333897c8e14815e95e0dd848538f75f20b7cfb50abd60e43c5a5a43bfc0fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5efbdc4302c8efad9092c06fa74696753
SHA1037da5260a9bdd5c5e8a62f4c230b2ee07d52e70
SHA256ad27051a74518052265c3b17a176ce1f287fe272c05b46a84542d69ad24d914d
SHA512a7ff0e6aa9223e0ad795f5d0e8df7847c9cd1c9f427a403f56952bccdd4fa3cdc99737d929b939dbed8867b5e749d2c21249aacd935c155e62de140878a524b3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56a253ee87eb8e00ca5a1f47c0e4634dd
SHA102382b30675c8f70e6ff346c5cb231e0af86502e
SHA2563f0b6127364770a8d70ab599cfc6197e2fdc83640c8650dfc879844407747bc9
SHA51230e59ba790174c918c1c0378da028c94965be17fc31fc12e532680cb8a96d1f7c8304fbb38efbda624eecc9764982b5a8a50a49724a062f846ca1a226ce044d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5a71da3587615c2f84967c3762cefb8c9
SHA1305f4db514e7be999544222fe7941148545f8b06
SHA256288e144bff8d041f43fd5f5f2b974b1aefc787d9ff8bb2803eaefdd93a8f36e3
SHA51246f2f9ce07f40f445d6a5209aafe32f45dd6df366dc56645f6873ce292e89cabca5029e85cfd8240e760ffa4908155fc746f7e7330ea0722c151a9a08ccee7a9
-
C:\Users\Admin\AppData\Local\Temp\Cab39F4.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.3MB
MD550baf78c236743c8796ad40ab83d2196
SHA141027a7ce66ca2e22dc03ddc3bb03c2759153fd7
SHA2561530502e8e91f41dc93bda3887e776c859ca4a9904ccccadc9456d65aa556ba7
SHA512c6172cbc61bb08d00e5c4aa8a44fff670816fd96f956949f1a6bde62d6e5d5764a24c694fac8ec32fdfd11df6652f0851d246959b609a7b149d505d82af6b27a
-
C:\Users\Admin\AppData\Local\Temp\RVN.exeFilesize
377KB
MD580ade1893dec9cab7f2e63538a464fcc
SHA1c06614da33a65eddb506db00a124a3fc3f5be02e
SHA25657a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
C:\Users\Admin\AppData\Local\Temp\Tar39F7.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
\Users\Admin\AppData\Local\Temp\HD_cbdf429298f272cd8248f68f0ecce4d97170a93698a4a9a145b745488f4c491e.exeFilesize
198KB
MD526ad88629608fbdd06212a4ca11362d1
SHA18aa8791c5d18b8192623380082e044ab5f5bf99b
SHA2565b0493551e2be141fa80d7ee577b40406606a27410a7b326401569df70eec878
SHA51282d60898a8955f5c107dbac7108120cd432752cc1b267bc59c9be2a1eff6c0f6172ef31af49d8f24a287c97ad4521eeec26992091678b7334aa03a5d56180d7f
-
memory/2384-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2384-8-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2384-22-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2384-9-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2384-5-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2632-33-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2632-24-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2940-72-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2940-37-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2940-34-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB