Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
26-05-2024 11:06
General
-
Target
47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exe
-
Size
9.5MB
-
MD5
b0f7d9f58ea4a05269b88f330c82a500
-
SHA1
2bf8eb173b1959b54f5d2b52f504341f8b6fcde7
-
SHA256
47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82
-
SHA512
2a89db94e60cd2ccb58ab1dcf3d9397ff9ff9912f825c57ff9e8f8a791927a541116070708823ce08cde1cfaf829649b826abb312fad2e240a25ac25b6a14fbb
-
SSDEEP
98304:3GdVyVT9nOgmhrluL5dyWRudqIqf7mR31gvfTn5IGAW8ZZWAIxnqODAMLwJBAUZr:EWT9nO7Gol7S70wAJWAW1UJVr
Malware Config
Signatures
-
Detect PurpleFox Rootkit 11 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 12 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exe"C:\Users\Admin\AppData\Local\Temp\47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\HD_47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exeC:\Users\Admin\AppData\Local\Temp\HD_47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 9123⤵
- Program crash
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240596828.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4920 -ip 49201⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_47693bfe4cfbb84f7d582b50cdb43f13791d1b2b7996f2c342091814bbdd7f82.exeFilesize
7.9MB
MD5b41849196494f96020fc8b86d73f4e2b
SHA143d260823059fa04493984559e11af766e7acf6f
SHA256982c049b039501564f25bf23bd5737a4082273427affa5759bd1b3e2184977be
SHA512baf94f17e1ea991d40e562b5f5a8bbf3dec52b880badd9249695cdcbf087286f0adf8244bd73d762222207ff2138b635bf8f18d76868dfb28d293ffb6f2abb4d
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
1.6MB
MD5251a802e8bb13e39fe89ac035ed6fefd
SHA1f429ee4243604981679ee4cba673773f2060ef23
SHA2567c82c3d5b87d76d7efb561d75e845b866ba009f5e3f6d61b46c9d6fe0fe93e1a
SHA512fb520d84b406bdf877e68fd9de6da9484c0f58bf5344045113099ac19d444b45f0c898ff4a6f7b93ad2784aba2400023f9242c4ed5edcf03b56d4b03e07ff838
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeFilesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
C:\Windows\SysWOW64\240596828.txtFilesize
50KB
MD5c24d21458865d6a090ea168151d5fb7b
SHA1ce068224257d12e7412b0651aab7bbe7a5a48ce9
SHA256ca3d7fd64a3d4f0fee4360bd424d8238c5585e87f2668c9a513a4409b1bafa76
SHA512dc067dfe7a0b03a7bf78128a215dde2b94ea19aa7dadf521d5b8440dcba7b8ca82011643942e562e79444894ebc2977dbef7663fade0f01de7e24da4d22bea42
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeFilesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
memory/3220-13-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3220-32-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3220-15-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3220-16-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3220-19-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3444-10-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3444-7-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3444-6-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3444-4-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4032-30-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4032-45-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4032-40-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4032-33-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4920-54-0x0000000000400000-0x0000000000C03000-memory.dmpFilesize
8.0MB
-
memory/4920-93-0x0000000010000000-0x00000000101A5000-memory.dmpFilesize
1.6MB
-
memory/4920-97-0x0000000000400000-0x0000000000C03000-memory.dmpFilesize
8.0MB