Overview

overview

10

Static

static

3

f1b7f05b44...aa.exe

windows7-x64

10

f1b7f05b44...aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    26-05-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe

  • Size

    1.5MB

  • MD5

    7d12de80390c1d0168bf4d63a59a85ba

  • SHA1

    8540287af820cc26717ad18551ff608c12181eb1

  • SHA256

    f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa

  • SHA512

    14a77a3c1a7e69cc2fc2650fe6e4de4bd6272ed867df8842c632638aea03840e5b0c0c6c9819175ab6f729dc3c275c6d761ab8724ed0a8820925607300e73cb8

  • SSDEEP

    24576:109tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+sXAJDVD:109XJt4HIN2H2tFvduySC4VD

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe
    "C:\Users\Admin\AppData\Local\Temp\f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2496
    • C:\Users\Admin\AppData\Local\Temp\HD_f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe
      C:\Users\Admin\AppData\Local\Temp\HD_f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" https://qqgame.qq.com/download.shtml
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2384
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    914B

    MD5

    e4a68ac854ac5242460afd72481b2a44

    SHA1

    df3c24f9bfd666761b268073fe06d1cc8d4f82a4

    SHA256

    cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

    SHA512

    5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    1KB

    MD5

    a266bb7dcc38a562631361bbf61dd11b

    SHA1

    3b1efd3a66ea28b16697394703a72ca340a05bd5

    SHA256

    df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

    SHA512

    0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
    Filesize

    252B

    MD5

    c793e8b965ac6eadefad864359f87f94

    SHA1

    41b43ffa962cbb038f7c433b80358ef6ef6cbf1e

    SHA256

    4cda5e950a31bf744d4bbd1fd7f2ba87625e9337e71e4221dc8e984f24829e5d

    SHA512

    be409123c77d3d0539797754cfabcc4072c9face6cadfe4a353ab20af67aa2d63ae68c511f885450ffd95af7eb050fa66e65516ebfeb5aa1cf8a1edf9982effb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    f1c71180b985915816fd8030f4466025

    SHA1

    d5d7b241544fb5972a6d75e4554094dbf5dcc0d7

    SHA256

    b716c41bdb9d6f4331537bf3890e0760b14af23773ace3119f91c515c04c4217

    SHA512

    701e4e1c04739784d66c49b92cd08e157b8a2da07e9b9b61e7c9db7b05a990a6a1c71ed3cf566482971b79e4cebfb3aa05bd3bb8a797a31a40df9aff656227ac

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c9884a3f32076ca0198ff1766424c276

    SHA1

    94c4d994033bada73ccff357eafc267f4b1bbddc

    SHA256

    32c08bb2cea87faacd6b09705bd6b9242c4c05c8342fabd4ae1d74ee9f9b6e52

    SHA512

    5ea926d2877df74b288540f87f44d790ad861e2ee03ed6656b9b67e01020ec5469dbf5b189b5c69eda3d30c1d3ea3d97cff9421b11bd2b9e76225305bdbed081

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5a976d74d2ae16fdd15a567b1ec67430

    SHA1

    fa9d56878d61234ca3270df1df28e74a4ece0dbc

    SHA256

    32f90fc03186be09d01cc9c5380dce1af838c9c3c600a9e533cf224ae03fd935

    SHA512

    bde4d4369c74cf6b7086cd5fee4401da313bbdeec7f2910bfe28555fa7c43c41c704bb829538fa83d7d523dbf94d2e01203bb5c48a3ff9cfe71f790483ee7068

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    aaa4adf4d9583620ffe1df4be6efdd69

    SHA1

    0cb649f9ba2e207ca2c2701f32068f93e399d0f9

    SHA256

    717aa4d6e7cf53e30e113d81f0115fdc56a815d7f98cae64ae5d8badfb44fc17

    SHA512

    a88d6c6fa56b5fa8547df204eed495c3c3ee501fc0aae2a4fd65672cc7aa95041dcb0978c6e587f39375185609c4d4bd1f09d332c3d41bd2205de43ee6bb60a5

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c0577f8da85bbcc15a767b81096f5fff

    SHA1

    72456dde0e66686003559299cf2d001e2fd3a7c2

    SHA256

    569af5e7b28a285cef13f4e44c98e801786a9fe31b26d88cc01ecefe980325fc

    SHA512

    b60bbf522de4b4a0616cc3fa80394a7ba62a44098aa687ccf963063c3ec2dde53a43929403e9d3168144ff53c1052bb71b8c4c0655f6c5d7832e850ae95d8951

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    7ce8441b5fa498b1b8019baf060fe702

    SHA1

    5b52ae088a820b98d74d9c2b73786ba166445240

    SHA256

    266937e2c913d1a12690cc2b44a1d97fafd44fc7a7a1b59c86c14443be65c3d7

    SHA512

    ef58e6870f4dfd12bffb26aa20d3b17bbbfcc08e3c91edb993d8b5252217ddb4ffff6edeb14ffaa973929cb3d8ea8d80bd615cf9504248def18855a7451fa910

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    24f443240f048b41c33a89c21338009b

    SHA1

    6783bb922edd63421e2e4c8c946d6b351292f911

    SHA256

    ec679b78a281f893b38968e265bab6420ee03ce3da991dfa922e0dff52e6ccf9

    SHA512

    e1c00f94f6d2ba927240171425817c32facdb1767b961ffbcfc8913f08b53704ded2862f2dc40f6a7b3ef124f0b67662c67bb3f68263789741fc6d77cba1e899

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    c9f8eca16468b3e58ed17bd3c9767303

    SHA1

    c7a7bff7065d73793c767ff8082d3c7953211da1

    SHA256

    60a201b83c5e6566d2805d9d9311ae3fe0d19dfa400b83f01b473583e3dedd67

    SHA512

    30ef396d9488b4844eafe52e702e2afe7c9ac847fa2a6d10ece870c6ced3271b792a0eead65ebdff6a3c61904d7f22ee3ffeb2e2486eb8405aad5b26b9d282af

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3b50ce3722d571b209b4c4e2ba91153b

    SHA1

    ce63cf5475e701cdf8bbe9f2e6717693cfee0e0e

    SHA256

    6d9b1b38eca209579af800f880c3033b48b1a68675779ce5a2edfe0f80e57471

    SHA512

    7ce3fc8181724dfe9ddbbf717876b5864f02a238466d1a631a8b8f96eaf8242968c4c0805ce6d7c898a1c6db014c1b496715d0ea9640eee7a12a7e65e7df16cc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5676aaf3931f21b7c4fadb7d561dcc2d

    SHA1

    67e24156c20cdff0b291081bfb4cc4514b58fecc

    SHA256

    eecb89cf97e089cf99e7b9f878794c0d17518f4ca5534a695a5646919319a8d6

    SHA512

    612e085c387f957bafc2a16ad382dcc4e61309b4fdb309648f37eac15e77e798d5fb4dfcb1d2ccf644a2a3ac4046e334af5800058f5076e2ee796411747286ba

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bd269db2fd93d1b10c292ad332bdb233

    SHA1

    b8dee1fddcbdfe942bb6a02ad501e4be2133df5c

    SHA256

    6ba0ff65d49578a9bcf2bac82974142c951a1225144e23a4ed56d4d070c7150a

    SHA512

    a7d7460e8077c9e9af4ec5fffde31bd637a6574410e0df5af57e965265eec11f67a9b690daa7f206a1c7ff5a2a6685a2cf1a65e3bcd92404d17338ca2719d97b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    3d6649f5266851d2d58e332e4b3c69ca

    SHA1

    93aa5e5bdd0c5e8d12964723335f456b19b2f0b5

    SHA256

    2f56db41957e041ad3f87a313fad906bec9b9c81551e424569a7682d77fc1de7

    SHA512

    086999c089b13920bded541253ce90c7fb608c33c26017a300f42dd245302bf62a31c93322783786ec710f28e08e91f850d1f28f0bf464b285e11d1a020565bc

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
    Filesize

    242B

    MD5

    4020d89d45625c5f018cfec5ea8b33eb

    SHA1

    afb3efbce89430a33cdc76b17afbb9793ca9aafc

    SHA256

    9d232d637768749b147738925446ee84b0f19c9954184daa01c5eb392e2dbe16

    SHA512

    d780b7dcfc44b7054eee91dc638f4cf88e5cdba9d2bae6497ad53542e7a677287dc85ab01f2457bada427bcab1e4790a92331cce4266f5863893733d607e6a5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab2F6A.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.3MB

    MD5

    026f265f266be6490bb1b8a21e2dda44

    SHA1

    65f2fd0488023fbf0eda0e187ea82ba38cadb7f4

    SHA256

    68196b7c53fb1b3cbf585472f9adcae7d6a01862996a61fe12d6edc243120d69

    SHA512

    d79bd305a73b5665ae1362c902e73b0dc8f000df469ff5172d81e0ef554edeb4bb46e3e7bb6880f43e6f7ad893aaa5eda69f520ef8be1f9e7094b110b544431f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\HD_f1b7f05b44e9a3ab0c8e1067351d24d649e8264ea406e66941c9944bdead86aa.exe
    Filesize

    198KB

    MD5

    26ad88629608fbdd06212a4ca11362d1

    SHA1

    8aa8791c5d18b8192623380082e044ab5f5bf99b

    SHA256

    5b0493551e2be141fa80d7ee577b40406606a27410a7b326401569df70eec878

    SHA512

    82d60898a8955f5c107dbac7108120cd432752cc1b267bc59c9be2a1eff6c0f6172ef31af49d8f24a287c97ad4521eeec26992091678b7334aa03a5d56180d7f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2F7C.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • memory/1208-33-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1208-18-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2100-23-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2100-8-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2100-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2100-9-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2100-5-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2768-55-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2768-38-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2768-35-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download