Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
26-05-2024 15:18
General
-
Target
abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62.exe
-
Size
8.3MB
-
MD5
f910ac3676bd3f17135199768e7dbea6
-
SHA1
4d694c5310ac75d436cf8ca6c15624106a3da808
-
SHA256
abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62
-
SHA512
61b9ac1ca4cc392e48bd4b2797907a4024bc2f198f4330f4309ae0ccbff1fb7bb022d1187610382cc158dcd5b85365720eef1a4e61a31c7778f64c0ee386de7c
-
SSDEEP
196608:mWT9nO7XXonLJRCsU3lHOYhE0dutEcKEmmI1nzH59a3K2ZXVVoVeB:G7H43xatvE05EW1zH5V2ZFVoVeB
Malware Config
Signatures
-
Detect PurpleFox Rootkit 10 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 11 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 13 IoCs
-
UPX packed file 11 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62.exe"C:\Users\Admin\AppData\Local\Temp\abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\HD_abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62.exeC:\Users\Admin\AppData\Local\Temp\HD_abc6549b39ea1c21d44b1ca196a7bc5b85207f9b2be75ea78f233ea6f34afa62.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 7363⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259399211.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5c493af6c6d39d58e71aff5b37b95d8b9
SHA18aeb8a08e4909ac540e149849e4457c8b439d9e6
SHA2567024f2b42b28dae7515d135adaa87967f37662a3abae067e063ff1d80f15d609
SHA51231867523dcb7d88771718c25eca88e7a5b4a7dc604c5583458be026dff5e408660f6b882713d35ce1115bde6bb5e29c11edaecbe0afaccab2ca1142dc4931ae4
-
Filesize
6.7MB
MD5228d6cc0e7e1399dae79eaa5d6f71e52
SHA1290443a75bfd4108abb6e9f7fc14d4da1542314b
SHA2567189cf2950eb69251a80d120d2a75c860de50d2084bdb7c41a3345e34734958b
SHA512bd4b464037ea2ece9331905da72ef33e6803c0e642a5f051146f1e222186bb3b74a6dd28a309e893413282604a804c9132d52c5f8069902721aa78b5b074d743
-
Filesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize
50KB
MD590748d5d5b4dffe50fa8199b33587a21
SHA155707c4f7cde2304769d12fc595be1e98063ede2
SHA256aeafcd10ab7fac12dbf5dc1a9ad1bd9236b12ef9fa91702fb8bae51a7ea77ae4
SHA512a3f0fa02d6b4ac5808e89e9f8bc2e93ea6199e9d3a1f0694f1f66cbc2381ccfe1c6c90b731fca6fd21956c6cf0812224e7ed42372864444954cdcf9a71d21946
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
17.6MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB