Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 16:11

General

  • Target

    5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe

  • Size

    4.0MB

  • MD5

    04424a5bb943a3308ebbc813a42c4af6

  • SHA1

    cea9d17cd451e46e072305a2fd20f7688df41f40

  • SHA256

    5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8

  • SHA512

    cdd54cb9e5324a3d42a342a707c4f753c5286c55879b0119e8e437bf7f36bd853275a32e33ea8b52ed46f577a48ca24ddc71e000ca2c472c5ba952bde001a31b

  • SSDEEP

    49152:1CwsbCANnKXferL7Vwe/Gg0P+Wh3hqz1UnUhO3YEpjF1Zpr42KedC/:ows2ANnKXOaeOgmhoz1jqtK2Kh

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 39 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
    "C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:1648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 448
        3⤵
        • Program crash
        PID:3860
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:976
    • C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
      C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:812
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1648 -ip 1648
    1⤵
      PID:1472
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:5096

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      a78885dc856faeb57c7549a4b25d6a6a

      SHA1

      62cd1234f65a694281b47fb54f6aeb300d023093

      SHA256

      d586a36a410c287a57fb08f3e0e137f7fa66a303aaa86396c72b81f6abad2c63

      SHA512

      f41c11f88c04a6f3c8fa528c199790ed701d4f5577820881d29d78f239d03171962942deaa8e53320d83784d77a013d243f84b8f4bcd47fb97e056a197f2093b

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      627d66bdc4801d57b692873de12f2875

      SHA1

      8dc1d7a0a4de3498e86c01e90fa1511a415e6d7e

      SHA256

      645050055b9bdafc47a28aef274db47cc1755a4e9fcf1875d099b90c48d7d23f

      SHA512

      f4b9bd1c845354907a9e3243a5317ad312e43abfece7336f070465aed64f6bbb214959423538c032c01d7157cb558d9e1e1c8b0380819d08a339fba4e4d419d3

    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD09E.tmp
      Filesize

      15KB

      MD5

      1a545d0052b581fbb2ab4c52133846bc

      SHA1

      62f3266a9b9925cd6d98658b92adec673cbe3dd3

      SHA256

      557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

      SHA512

      bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Z5ILU938\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
      Filesize

      1.1MB

      MD5

      45ebd25a2158aed5d54f1164c964c860

      SHA1

      15b6b76c2853b8309e2b2182bb02b42c8c1e9371

      SHA256

      22b1e9dd9ec5a056817f425234674aa961a649758f13308a698a4c92854ce4c3

      SHA512

      16cfdaa5d59d73f7cdd58f621b68b4b22d775b556194f40aa04c99c8798eddc5dbefe844ea3c161c0e188de2143f9c16764011ac68efcfb0d658e84d3cbb0419

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
      Filesize

      2.9MB

      MD5

      b7ab7ab6b9c445db7a50620450970f77

      SHA1

      683a231521d6dd10664aec1b70f182065d24aef7

      SHA256

      04bf4712a8fbde15c7aab1397dbf6bda316d2221b5eaabaa1aadc31df52444bb

      SHA512

      2771b164a5598d5f7cbc85ad2baae18b2a4b7bda9ad77194c304dc39ec38ba00e810c71820d1508743182eb33a36aa99474e897ba34050b20c29ccc8e5f5197b

    • C:\Users\Admin\AppData\Local\Temp\N.exe
      Filesize

      377KB

      MD5

      4a36a48e58829c22381572b2040b6fe0

      SHA1

      f09d30e44ff7e3f20a5de307720f3ad148c6143b

      SHA256

      3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

      SHA512

      5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

    • C:\Users\Admin\AppData\Local\Temp\R.exe
      Filesize

      941KB

      MD5

      8dc3adf1c490211971c1e2325f1424d2

      SHA1

      4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

      SHA256

      bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

      SHA512

      ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

    • C:\Windows\SysWOW64\240596437.txt
      Filesize

      899KB

      MD5

      0ea572dddfbad4b1571d9303ff0c3b19

      SHA1

      0cbffaa84db8c9c1c739a032378b2e6995fcaa0c

      SHA256

      fb70755ccf0eec39694f2a60326c7150cd4cdb69065025758ed1a1cb26856c83

      SHA512

      2284ad9ad65d049e2035c9342a06c4c87a6f0213b14a2ffe5b2189bb72fcfca34f0d831dda8539b2df41d0bc88f85771c07ca8e155a114a39f3caa1c0d6c4a5c

    • memory/1420-15-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/1420-18-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/1420-14-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/1420-12-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/3544-27-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/3544-33-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/3544-23-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/3544-24-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/3544-21-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/5096-37-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/5096-39-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB

    • memory/5096-42-0x0000000010000000-0x00000000101B6000-memory.dmp
      Filesize

      1.7MB