Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 20:12

General

  • Target

    110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe

  • Size

    13.8MB

  • MD5

    9aeb5d33d7baf9ffbdca5182deedb84a

  • SHA1

    721577f413624058b99c4a53da6bddd9f4b0f1db

  • SHA256

    110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637

  • SHA512

    db48a7a2f0d1195bc17da011452ebecb0ec0b5c2ba258e9037285d04e948053b73e31bb63901a367824b930b531299292272f0947960a992b5f3663d38b46083

  • SSDEEP

    196608:cKXbeO7B2/k/IXN+BupbShmbuR7HY4QIA6TC6otdn3gY3QIA6TP:d7aChG6xo3e6P

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 19 IoCs
  • UPX packed file 21 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe
    "C:\Users\Admin\AppData\Local\Temp\110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:232
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2268
    • C:\Users\Admin\AppData\Local\Temp\HD_110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe
      C:\Users\Admin\AppData\Local\Temp\HD_110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Checks processor information in registry
      PID:1780
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2952
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1082 System Information Discovery (3)
  • T1012 Query Registry (1)
  • T1018 Remote System Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BR56F9.tmp
    Filesize

    42KB

    MD5

    d31fa7d86a093997da6252a984b7b6bd

    SHA1

    700ab94f433798c70b8165503fb5ea1774fdd45a

    SHA256

    32d6cbfb9433bedfa29cc46a0b7d2ab0fb6d084e8f2e9a8c55295065bbad5128

    SHA512

    15e45f9fa4fc627c41e971dda84bede1c0ca069df8d3c0d2b21b0fec3aca500cc555466b6930fe265f99d1aebee3056e50e43404b33f913f114cd1987b7fc38c

  • C:\Users\Admin\AppData\Local\Temp\BR5739.tmp
    Filesize

    403KB

    MD5

    a210f1ac135e5331c314ce5f394fb5a5

    SHA1

    355afc1c61e1f65834472b16a4ca718e61537dc2

    SHA256

    65b32ea2982078fb9a18e88feec238cb76ed2ae6c2bb4ddb0f6a9c4f57b1d62b

    SHA512

    e4e70ef75e2f7897837f6772b9a0dcaaf4515d8be4210b28509f12cdde9d85bd7bed604ad5a9ee587356971f75e6f79874dbdb974cec4996262295e255501cf4

  • C:\Users\Admin\AppData\Local\Temp\BR5DC2.tmp
    Filesize

    35KB

    MD5

    08ad4cd2a940379f1dcdbdb9884a1375

    SHA1

    c302b7589ba4f05c6429e7f89ad0cb84dd9dfbac

    SHA256

    78827e2b1ef0aad4f8b1b42d0964064819aa22bfcd537ebaacb30d817edc06d8

    SHA512

    f37bd071994c31b361090a149999e8b2d4a7839f19ea63e1d4563aada1371be37f2bfcc474e24de95ff77ca4124a39580c9f711e2fbe54265713ab76f631835a

  • C:\Users\Admin\AppData\Local\Temp\BR5DD2.tmp
    Filesize

    121KB

    MD5

    4ff365a985db06a0d705d2149cafbe69

    SHA1

    04f39e572a888016be8775c50280588c5e89c440

    SHA256

    c26277333c29e32837338613bd1b42e722601471fd703dcd30160cf89dac9da3

    SHA512

    fc71651731d9a733bfa44adb708a95471bf029c1f60dacc7ddecc0d51e45ba9c3ead28a6076436b52f0f07a99742832c51e1f0dcdc69ed1d247d28b7d78e1557

  • C:\Users\Admin\AppData\Local\Temp\BR5DE3.tmp
    Filesize

    400KB

    MD5

    027491b39a7b16b116e780f55abc288e

    SHA1

    62c0ab7c3e374d5fc9920983ee62baa4421076b4

    SHA256

    eef69d005bf1c0b715c8d6205400d4755c261dd38ddfbbfe918e6ee91f21f1f0

    SHA512

    fe0ba835d9af2a2c297a545bb7e30d315b580273bb1f558f16d9cba59755200a4735f75b1672e5e5fbed449eb7a5abb6d905696674c181b742bf637028953194

  • C:\Users\Admin\AppData\Local\Temp\BR5E03.tmp
    Filesize

    72KB

    MD5

    c04970b55bcf614f24ca75b1de641ae2

    SHA1

    52b182caef513ed1c36f28eb45cedb257fa8ce40

    SHA256

    5ddee4aab3cf33e505f52199d64809125b26de04fb9970ca589cd8619c859d80

    SHA512

    a5f2660e336bf74a1936fb2e1c724220d862632907f5fd690b365009ac3e1bf35fa6689071f3da4049e495f340ff83f8438b79079ef1f248b9dcaedbdd5d3e40

  • C:\Users\Admin\AppData\Local\Temp\BR5F9B.tmp
    Filesize

    30KB

    MD5

    b226b75915b944bf20f96addfd6e4f87

    SHA1

    d1e745996ffd68c6ae91c2ac2c65b2d77bfd0eab

    SHA256

    91910bf7a630d272d5389aa6dafc4e71f32298731b4f44d39b6a0b0d34bd1a3b

    SHA512

    4913d11666057269249880668c92ec7d28788e3041bc18b6a9f72f94e2ca375464ada6242de694159e4ea99cce934b01a981f60171e7a739607bb9df6d07421b

  • C:\Users\Admin\AppData\Local\Temp\BR5F9C.tmp
    Filesize

    74KB

    MD5

    924b90c3d9e645dfad53f61ea4e91942

    SHA1

    65d397199ff191e5078095036e49f08376f9ae4e

    SHA256

    41788435f245133ec5511111e2c5d52f7515e359876180067e0b5ba85c729322

    SHA512

    76833708828c8f3fad941abeea158317aff98cf0691b5d5dfa4bca15279cdad1cc23a771258e4de41cf12a58f7033a3ee08b0b5eb834d22be568ea98b183ccd9

  • C:\Users\Admin\AppData\Local\Temp\BR5FAC.tmp
    Filesize

    102KB

    MD5

    5bbf62faf1e96dea7752dc930ae150ad

    SHA1

    d9b6a1b2fdea2a2047168963925ea0c581d596e6

    SHA256

    39ca391d58ec87f407227c5129194d747cc690bac514bbe735346c23db0a5462

    SHA512

    1c2ce49d0554a10b5793e54d89014131a041f061f2b3ae110ddc73f0349a1adeaca5dc76a7b6c244e89f97eaddf1d423d60089eb14e8a16427bbd4fb411d0585

  • C:\Users\Admin\AppData\Local\Temp\BR5FCC.tmp
    Filesize

    24KB

    MD5

    4cf27e0747e5719a5478aa2624f6b996

    SHA1

    13df901e34f77e5ea11f36c0afedda7f86a2c003

    SHA256

    e69a9d06f2c17cc021ebf9b62ca110548facdc147b67dea4846e09865043d2d9

    SHA512

    4b0ddcbd7321128f977e1dbbe18cc76c7e489d4ee84b7775989e99778b5a60daa683c6063c5b700794b7f2070ae381fef20b19b3cb35c1babef9be79ff264941

  • C:\Users\Admin\AppData\Local\Temp\BR5FDD.tmp
    Filesize

    24KB

    MD5

    124e89d0fcc409ede3595a253b788708

    SHA1

    bc88e037c3edea02dd20aeff10818105be9f4033

    SHA256

    27ea1b57a3024aec4a03188e80fdb2aa301fa5179c19be9c8b0dfc2aac73a114

    SHA512

    7cd0ca268a5dbd2aa22dbce1f253a2d067ca30c5195e059c3f431d546a20d1811592f8bd8fe88b6ad9cb5c6fdd6a4666ff451b84a5e790a9d5058865d48790b1

  • C:\Users\Admin\AppData\Local\Temp\BR5FDE.tmp
    Filesize

    100KB

    MD5

    606f13d4d580b1f322b3f3d3df423bba

    SHA1

    02cb375e13b415edc8b5360dffdba531e47827ed

    SHA256

    c71a16b1056e522cd0365449448116d06f37a3273d77694d170340064511dd25

    SHA512

    867a45dc15e99148f24fc528fbc9255582e5534bb4696700292b70163fddb15f35ddf2acd0536a9cd78b4d8f9d827bf7530d2303bfd7e428f11573b381a0986c

  • C:\Users\Admin\AppData\Local\Temp\BR5FEF.tmp
    Filesize

    56KB

    MD5

    145d5c49fe34a44662beaffe641d58c7

    SHA1

    95d5e92523990b614125d66fa3fa395170a73bfe

    SHA256

    59182f092b59a3005ada6b2f2855c7e860e53e8adf6e41cd8cd515578ae7815a

    SHA512

    48cb0048f4fcf460e791a5b0beca40dbf2399b70f1784236b6d1f17835201d70dfa64c498814b872f57e527793c58a5959230fe40ddf5ebdcb0b1de57e9c53ef

  • C:\Users\Admin\AppData\Local\Temp\HD_110aff8d08cf207cffa06b6dcd5913e47085c17303b500897853adc0758a4637.exe
    Filesize

    11.3MB

    MD5

    0a2f190c7b8e2744733944822bd317f3

    SHA1

    c2f2c0726ecb8230eba1953c3120ddd24f16745b

    SHA256

    7997cb88db3331191042eef5238fbf2eba44b9d244f43554a712996eba2fff49

    SHA512

    a50d4cfd6e320d685a398aa700072049e3bcdf8062b326003a3958ac562dfed96c9d01917dd8892093e1e856944e668425e6bbeaa9c8a92dd2075ceb205b1226

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    2.5MB

    MD5

    704bef68fbb8832a7200d360d74ba34c

    SHA1

    dde49321af2cbbfa458e54ae52257e05751b163e

    SHA256

    f45013c09e4a1a4aad68fa5441d715f6782e58add9af90efcddc8292409a8b38

    SHA512

    0827efbabaf908d4fad6ce4e2341982e29063eb73be9ef564ccf250fdf3eb4eb70165bf4222d22c4c53037ff0c7d1524d5438113c7b80ab3aa39400799e8809f

  • C:\Users\Admin\AppData\Local\Temp\N.exe
    Filesize

    377KB

    MD5

    4a36a48e58829c22381572b2040b6fe0

    SHA1

    f09d30e44ff7e3f20a5de307720f3ad148c6143b

    SHA256

    3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

    SHA512

    5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

  • C:\Users\Admin\AppData\Local\Temp\R.exe
    Filesize

    941KB

    MD5

    8dc3adf1c490211971c1e2325f1424d2

    SHA1

    4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

    SHA256

    bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

    SHA512

    ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

  • C:\Windows\SysWOW64\240603687.txt
    Filesize

    899KB

    MD5

    505b011058907fda41a3c02d76f98f1e

    SHA1

    cffd2775c2aece94c6c09d95313608eb01f932d1

    SHA256

    b8b00db53bd7f3bb82d4fe1e3ac48325082c79051b6fd0ea2fad103a88b9ca1c

    SHA512

    02c4f1643f1b7150c4b2d339e4a3e6134ff1efcf796d42ccd88b65592f736b357981bba500f1745ca7a1cdd646974048cc34c252408e214ff017240ae3caca6f

  • memory/1780-144-0x0000000002F70000-0x0000000002F7E000-memory.dmp
    Filesize

    56KB

  • memory/1780-135-0x0000000002F50000-0x0000000002F69000-memory.dmp
    Filesize

    100KB

  • memory/1780-42-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-152-0x0000000067380000-0x0000000067390000-memory.dmp
    Filesize

    64KB

  • memory/1780-188-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-153-0x0000000066C00000-0x0000000066C14000-memory.dmp
    Filesize

    80KB

  • memory/1780-84-0x0000000002FC0000-0x0000000003025000-memory.dmp
    Filesize

    404KB

  • memory/1780-181-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-148-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-172-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-165-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-164-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-155-0x0000000000310000-0x00000000005E8000-memory.dmp
    Filesize

    2.8MB

  • memory/1780-151-0x00000000710C0000-0x00000000710DF000-memory.dmp
    Filesize

    124KB

  • memory/1780-149-0x0000000074920000-0x000000007492E000-memory.dmp
    Filesize

    56KB

  • memory/1780-150-0x0000000066680000-0x000000006668E000-memory.dmp
    Filesize

    56KB

  • memory/1780-154-0x0000000067E00000-0x0000000067E1B000-memory.dmp
    Filesize

    108KB

  • memory/1840-43-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/1840-34-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/1840-39-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/2952-25-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/2952-21-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/2952-23-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/2952-24-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/2952-33-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/3780-14-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/3780-15-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/3780-16-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB

  • memory/3780-12-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize

    1.7MB