Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 09:36

General

  • Target

    1d426cb0de85dec68fbb7517fef822d6c5efb07d0d9e74ffc81819d0001ab1d4.exe

  • Size

    1.5MB

  • MD5

    cf2fc9e14d535a0a37778d7a3a362164

  • SHA1

    c4d239fecb9a0a37cbfc32fb3077987b52ce41c4

  • SHA256

    1d426cb0de85dec68fbb7517fef822d6c5efb07d0d9e74ffc81819d0001ab1d4

  • SHA512

    f35ac125e03f99c46c8e8379d142b0cc792f56c03947777099c9b7b09cce0a025a3e7f45f22e5fecf6f4863c512f3358337c5b5e9b68c673724c54f0177b5c58

  • SSDEEP

    24576:eYVLN+uGOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:BTT3HPkVOBTK

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d426cb0de85dec68fbb7517fef822d6c5efb07d0d9e74ffc81819d0001ab1d4.exe
    "C:\Users\Admin\AppData\Local\Temp\1d426cb0de85dec68fbb7517fef822d6c5efb07d0d9e74ffc81819d0001ab1d4.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2188

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2188-0-0x0000000010000000-0x000000001019F000-memory.dmp
    Filesize

    1.6MB