Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 14:51
Static task: static1
Behavioral task: behavioral1
Sample: d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe
Resource: win7-20240221-en
General
Target: d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe
Size: 2.4MB
MD5: 7ced3632e47c00c46cf4b38111c14735
SHA1: 1a67efa94dc4d6110becbe6b733b73ea368a2a28
SHA256: d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e
SHA512: 3db7b9561465f9ad980f6eff2ececd02093d4deff4a33b8d63c7258cfbac535aa3283d2503da95fae57bd77a2400c37f11c40df6a4d886f265a43b6787538bce
SSDEEP: 24576:jCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHZ:jCwsbCANnKXferL7Vwe/Gg0P+Whpw
Malware Config
Signatures
YARA rule purplefox_rootkit matched in memory 9 IoCs
- behavioral2/memory/1664-14-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-24-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-33-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-49-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0st RAT payload 11 IoCs (YARA rule family_gh0strat)
- behavioral2/files/0x00090000000233ff-5.dat
- behavioral2/memory/1664-14-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-24-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-23-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-33-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-49-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in Drivers directory 1 IoCs
- File created C:\Windows\system32\drivers\QAssist.sys (TXPlatfor.exe)
Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (TXPlatfor.exe)
Executes dropped EXE 4 IoCs
- pid 4220 R.exe
- pid 1664 N.exe
- pid 1532 TXPlatfor.exe
- pid 2380 TXPlatfor.exe
Loads dropped DLL 1 IoCs
- pid 4220 R.exe
YARA rule upx matched in memory 12 IoCs
- behavioral2/memory/1664-12-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-14-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1664-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-21-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-32-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-25-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-24-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/1532-23-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-33-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2380-49-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in System32 directory 3 IoCs
- File created C:\Windows\SysWOW64\240603468.txt (R.exe)
- File created C:\Windows\SysWOW64\TXPlatfor.exe (N.exe)
- File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe (N.exe)
Drops file in Program Files directory 1 IoCs
- File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
- pid 1132 WerFault.exe, pid_target 4220, procid_target 82
Runs ping.exe 1 TTPs 1 IoCs
- pid 4348 PING.EXE
Suspicious behavior: LoadsDriver 1 IoCs
- pid 2380 TXPlatfor.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeIncBasePriorityPrivilege, pid 1664 N.exe
- Token: SeLoadDriverPrivilege, pid 2380 TXPlatfor.exe
- Token: 33, pid 2380 TXPlatfor.exe
- Token: SeIncBasePriorityPrivilege, pid 2380 TXPlatfor.exe
- Token: 33, pid 2380 TXPlatfor.exe
- Token: SeIncBasePriorityPrivilege, pid 2380 TXPlatfor.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- pid 3076 d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe
- pid 3076 d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe
Suspicious use of WriteProcessMemory 15 IoCs
- PID 3076 wrote to memory of 4220 (d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe, procid_target 82), 3 entries
- PID 3076 wrote to memory of 1664 (d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe, procid_target 89), 3 entries
- PID 1664 wrote to memory of 2012 (N.exe, procid_target 91), 3 entries
- PID 1532 wrote to memory of 2380 (TXPlatfor.exe, procid_target 92), 3 entries
- PID 2012 wrote to memory of 4348 (cmd.exe, procid_target 94), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe (PID 3076)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e.exe"
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\R.exe (PID 4220)
    cmdline: C:\Users\Admin\AppData\Local\Temp\\R.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    C:\Windows\SysWOW64\WerFault.exe (PID 1132)
      cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 448
      - Program crash
  C:\Users\Admin\AppData\Local\Temp\N.exe (PID 1664)
    cmdline: C:\Users\Admin\AppData\Local\Temp\\N.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2012)
      cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (PID 4348)
        cmdline: ping -n 2 127.0.0.1
        - Runs ping.exe
C:\Windows\SysWOW64\WerFault.exe (PID 692)
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220
C:\Windows\SysWOW64\TXPlatfor.exe (PID 1532)
  cmdline: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatfor.exe (PID 2380)
    cmdline: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
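The process tree above shows a short two-stage chain: the sample spawns R.exe (which crashes under WerFault) and N.exe; N.exe writes TXPlatfor.exe into SysWOW64 and then removes its own file with the `cmd /c ping -n 2 127.0.0.1 > nul && del ...` delay idiom; TXPlatfor.exe, started with `-auto` and re-launched with `-acsi`, writes QAssist.sys into system32\drivers, sets the QAssist service ImagePath directly in the registry and loads the driver (SeLoadDriverPrivilege). Each of those three steps is a host-side detection opportunity. The following is an added example, not tria.ge output or the sample's code: it runs three detections and one correlation over constructed Sysmon-style events (IDs 1, 11 and 13 and the field names are assumptions of the example; the malicious events carry the exact paths, PIDs and command lines from this report, the benign ones are made up noise). The driver-writer allowlist is likewise an assumption to be tuned per environment.

```python
"""Host-side detection for the three behaviours in the process tree above:
a .sys dropped into system32\\drivers, a service ImagePath written directly
to the registry by something other than services.exe, and the ping-delay
self-delete. The Sysmon-style event shape (ID 1 process create, 11 file
create, 13 registry value set) is an assumption of this example."""
import re

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\b", re.IGNORECASE)

# Processes that legitimately write into the drivers directory. This list is
# an assumption for the example and must be tuned per environment.
DRIVER_WRITER_ALLOWLIST = {"drvinst.exe", "tiworker.exe", "trustedinstaller.exe"}

# Constructed sample events (not sandbox output). The first three reproduce the
# IoCs from this report; the rest are benign noise the detections must ignore.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2012, "image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c ping -n 2 127.0.0.1 > nul"
                " && del C:\\Users\\Admin\\AppData\\Local\\Temp\\N.exe > nul"},
    {"id": 11, "pid": 2380, "image": "C:\\Windows\\SysWOW64\\TXPlatfor.exe",
     "target": "C:\\Windows\\system32\\drivers\\QAssist.sys"},
    {"id": 13, "pid": 2380, "image": "C:\\Windows\\SysWOW64\\TXPlatfor.exe",
     "target": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\QAssist\\ImagePath",
     "details": "system32\\DRIVERS\\QAssist.sys"},
    {"id": 11, "pid": 900, "image": "C:\\Windows\\System32\\drvinst.exe",
     "target": "C:\\Windows\\system32\\drivers\\usbser.sys"},
    {"id": 13, "pid": 700, "image": "C:\\Windows\\System32\\services.exe",
     "target": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\usbser\\ImagePath",
     "details": "system32\\DRIVERS\\usbser.sys"},
    {"id": 1, "pid": 1200, "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 1 10.0.0.5 > nul"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def driver_drops(events):
    """File creates under system32\\drivers by a non-allowlisted process."""
    return [
        {"pid": ev["pid"], "process": ev["image"], "driver": ev["target"]}
        for ev in events
        if ev["id"] == 11
        and ev["target"].lower().startswith(DRIVERS_DIR)
        and _basename(ev["image"]) not in DRIVER_WRITER_ALLOWLIST
    ]


def service_imagepath_sets(events):
    """ImagePath values naming a .sys, written by anything but services.exe.
    A normal CreateService call is carried out by the SCM (services.exe), which
    writes the key itself; a direct write from another process is the pattern
    in this report."""
    hits = []
    for ev in events:
        if ev["id"] != 13:
            continue
        m = IMAGEPATH_RE.search(ev["target"])
        if m is None:
            continue
        image_path = ev.get("details", "")
        if image_path.lower().endswith(".sys") and _basename(ev["image"]) != "services.exe":
            hits.append({"pid": ev["pid"], "process": ev["image"],
                         "service": m.group(1), "image_path": image_path})
    return hits


def ping_delay_self_delete(events):
    """Command lines that use ping to 127.0.0.1 as a sleep before a del."""
    return [
        {"pid": ev["pid"], "cmdline": ev["cmdline"]}
        for ev in events
        if ev["id"] == 1 and SELF_DELETE_RE.search(ev.get("cmdline", ""))
    ]


def correlate_driver_persistence(events):
    """Join a dropped .sys with an ImagePath that names the same file: together
    they are a kernel-driver persistence install, not two weak signals."""
    dropped = {_basename(h["driver"]): h for h in driver_drops(events)}
    findings = []
    for s in service_imagepath_sets(events):
        drop = dropped.get(_basename(s["image_path"]))
        if drop is not None:
            findings.append({"service": s["service"], "driver": drop["driver"],
                             "writer": s["process"], "pid": s["pid"]})
    return findings


if __name__ == "__main__":
    for f in correlate_driver_persistence(SAMPLE_EVENTS):
        print("driver persistence:", f)
    for f in ping_delay_self_delete(SAMPLE_EVENTS):
        print("self-delete:", f)
```

The correlation is the useful part: a file create in the drivers directory or an ImagePath write on its own is noisy on a machine that installs hardware, but the same basename appearing in both, written by a process that is not services.exe or a driver installer, matches exactly what TXPlatfor.exe (PID 2380) did here. The self-delete regex keys on the loopback ping plus `&& del` rather than on ping alone, since ping-as-sleep is also used by benign scripts.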
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.4MB
MD5: 7ced3632e47c00c46cf4b38111c14735
SHA1: 1a67efa94dc4d6110becbe6b733b73ea368a2a28
SHA256: d0d224c3c302243499b6a973deb31edfe432d7919853f8f805b7a509bb39a56e
SHA512: 3db7b9561465f9ad980f6eff2ececd02093d4deff4a33b8d63c7258cfbac535aa3283d2503da95fae57bd77a2400c37f11c40df6a4d886f265a43b6787538bce

Filesize: 377KB
MD5: 4a36a48e58829c22381572b2040b6fe0
SHA1: f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA256: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA512: 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Filesize: 941KB
MD5: 8dc3adf1c490211971c1e2325f1424d2
SHA1: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512: ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Filesize: 899KB
MD5: 2655355ee69a376bbef5b2ff47c2b203
SHA1: 004d31d11bd06f17fe53e2a5055b785c5c98a8a6
SHA256: 9c9d1b9380b46a5662b8c2c33b0bc4bca9bf246c757ae961d7e4c77d611bc693
SHA512: 578569db47d1eb05558952bd702287e671dd0bb4c68b5a19fb14287a535da927a29f64be262cbb607acc00f3e953e291c5fdb74e99df4000d64a1c60f0e4f7ad