Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 03:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- Resource: win7-20240508-en
General
- Target: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- Size: 14.8MB
- MD5: 9c33b4c7e113445835d001daa05eb0c6
- SHA1: 2d76332da1de1f3ca8cc500247ef6aa43e578e31
- SHA256: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9
- SHA512: 7841c49a410ebb2d50cc1a5e9b0d23ce1cdea74a7eb2f74178095caa24248a7e3d536d3d523145bda686eeac6db799ef0459ab8cf13b2eebc6a6b8f1ecdbc37d
- SSDEEP: 196608:8iINy2LkaFmnG0+UloZqiKQtCnp46wJIfhnNVBBC3/BV/nJFLOyomFHKnPAfLpxi:SFq4FE3CjJFHLzyWwVLXqEZ
Malware Config
Signatures
purplefox_rootkit (YARA rule match) 9 IoCs
Processes:
YARA rule purplefox_rootkit matched in the following memory resources:
- behavioral1/memory/2488-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-29-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-34-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-22-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-41-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0st RAT payload 9 IoCs
Processes:
YARA rule family_gh0strat matched in the following memory resources:
- behavioral1/memory/2488-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-29-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-34-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-22-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-41-0x0000000010000000-0x00000000101B6000-memory.dmp
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
- File created: C:\Windows\system32\drivers\QAssist.sys (process: TXPlatforn.exe)
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (process: TXPlatforn.exe)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
Executes dropped EXE 4 IoCs
Processes: RVN.exe, TXPlatforn.exe, TXPlatforn.exe, HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 2488: RVN.exe
- PID 2612: TXPlatforn.exe
- PID 2816: TXPlatforn.exe
- PID 3048: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- Key opened: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Wine (process: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
Loads dropped DLL 3 IoCs
Processes: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe, TXPlatforn.exe
- PID 3016: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 2612: TXPlatforn.exe
- PID 3016: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
upx (YARA rule match) 10 IoCs
Processes:
YARA rule upx matched in the following memory resources:
- behavioral1/memory/2488-5-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2488-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-29-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-34-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2612-22-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2816-41-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
- File created: C:\Windows\SysWOW64\TXPlatforn.exe (process: RVN.exe)
- File opened for modification: C:\Windows\SysWOW64\TXPlatforn.exe (process: RVN.exe)
Drops file in Program Files directory 4 IoCs
Processes: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (process: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe (process: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
- File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (process: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe (process: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 3016: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes: TXPlatforn.exe
- PID 2816: TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: RVN.exe, TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 2488, RVN.exe
- Token: SeLoadDriverPrivilege, PID 2816, TXPlatforn.exe
- Token: 33, PID 2816, TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 2816, TXPlatforn.exe
- Token: 33, PID 2816, TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 2816, TXPlatforn.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe, HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 3016: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 3016: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
- PID 3048: HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
Suspicious use of WriteProcessMemory 26 IoCs
Processes: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe, RVN.exe, TXPlatforn.exe, cmd.exe
Each entry gives the writing PID, the target PID, the writing process and the target process; repeated identical events are grouped with a count (26 events in total).
- PID 3016 wrote to memory of 2488: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe -> RVN.exe (7 events)
- PID 2488 wrote to memory of 2796: RVN.exe -> cmd.exe (4 events)
- PID 2612 wrote to memory of 2816: TXPlatforn.exe -> TXPlatforn.exe (7 events)
- PID 3016 wrote to memory of 3048: d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe -> HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe (4 events)
- PID 2796 wrote to memory of 2516: cmd.exe -> PING.EXE (4 events)
Processes
Process tree (indentation shows parent/child relationship; the number in brackets is the depth in the tree):
- [1] C:\Users\Admin\AppData\Local\Temp\d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
  - [2] C:\Users\Admin\AppData\Local\Temp\HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\TXPlatforn.exe
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.5MB
  MD5: f6238fef305d0ab4bfcfcb74c0421a88
  SHA1: e1af1d0a57fe657ce817d505b3ca1b6de1317087
  SHA256: f00793e6a817d2d59a54dedce9e6dd921ca66dc89a5996f7eeb950ab3f48bbd4
  SHA512: f9c3fe317c18fd5b9d4cd915f59e490768809aed5b34f1ec0b8b7a18f457a43bda34f6edff974a0898931f1227d366eae5e46aeaf95c76e36a03b70fe14ba155
- \Users\Admin\AppData\Local\Temp\HD_d98cb83dd6d4f1fe8eeeb48b3ae020b66ae9097612508b881985ae274df468a9.exe
  Filesize: 13.3MB
  MD5: d7ff787985ec2c2f06e4adecc306ba6c
  SHA1: e365f953abc2a88bd3d8616018837c071635f433
  SHA256: 549fa67d48f31b33eb4c85ff2fdcc64ec93feca713064a44535f971eaa273231
  SHA512: e181a1aeeb3aa97c2e6db03a924a6ff4fcd89588b6a2042e587e9c53f70cd2657e885fb16992e63817f3ed3cb3f80796cff87373266f0812ffa2c2e5eda007a3
- \Users\Admin\AppData\Local\Temp\RVN.exe
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
Memory dumps:
- memory/2488-5-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2488-8-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2488-9-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2488-7-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2612-22-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2612-18-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2816-34-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2816-39-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2816-29-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2816-41-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/3016-35-0x0000000005990000-0x00000000066D0000-memory.dmp (Filesize: 13.2MB)
- memory/3016-76-0x0000000005990000-0x00000000066D0000-memory.dmp (Filesize: 13.2MB)
- memory/3048-40-0x0000000000400000-0x0000000001140000-memory.dmp (Filesize: 13.2MB)
- memory/3048-75-0x0000000000400000-0x0000000001140000-memory.dmp (Filesize: 13.2MB)