Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
25-06-2024 16:03
General
-
Target
10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e.exe
-
Size
5.8MB
-
MD5
3020eb9061acdc66a3a09d34da061f01
-
SHA1
e339ff433649916c957595582fe2d7b7c0e9b149
-
SHA256
10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e
-
SHA512
38f85727c7edf14fa82082e0e34a6404ebcd1fb083a9ee0b320ee8d72857a2d46d0e2ef84f92fbdb1c8305acc3a183309864a626c8de6dc8dc948ef83ba304ca
-
SSDEEP
98304:sws2ANnKXOaeOgmhVWTsLZNu0UIm760Pwj3VV/20V5hkgk:6KXbeO7KsLG360I/2YV
Malware Config
Signatures
-
Detect PurpleFox Rootkit 5 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 6 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 9 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e.exe"C:\Users\Admin\AppData\Local\Temp\10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e.exeC:\Users\Admin\AppData\Local\Temp\HD_10316a8c553a01479b68cd8b5d5d7fe77980a0de34110a7e8c1b44f361e78f1e.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://se.360.cn/3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259398400.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD55de1d4941221d953f2d0051abb8952ce
SHA1f0d41f48ea35a6778335f2f3785db6d166f865b2
SHA256f05abb9adc2024811a4a22df07750c7ad74d1df6098aaffc55935df07a4a536f
SHA51288494c4f85fcdc96d7a463c80eb225c902942074e8a96be2ec9c6ed3b26313e6fb6d31b4b740d1933563576ed0228129830a68a6e20e01fef8e9cb62299c1f14
-
Filesize
342B
MD540ed7262f059aa000a059334591736b8
SHA12971d9b2ed84185f28ceacc0eefed7bd12f8734e
SHA256bc3de422b08dddc96b04c39d201e273ac2ed4a6cde5b8f2ec6ecb0c7f5cbad03
SHA5120cbf2322b926aef4f9f700a37d19c20e8ff25b9ca73464db88d4fdf464ed31a97c9b1df1352a80e2b1886ed822fa0bbc658b3e4f497eac25ec9feba46fb8e97b
-
Filesize
342B
MD5863a4c698609714a5889e7e154023c65
SHA1eed1b8046e3fef3c6df68d050da4b8bb8c5622a6
SHA25620f24582188982c169250b7c0a573f84f7bf5954948c4eccecb959d8adddc185
SHA5122d6a0530256494118bbba9e4216a0c2b65243da74d7b5cedb5b4da79c576e755de489538ae37f3de43be5418a758bb2fad7ec0018fb287d4172cd8b0326650ce
-
Filesize
342B
MD551340e411436dbcd4e02c977dbfe9622
SHA1ae3791222feff60b68223f33d249628c7cc479dd
SHA2569173f3218c099a3d3fff51fee4bb925cb01734aa5de72807aa7fd400c6e73224
SHA5121cf1157d892557a152b4157dff90c873a1ec784eb6a0555e5d33797713bf89267673960a2ac8ac2fade05fd60a925f846ad490c0437fa9ebd0db03e834d563f8
-
Filesize
342B
MD5f072a5f9377a50407e762dadb17e1e5a
SHA14eb8860ed8089124247df43a0e378db6d3fd393f
SHA256b08326faa92ae69c6441d495033b8256b8241f8f0ab803d4c967e56de8fdd7fb
SHA512585836bb5619003453a34530d03144ea5e14764ffac61a0652fbea16ba768d0f2645683c9d939874db3e71eadae630cb3a96ba5fd77cba0d4d44a35c4bcf812a
-
Filesize
342B
MD55f69f44cfcfdc54275265059510ed2fc
SHA1667c9b4285e651e51f69ecef4adc68444422f450
SHA256d74c95284313204fe1f9ed3bc14a75bba5b7da83b064263610cb8e8c1bad4ed9
SHA5126f6e76219838b503029648b68eecc34b0c7ba0b54e44344ad36d06c34a75a5b0f13ed7df328e724da015902d494d33c7cf24b5d90ddf7c0b67b9b76e9c3cd817
-
Filesize
342B
MD57dbe7fd28178765f07a7a866c0807f01
SHA16a50f9703319de2d18daa8fda83b52fe59924a4b
SHA2561146f011f05f5a0808b63edeb7aee1ef1b99808eb66cb7933b9a1738c058ae28
SHA51230ec1dbc7ef7de58911bebaeac88828f73a9c2d7fec207b3cb2ebd68ad54527e6bd02f1a631cfad47bcf382893ec61da2d6bdabff7333c1596f9b1975d13ddb5
-
Filesize
342B
MD5eec2c703ea65d23f63da7816bda60d57
SHA1a028b83a883da46a49abe623ac1afb6519b0161f
SHA2560d301e7a7c41e7bce8f3ce6c5586c931a4cafadfee9bb3cbaedbe36ca65e4bc7
SHA512913bd84636b118dc9ebe32fe7cfbca498730146a254e4090ae3f7f1fe5ea39aed4f6709b37dcc23a2580c399cc32bde89e0d6b627ae5658410dec689abf54fa7
-
Filesize
342B
MD5fceb120c89e295a576fdee09b8ef1e15
SHA1bb631573dae3a8033c23f28909bd0a51545260a0
SHA256344a4e654b561f5edd183d5547e802b077dcbbfd46f6f2b2c4f6b46357966944
SHA5121502c2d12cbdf40d619a693609478a1969ec8ddf5423403622bb28386cb86e7702e0e4b2486a4f38102ad7741478818f5d61773c3cccb63da0222aa8f5274a7d
-
Filesize
342B
MD5b28648e7d638d3bbc2ba80d031582aec
SHA111728066118359fdcd5d2248d6be21a363e81c37
SHA25645bf333bc719a6b3ce1689297b82b6234905baa58f93b75891fe702003c0d585
SHA51209da4fde4f73d81a3340f9e72450b7385c033188fad77ccba3b577b9a2d938385c653e41a49b4da2cc12bebec4ee504a9e6802b1db8e12b5e491023e4079f15e
-
Filesize
342B
MD51e5d3b33deb234098758c8c49dbeef6f
SHA1677cc4189c5d73f80e5dcf861677cabb453fc9e9
SHA256a9fb791827fc1e29a5036aa941d80deb37404ec63f2d46b9ce892cb151a70234
SHA512f0ce4172dd22d12fa69cef058cc391b96f9669c14c2b30ba0d97e1cbfbd8e8bbca32f264a44ae1d9f8b9c8b5e2b805841d8c3b9666a4b219f6b53acdfd289137
-
Filesize
342B
MD506a059e648dae3ca41bebde1e8c3bc9b
SHA114d833586f6da388a502b15eed45fa3084032ce3
SHA2567f3b6358eaaa9f51f95031bf0c1e32b11abbff912c46bf3a2966dc4a25509c68
SHA5125fdebe2e1fe35190dcd9666a9440f749bdbf063dde796c6b3aba62d4d6b61b835414085ac447d1eb1b235f358ba40a9e1255117e62e6b262d7fe113914bf29ec
-
Filesize
342B
MD5cea97103b3eaebf733e0c5068573d773
SHA14c60e01171de9610c530165b1cf2d55a44ac5f45
SHA256a890e767b58ac0a8c40deddaf926a3d5bb584e7999232b9be4ff77026468fb41
SHA51290b18709d90a9feda8fd418060ce42792a9a0dd9e97483b6cd0750dfb31012cccf737dfce4f61d4b75ecdb796178a7ab81232097a946a241483e5c6ca662ec38
-
Filesize
342B
MD540bf7dd35631c714e09c25c91304992c
SHA11273ceda8865a1c2cd63a5dcd39d3d35479e33ff
SHA2566ef43e88925508630fa9c64ff5d70a98b153483936cf9e21237226e2255a085e
SHA5127a128f61bc1eaf7b54929e642ae4f56b221016d1267bf31e57a6bba81a76560291360febe30ecc0cabe26d341794fd0d20745c80bb3f6fb2e4220eda5a8d99b4
-
Filesize
342B
MD5d6b2d76ea2aa5f22416957f7605d2453
SHA1893ac129c2fb6ce316e854ded6da62b133e8eb19
SHA256eac36b0650f70afa187f946df08ee4a5bf7de8375402b2010131b86bf80e442e
SHA51219054189ff01f387df60f8bcf4f2d3f59ef66ca8675fbe8bf450e7234abf1558ba1e37e8f8594904563ff26533010982006a33a6986b0c5b964794168a44f7bf
-
Filesize
342B
MD5e8f9291a4b8c878a203a969eba1f5a89
SHA1e2d584908d06c7c48af5d4a4f6eddf31f53ee265
SHA256c646c8ec14059d355bcd085fdb1e492959c10a4e6350309c0e14b051c889363c
SHA5124b62b56a56e0cf1d5a51c6e1911c645824b8b1e803cf4fef061ba4bb9f873baf90b3ccce37b7f846e9c1e6e7482c0b56c81dfad2f55e8edbd0654880127a5e1e
-
Filesize
342B
MD5738efd01f3bb07138d6c8ec2c8b03c34
SHA17a6fae14d615f35ba1b480a5f2d594b3cbef2dbf
SHA25650ea6bcbadde3ac0c81f11fda93efc819d26fb07fb311356f0a599cbe10f445b
SHA512f3bf678104dc264caa573d23883ae8e85d40d4ae693ea2f007b3cebfd242485002ffad61c8977ecabb191d64f31d27081d71e334497b95907ce366811a01a2d3
-
Filesize
342B
MD51f8ca34f9632466dafd4ed7ae3b73d24
SHA19faeb33804249f63a876108acc57365dc2ee59c1
SHA2565739cb578dddcda21a1871b050710fa475426661d795e36db1007aa18024d092
SHA512e3c4b8751b44cdaf29ce1742121e8df9031dcc1af6422d437e5c462a5f50821c868455ac71c1c94baa4c6a2d5b1929afc0f83717556e8cb66f8e3f4915162fb6
-
Filesize
342B
MD588ae7e36aa45cc85a77517c1f89e1223
SHA1265fe7788eab6f1d14555702ed04b64d06e6e873
SHA256a5cbb91c457467e344cf68aaf547344c8ebfc892d1647a4c12b37024c612d76a
SHA5121a3c82e1a741f7f6868602a5e940ada24676069dc2e8ce060d835056bc3e92ee320058e6e83bb0f3e04827c5afc2f3cd3b35d533015c132bf69432af962137cf
-
Filesize
342B
MD58d4b5c659fbed0be0ef889d63afa6d05
SHA1e3f847976db68df13425e6fa915f9303a5235e15
SHA2561d26c4c01719368407116aef4a2a6372e7541fa4d1c538fe2f04ce4d74e45dbe
SHA51216c37dfad03cc9282b741bd37c190ea398204b3ecd3d206b00394ef659244fa0f81eac2edb182cea8011b1f9001e0b054e24259d3f1e69489c7063223a965e9d
-
Filesize
342B
MD5cf7661e1d17e27950b3f9131c34850a5
SHA103b8247713d9ddcf9515cc49092d066c7734a75d
SHA256cb8987873aa5515c14a28ef30db048ad504655956d53605da212a174f6af6b63
SHA5127142f756e4910ff09e5253e27dc8ab258bf37f8102dab731b2cb77924a9f35aa8bce06395d8a8d2a573a9562ee24b7b25db3b7890a45dd36b17b60744b7f58e6
-
Filesize
342B
MD5b6d70c401e10bc6e8740e6cde0147785
SHA120f51be4de515bb3dfda4b3791b10e21f78a0733
SHA2565579326f58f4899ed0bf6c4c546e8d48f01f56902b3ef88c03900910f847ec6d
SHA512896694db1dd36021550adee79c2cd6afde855c19910f46d6c14bce58fa69b5d3139bb17335a0ac56e0d85c2dcfae66594485ac839091780898348540a1360042
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
3.4MB
MD5b432e97989094186a6d04e00b2a03a0f
SHA187da09c5fa7676d3cbc4a11f7f1e8655e600e2e7
SHA25639b5505c0c74709be34cd80cbb2a586c5d6dea03ea7f654120dd0bb15d20b6d2
SHA5128fab238ce7790dbf927b55d0f459d897b26612c10db2ac7bbcead2f0d01e1a08c6c35393835f38022382d43355c6aff65009535f0cc7a47334461fb90ba516a0
-
Filesize
2.5MB
MD599b3663b657ae86c0100958a9ea0027a
SHA1b94d7ea6d418f3fe78ea02ddbc1575d07e5485fd
SHA2560790377a3968b53b826f83f5fc0e6f5bb84a2d22661c0620b9067af0cb8a525b
SHA51276449248e2f4165d0c8f0e9eeac097913bbcbbf562be8318625112c502943b76e172df47f00618b3d1b361afb85e2f21d2ff5572d197a87c128479d3a6b441c4
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
899KB
MD5dcc14458f951ca9690481490010e55d9
SHA1e2e1f52c4460cb810ea80bb07d934336eeb30d9e
SHA2568e9d480a3bc311442cb225006374d087a781f2b731ac24cc2922b8b2b6464bfc
SHA512f47f36ed6ed60a5e56bbdd0197f8d46e2a1624b8d080ccacf30e3c2f7d69babe36a68667d5ee0b4ad4ed838d5688305ba9b2149f02e269f9b8d0747c4fb37ec6
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB