Analysis
max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2024 18:25
Static task: static1
Behavioral task: behavioral1
Sample: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Resource: win7-20240611-en
General
Target: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Size: 1.6MB
MD5: d347366edf497217290db640ecc33a8c
SHA1: 90b0d25dc129741e472a64287333958e0c2c5b26
SHA256: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1
SHA512: b61bc9ad16efd50243d506ae9889d90ce090f3a0d505d998400589690374a885f0063466edbe3ce96136fb078b3216705b74799c3d9775cb2017ebd6882b9fe6
SSDEEP: 24576:qQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVY+7fe8F+7VI:qQZAdVyVT9n/Gg0P+WhonChFCVI
Malware Config
Signatures
resource                                                                    yara_rule
behavioral1/memory/2948-7-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
behavioral1/memory/2948-8-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
behavioral1/memory/2948-12-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral1/memory/2044-18-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral1/memory/2712-31-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral1/memory/2712-38-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral1/memory/2044-39-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral1/memory/2712-40-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 9 IoCs
resource                                                                    yara_rule
behavioral1/memory/2948-7-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
behavioral1/memory/2948-8-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
behavioral1/memory/2948-12-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral1/memory/2044-18-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral1/memory/2712-31-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral1/files/0x0009000000014ed9-34.dat                                 family_gh0strat
behavioral1/memory/2712-38-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral1/memory/2044-39-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral1/memory/2712-40-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
description   ioc                                       Process
File created  C:\Windows\system32\drivers\QAssist.sys   TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description      ioc                                                                                                                       Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259413095.txt"  svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description      ioc                                                                                                Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid   Process
2948  svchost.exe
2044  TXPlatforn.exe
2712  TXPlatforn.exe
2884  svchos.exe
2548  HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
1240  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 8 IoCs
pid   Process
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
2044  TXPlatforn.exe
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
2884  svchos.exe
2736  svchost.exe
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
2736  svchost.exe
1240  Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
resource                                                                    yara_rule
behavioral1/memory/2948-7-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2948-8-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2948-12-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral1/memory/2948-5-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
behavioral1/memory/2044-18-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral1/memory/2712-31-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral1/memory/2712-38-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral1/memory/2044-39-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral1/memory/2712-40-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Drops file in System32 directory 6 IoCs
description                   ioc                                              Process
File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe               svchost.exe
File created                  C:\Windows\SysWOW64\259413095.txt                svchos.exe
File opened for modification  C:\Windows\SysWOW64\ini.ini                      svchos.exe
File created                  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe          svchost.exe
File opened for modification  C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe          svchost.exe
File created                  C:\Windows\SysWOW64\TXPlatforn.exe               svchost.exe
Drops file in Program Files directory 4 IoCs
description                   ioc                                                          Process
File opened for modification  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe                 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File created                  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe                        8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid   Process
2572  PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid   Process
2712  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description                          pid   Process
Token: SeIncBasePriorityPrivilege    2948  svchost.exe
Token: SeLoadDriverPrivilege         2712  TXPlatforn.exe
Token: 33                            2712  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege    2712  TXPlatforn.exe
Token: 33                            2712  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege    2712  TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Suspicious use of WriteProcessMemory 34 IoCs
description                          pid   Process                                                                 procid_target
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2928 wrote to memory of 2948     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  28
PID 2948 wrote to memory of 2732     2948  svchost.exe                                                             30
PID 2948 wrote to memory of 2732     2948  svchost.exe                                                             30
PID 2948 wrote to memory of 2732     2948  svchost.exe                                                             30
PID 2948 wrote to memory of 2732     2948  svchost.exe                                                             30
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2044 wrote to memory of 2712     2044  TXPlatforn.exe                                                          31
PID 2928 wrote to memory of 2884     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  33
PID 2928 wrote to memory of 2884     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  33
PID 2928 wrote to memory of 2884     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  33
PID 2928 wrote to memory of 2884     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  33
PID 2732 wrote to memory of 2572     2732  cmd.exe                                                                 34
PID 2732 wrote to memory of 2572     2732  cmd.exe                                                                 34
PID 2732 wrote to memory of 2572     2732  cmd.exe                                                                 34
PID 2732 wrote to memory of 2572     2732  cmd.exe                                                                 34
PID 2928 wrote to memory of 2548     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  37
PID 2928 wrote to memory of 2548     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  37
PID 2928 wrote to memory of 2548     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  37
PID 2928 wrote to memory of 2548     2928  8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe  37
PID 2736 wrote to memory of 1240     2736  svchost.exe                                                             38
PID 2736 wrote to memory of 1240     2736  svchost.exe                                                             38
PID 2736 wrote to memory of 1240     2736  svchost.exe                                                             38
PID 2736 wrote to memory of 1240     2736  svchost.exe                                                             38
Processes
C:\Users\Admin\AppData\Local\Temp\8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe"
  PID: 2928
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2948
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          PID: 2732
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\PING.EXE
              cmdline: ping -n 2 127.0.0.1
              PID: 2572
              - Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\svchos.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 2884
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
    C:\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
      PID: 2548
      - Executes dropped EXE
C:\Windows\SysWOW64\TXPlatforn.exe
  cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  PID: 2044
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\TXPlatforn.exe
      cmdline: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 2712
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe
  cmdline: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 2176
C:\Windows\SysWOW64\svchost.exe
  cmdline: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 2736
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      cmdline: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259413095.txt",MainThread
      PID: 1240
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: c0fc66f2bf93e367af7f6f02acfa81ad
SHA1: 0df5c673f8b0dff52688f8f052f8c9e8e6e915e5
SHA256: 6eded88c81fecc9645f7ce8a57bfc45cc32156cbc556973138e744650b2d7386
SHA512: 009e19ab1981f523afb6720e4594212c5ecc488219f50ed19217437d4641f324834e3a9a94f80b3f98451bfd998b4dde0b4704241d6e23d148dc59a8b0c59344

Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Filesize: 229KB
MD5: a25e5abbe991c6d25471e9febbe2d48b
SHA1: c03c1da85898ee3e4a95da13f78d96e6e715b9fb
SHA256: fda9c5199dcfb584a1bccc1f60f6b71860ce9e0f7a91a5333a46fabd6be1e0d5
SHA512: 4cb0981fc276915b8c9e506b1ae8306a658572eed73f539a0dcb332f1c64a92269b9f4f3928d19489086f54a60079c2a069ccf205f51d6ac24b91fafc0af414d

Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Filesize: 50KB
MD5: 138585636917c22108dd55a5250977f8
SHA1: 8950679ba9fcf596a0d1715573e2dfd8852b7240
SHA256: e45ce00579dbf73ce1f5a05ea9fc733caa7162b9835463791618a76c9c13cbd4
SHA512: 0ea0c028fcfca679ebbab544e01f6da3b0ca526d35ed63dd564efa4a95b81fb5b85339b361f6096a7b18182de81557766169449550c5ab67d2e1a6b88085e37b

Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d