Analysis
max time kernel: 153s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 18:25
Static task: static1
Behavioral task: behavioral1
Sample: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Resource: win7-20240611-en
General
Target: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Size: 1.6MB
MD5: d347366edf497217290db640ecc33a8c
SHA1: 90b0d25dc129741e472a64287333958e0c2c5b26
SHA256: 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1
SHA512: b61bc9ad16efd50243d506ae9889d90ce090f3a0d505d998400589690374a885f0063466edbe3ce96136fb078b3216705b74799c3d9775cb2017ebd6882b9fe6
SSDEEP: 24576:qQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVY+7fe8F+7VI:qQZAdVyVT9n/Gg0P+WhonChFCVI
Malware Config
Signatures
Yara rule purplefox_rootkit matched 11 IoCs
resource | yara_rule
behavioral2/memory/416-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/416-11-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/416-12-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2568-22-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2568-23-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2568-24-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2224-36-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2224-39-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/416-42-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2224-43-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2568-46-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 12 IoCs
resource | yara_rule
behavioral2/memory/416-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/416-11-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/416-12-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2568-22-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2568-23-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2568-24-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x000700000002326c-26.dat | family_gh0strat
behavioral2/memory/2224-36-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2224-39-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/416-42-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2224-43-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2568-46-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240673609.txt" | svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid | Process
416 | svchost.exe
1100 | svchos.exe
2568 | TXPlatforn.exe
5152 | HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
2224 | TXPlatforn.exe
5536 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 3 IoCs
pid | Process
1100 | svchos.exe
5316 | svchost.exe
5536 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Yara rule upx matched 13 IoCs
resource | yara_rule
behavioral2/memory/416-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/416-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/416-11-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/416-12-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2568-22-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2568-23-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2568-24-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2568-20-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2224-36-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2224-39-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/416-42-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2224-43-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2568-46-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240673609.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
5772 | PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2224 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 416 | svchost.exe
Token: SeLoadDriverPrivilege | 2224 | TXPlatforn.exe
Token: 33 | 2224 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2224 | TXPlatforn.exe
Token: 33 | 2224 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2224 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 904 wrote to memory of 416 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 91
PID 904 wrote to memory of 416 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 91
PID 904 wrote to memory of 416 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 91
PID 904 wrote to memory of 1100 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 92
PID 904 wrote to memory of 1100 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 92
PID 904 wrote to memory of 1100 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 92
PID 904 wrote to memory of 5152 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 94
PID 904 wrote to memory of 5152 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 94
PID 904 wrote to memory of 5152 | 904 | 8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe | 94
PID 416 wrote to memory of 5444 | 416 | svchost.exe | 95
PID 416 wrote to memory of 5444 | 416 | svchost.exe | 95
PID 416 wrote to memory of 5444 | 416 | svchost.exe | 95
PID 2568 wrote to memory of 2224 | 2568 | TXPlatforn.exe | 97
PID 2568 wrote to memory of 2224 | 2568 | TXPlatforn.exe | 97
PID 2568 wrote to memory of 2224 | 2568 | TXPlatforn.exe | 97
PID 5444 wrote to memory of 5772 | 5444 | cmd.exe | 98
PID 5444 wrote to memory of 5772 | 5444 | cmd.exe | 98
PID 5444 wrote to memory of 5772 | 5444 | cmd.exe | 98
PID 5316 wrote to memory of 5536 | 5316 | svchost.exe | 103
PID 5316 wrote to memory of 5536 | 5316 | svchost.exe | 103
PID 5316 wrote to memory of 5536 | 5316 | svchost.exe | 103
Processes
(the bracketed number is the depth of the process in the tree; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe"
    PID: 904
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        PID: 416
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            PID: 5444
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                PID: 5772
                - Runs ping.exe

    [2] C:\Users\Admin\AppData\Local\Temp\svchos.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        PID: 1100
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory

    [2] C:\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
        PID: 5152
        - Executes dropped EXE

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    PID: 2568
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        PID: 2224
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 5408
    (the service group name is GBK-encoded text that the en-US sandbox rendered as Latin-1; decoded it reads 主动防御服务模块, roughly "active defense service module")

[1] C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 5316
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240673609.txt",MainThread
        PID: 5536
        - Executes dropped EXE
        - Loads dropped DLL

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3104 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    PID: 5804
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\HD_8d1ead0187f305d9f0e40334b4dc7eb9e0faa21d60a95a61f1c6dd62c24269c1.exe
Filesize: 229KB
MD5: a25e5abbe991c6d25471e9febbe2d48b
SHA1: c03c1da85898ee3e4a95da13f78d96e6e715b9fb
SHA256: fda9c5199dcfb584a1bccc1f60f6b71860ce9e0f7a91a5333a46fabd6be1e0d5
SHA512: 4cb0981fc276915b8c9e506b1ae8306a658572eed73f539a0dcb332f1c64a92269b9f4f3928d19489086f54a60079c2a069ccf205f51d6ac24b91fafc0af414d

Filesize: 1.4MB
MD5: c0fc66f2bf93e367af7f6f02acfa81ad
SHA1: 0df5c673f8b0dff52688f8f052f8c9e8e6e915e5
SHA256: 6eded88c81fecc9645f7ce8a57bfc45cc32156cbc556973138e744650b2d7386
SHA512: 009e19ab1981f523afb6720e4594212c5ecc488219f50ed19217437d4641f324834e3a9a94f80b3f98451bfd998b4dde0b4704241d6e23d148dc59a8b0c59344

Filesize: 1.4MB
MD5: 8b07a82b3875ad1cae9d38c656c8d211
SHA1: 02772b2dac1b52f2a337e782ef2cedb809829fbc
SHA256: 0981739eb5be46caaf8a15d04b8017ff77f82d60a352d3a01bc6d273628bbb22
SHA512: 9e657ca9682437bed2e38053f1dc1907c59a3ac4cf3f97a405bc225070d7cd505e64aa3e85d411726b121c35548a8f0872821a4ddbf88843e04ec0109239a5fe

Filesize: 69KB
MD5: e33fb6d686b1a8b171349572c5a33f67
SHA1: 29f24fe536adf799b69b63c83efadc1bce457a54
SHA256: 020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450
SHA512: cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Filesize: 50KB
MD5: 51e122204f092dc369e956658094828c
SHA1: 620715c21b00612f76f950cc634fb8647a77c402
SHA256: 66c408c9117fcf72bd36f15245ebfec138c0e9feed97ccf8264e8a7461a80803
SHA512: 5d988d955b5d1d12668b45329db9e0ad982f8894248f4a12a89326dfef3a41aa6a74d66225fe03f47530f864563b792cca25a0fedaff88b52804487ff8a8f83f

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641