Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 25-06-2024 18:37

Static task: static1
Behavioral task: behavioral1
Sample: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Resource: win7-20240508-en

General
- Target: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- Size: 8.4MB
- MD5: 8053279e1596ddda1ddd37f1548f3d26
- SHA1: 0d7d9b6b47a15f9e460278f8b89784e7f7a6837e
- SHA256: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737
- SHA512: 7278aa1721082786a4acedfc0588c62b957a8b891ce49b53ecb69adfb39557f92664bbd5bd20cae281b1510d80c8984952b9994e6cc5820ecc2238e249767824
- SSDEEP: 196608:KWT9nO77mnAjXBFxNtm1mdivZDtlK/pD3/:K77ljRltmEdysB
Malware Config
Signatures
YARA rule purplefox_rootkit 9 IoCs
resource (yara_rule purplefox_rootkit):
- behavioral1/memory/1248-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2740-35-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2740-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1988-51-0x00000000040B0000-0x0000000005232000-memory.dmp
- behavioral1/memory/2740-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Gh0st RAT payload 10 IoCs
resource (yara_rule family_gh0strat):
- behavioral1/memory/1248-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/files/0x00080000000144c0-29.dat
- behavioral1/memory/2740-35-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2740-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1988-51-0x00000000040B0000-0x0000000005232000-memory.dmp
- behavioral1/memory/2740-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Drops file in Drivers directory 1 IoCs
description | ioc | Process
- File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259397230.txt" | svchos.exe

Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe

Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Executes dropped EXE 6 IoCs
pid | Process
- 1248 | svchost.exe
- 2596 | TXPlatforn.exe
- 2496 | svchos.exe
- 2740 | TXPlatforn.exe
- 3036 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 2464 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 13 IoCs
pid | Process
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 2596 | TXPlatforn.exe
- 2496 | svchos.exe
- 2488 | svchost.exe
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 1860 | WerFault.exe
- 1860 | WerFault.exe
- 1860 | WerFault.exe
- 1860 | WerFault.exe
- 1860 | WerFault.exe
- 2488 | svchost.exe
- 2464 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

YARA rule upx 10 IoCs
resource (yara_rule upx):
- behavioral1/memory/1248-5-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-9-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1248-8-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2596-27-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2740-35-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/2740-38-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral1/memory/1988-51-0x00000000040B0000-0x0000000005232000-memory.dmp
- behavioral1/memory/2740-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Checks whether UAC is enabled 1 IoCs
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
- File opened for modification | \??\PhysicalDrive0 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Drops file in System32 directory 6 IoCs
description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
- File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
- File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
- File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
- File created | C:\Windows\SysWOW64\259397230.txt | svchos.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
- 3036 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Drops file in Program Files directory 4 IoCs
description | ioc | Process
- File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
- 1860 | 3036 | WerFault.exe | 37

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
- 2840 | PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 3036 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
- 2740 | TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
- Token: SeIncBasePriorityPrivilege | 1248 | svchost.exe
- Token: SeLoadDriverPrivilege | 2740 | TXPlatforn.exe
- Token: 33 | 2740 | TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege | 2740 | TXPlatforn.exe
- Token: 33 | 2740 | TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege | 2740 | TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
- 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe

Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target (identical rows grouped, count in parentheses)
- PID 1988 wrote to memory of 1248 | 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 28 (7 entries)
- PID 1248 wrote to memory of 2680 | 1248 | svchost.exe | 30 (4 entries)
- PID 1988 wrote to memory of 2496 | 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 32 (4 entries)
- PID 2596 wrote to memory of 2740 | 2596 | TXPlatforn.exe | 33 (7 entries)
- PID 2680 wrote to memory of 2840 | 2680 | cmd.exe | 34 (4 entries)
- PID 1988 wrote to memory of 3036 | 1988 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 37 (4 entries)
- PID 3036 wrote to memory of 1860 | 3036 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 38 (4 entries)
- PID 2488 wrote to memory of 2464 | 2488 | svchost.exe | 39 (4 entries)
Processes
(process tree; each entry gives image path, command line, PID and matched signatures; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe"
  PID: 1988
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 1248
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          PID: 2680
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE
              command line: ping -n 2 127.0.0.1
              PID: 2840
              - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\svchos.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 2496
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory

    C:\Users\Admin\AppData\Local\Temp\HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
      command line: C:\Users\Admin\AppData\Local\Temp\HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
      PID: 3036
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 736
          PID: 1860
          - Loads dropped DLL
          - Program crash

C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  PID: 2596
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TXPlatforn.exe
      command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 2740
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 2536

C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 2488
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259397230.txt",MainThread
      PID: 2464
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
(technique and sub-technique, with the number of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
- Server Software Component (1): Terminal Services DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)

Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
- Virtualization/Sandbox Evasion (1)