Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 18:37
Static task: static1
Behavioral task: behavioral1
Sample: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Resource: win7-20240508-en
General
Target: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Size: 8.4MB
MD5: 8053279e1596ddda1ddd37f1548f3d26
SHA1: 0d7d9b6b47a15f9e460278f8b89784e7f7a6837e
SHA256: cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737
SHA512: 7278aa1721082786a4acedfc0588c62b957a8b891ce49b53ecb69adfb39557f92664bbd5bd20cae281b1510d80c8984952b9994e6cc5820ecc2238e249767824
SSDEEP: 196608:KWT9nO77mnAjXBFxNtm1mdivZDtlK/pD3/:K77ljRltmEdysB
Malware Config
Signatures
purplefox_rootkit YARA rule matches 12 IoCs
resource | yara_rule
behavioral2/memory/2000-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2000-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2000-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/724-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1976-38-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1976-42-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/724-26-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1976-25-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1976-43-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4600-49-0x0000000000980000-0x0000000001B02000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 13 IoCs
resource | yara_rule
behavioral2/memory/2000-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2000-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2000-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/724-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x00070000000233fd-36.dat | family_gh0strat
behavioral2/memory/1976-38-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1976-42-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/724-26-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1976-25-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1976-43-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4600-49-0x0000000000980000-0x0000000001B02000-memory.dmp | family_gh0strat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240602546.txt" | svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Executes dropped EXE 6 IoCs
pid | Process
2000 | svchost.exe
724 | TXPlatforn.exe
1976 | TXPlatforn.exe
4772 | svchos.exe
4600 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
2320 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 3 IoCs
pid | Process
4772 | svchos.exe
836 | svchost.exe
2320 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
upx YARA rule matches 13 IoCs
resource | yara_rule
behavioral2/memory/2000-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2000-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2000-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2000-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/724-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/724-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/724-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/724-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1976-38-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1976-42-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/724-26-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1976-25-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1976-43-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240602546.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4600 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4876 | 4600 | WerFault.exe | 90
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2088 | PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
4600 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
4600 | HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
1976 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2000 | svchost.exe
Token: SeLoadDriverPrivilege | 1976 | TXPlatforn.exe
Token: 33 | 1976 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1976 | TXPlatforn.exe
Token: 33 | 1976 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1976 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 5060 wrote to memory of 2000 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 82
PID 5060 wrote to memory of 2000 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 82
PID 5060 wrote to memory of 2000 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 82
PID 2000 wrote to memory of 1316 | 2000 | svchost.exe | 84
PID 2000 wrote to memory of 1316 | 2000 | svchost.exe | 84
PID 2000 wrote to memory of 1316 | 2000 | svchost.exe | 84
PID 724 wrote to memory of 1976 | 724 | TXPlatforn.exe | 85
PID 724 wrote to memory of 1976 | 724 | TXPlatforn.exe | 85
PID 724 wrote to memory of 1976 | 724 | TXPlatforn.exe | 85
PID 5060 wrote to memory of 4772 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 86
PID 5060 wrote to memory of 4772 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 86
PID 5060 wrote to memory of 4772 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 86
PID 1316 wrote to memory of 2088 | 1316 | cmd.exe | 91
PID 1316 wrote to memory of 2088 | 1316 | cmd.exe | 91
PID 1316 wrote to memory of 2088 | 1316 | cmd.exe | 91
PID 5060 wrote to memory of 4600 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 90
PID 5060 wrote to memory of 4600 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 90
PID 5060 wrote to memory of 4600 | 5060 | cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe | 90
PID 836 wrote to memory of 2320 | 836 | svchost.exe | 95
PID 836 wrote to memory of 2320 | 836 | svchost.exe | 95
PID 836 wrote to memory of 2320 | 836 | svchost.exe | 95
Processes
(process tree; [N] is the nesting depth reported by the sandbox, children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe"
    PID: 5060
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      PID: 2000
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        PID: 1316
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 2 127.0.0.1
          PID: 2088
          - Runs ping.exe
  [2] C:\Users\Admin\AppData\Local\Temp\svchos.exe
      command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      PID: 4772
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
  [2] C:\Users\Admin\AppData\Local\Temp\HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
      command line: C:\Users\Admin\AppData\Local\Temp\HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
      PID: 4600
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 1148
        PID: 4876
        - Program crash

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    PID: 724
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\TXPlatforn.exe
      command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      PID: 1976
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 5108

[1] C:\Windows\SysWOW64\svchost.exe
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    PID: 836
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240602546.txt",MainThread
      PID: 2320
      - Executes dropped EXE
      - Loads dropped DLL

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4600 -ip 4600
    PID: 3628
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
- Server Software Component (1): Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads

Filesize: 1.7MB
MD5: 7309f7465a5fa7b1d493e9d953eb0e01
SHA1: 3f8b1d211ea4c67df3a40c58ecfa7595aa934683
SHA256: d6c80aa345adbc77a8300ae9a0a00593ca3e5cf737bafe5689732e55f9032b87
SHA512: 93ef0cf7a01cf45c3de6dd660817381a2149358c13457cab82dd363583b0137e59453c6386cf147bab1b33a43541168d52c3e8bd5006037de123a84d19f12cd6

C:\Users\Admin\AppData\Local\Temp\HD_cd2fd2638217e5b4002c25d69bf2ab79313789836473f66b5a7220d908295737.exe
Filesize: 6.8MB
MD5: 7d65651595a7892e740949ac6ead4d7a
SHA1: 6273a92085f0ce795a9cec0a6b29e7248f5700ff
SHA256: 201238949a27d5c2bc087cc7c2413c4b7f225a58bde58c04b6e567814dd9c363
SHA512: cf9265b0948ad601760a6daeacd1b5b046cb4e60212bd6d851d5cda4b29bb41e3b16e8a9069787d63dff8cb6c1f0c404b43dc57676c4dff32f487e8e02ce93c2

Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Filesize: 50KB
MD5: f42dad9791f2877f286e830bfae050fa
SHA1: 9c8cb960d4bb9e26e650644cae0c660447e59af8
SHA256: 5da7dac78e9fa2f6a0d0264280632c6eafa73e5b903102bdeeb48d49b781da1a
SHA512: 5467b6b969e70c45dff97437ac0f1b6bc648023812e9e488f6aa6a3da238949d4b764d9fe0d73e848c90a9904771769b9ec8ceba6644f4ef0cc046f1a47d7bce

Filesize: 60KB
MD5: 889b99c52a60dd49227c5e485a016679
SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641