Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 18:37
Static task: static1
Behavioral task: behavioral1
Sample: b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Resource: win7-20240611-en
General
Target: b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Size: 3.6MB
MD5: 94070bf7e88439c4f46d45a00756b11c
SHA1: 761b39348c98db518bb8ec1e6f73aef350ab604c
SHA256: b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08
SHA512: 9e4437371291505309370118fb35a6fa6fc9fbab55cb71da07757e2c7fa782924bfd146636efd48f8bd9735e046d112842bb1ea1e21909401ce9360cf0380f8d
SSDEEP: 98304:NGdVyVT9nOgmhONCKK1KKK1KKKHXX0fEojPKYTdlm6JBAUZLB:KWT9nO7a0X0pLLJVl
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/1676-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1676-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1676-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3404-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3404-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3404-19-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1108-47-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1108-58-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1108-61-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3404-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 12 IoCs
resource | yara_rule
behavioral2/memory/1676-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1676-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1676-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3404-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3404-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3404-19-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1108-47-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1108-58-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x00070000000233e7-36.dat | family_gh0strat
behavioral2/memory/1108-61-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1108-25-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3404-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240600062.txt" | svchos.exe
The service name "Ö÷¶¯·ÀÓù·þÎñÄ£¿é" is the GBK-encoded string 主动防御服务模块 ("Active Defense Service Module") as rendered on the sandbox's en-US (cp1252) system; the same mojibake form is what appears in the file and process names below.
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid | Process
1676 | svchost.exe
3404 | TXPlatforn.exe
1108 | TXPlatforn.exe
4248 | svchos.exe
3684 | HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
820 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 3 IoCs
pid | Process
4248 | svchos.exe
2056 | svchost.exe
820 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
resource | yara_rule
behavioral2/memory/1676-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1676-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1676-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1676-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3404-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3404-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3404-19-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1108-47-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1108-58-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1108-61-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1108-25-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3404-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3404-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3684-121-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-144-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-142-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-140-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-136-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-132-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-130-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-128-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-126-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-124-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-122-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-119-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-116-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-114-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-112-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-111-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-108-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-106-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-138-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-134-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-104-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-103-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
behavioral2/memory/3684-102-0x0000000000C30000-0x0000000000C6E000-memory.dmp | upx
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240600062.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3532 | PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
1108 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1676 | svchost.exe
Token: SeLoadDriverPrivilege | 1108 | TXPlatforn.exe
Token: SeDebugPrivilege | 3684 | HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Token: 33 | 1108 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1108 | TXPlatforn.exe
Token: 33 | 1108 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1108 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
3684 | HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
3684 | HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
3684 | HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1988 wrote to memory of 1676 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 81
PID 1988 wrote to memory of 1676 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 81
PID 1988 wrote to memory of 1676 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 81
PID 3404 wrote to memory of 1108 | 3404 | TXPlatforn.exe | 83
PID 3404 wrote to memory of 1108 | 3404 | TXPlatforn.exe | 83
PID 3404 wrote to memory of 1108 | 3404 | TXPlatforn.exe | 83
PID 1676 wrote to memory of 3944 | 1676 | svchost.exe | 84
PID 1676 wrote to memory of 3944 | 1676 | svchost.exe | 84
PID 1676 wrote to memory of 3944 | 1676 | svchost.exe | 84
PID 1988 wrote to memory of 4248 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 85
PID 1988 wrote to memory of 4248 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 85
PID 1988 wrote to memory of 4248 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 85
PID 1988 wrote to memory of 3684 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 88
PID 1988 wrote to memory of 3684 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 88
PID 1988 wrote to memory of 3684 | 1988 | b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe | 88
PID 3944 wrote to memory of 3532 | 3944 | cmd.exe | 91
PID 3944 wrote to memory of 3532 | 3944 | cmd.exe | 91
PID 3944 wrote to memory of 3532 | 3944 | cmd.exe | 91
PID 2056 wrote to memory of 820 | 2056 | svchost.exe | 92
PID 2056 wrote to memory of 820 | 2056 | svchost.exe | 92
PID 2056 wrote to memory of 820 | 2056 | svchost.exe | 92
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe (PID 1988)
command line: "C:\Users\Admin\AppData\Local\Temp\b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1676)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3944)
        command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE (PID 3532)
            command line: ping -n 2 127.0.0.1
            - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\svchos.exe (PID 4248)
    command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory

    C:\Users\Admin\AppData\Local\Temp\HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe (PID 3684)
    command line: C:\Users\Admin\AppData\Local\Temp\HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\TXPlatforn.exe (PID 3404)
command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TXPlatforn.exe (PID 1108)
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (PID 2052)
command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe (PID 2056)
command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (PID 820)
    command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240600062.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
Downloads
C:\Users\Admin\AppData\Local\Temp\HD_b605efb6032394d2c05660feea9e90efbb0ec8f498d471a02637992584e86c08.exe (Filesize 2.3MB)