Analysis
max time kernel 150s
max time network 121s
platform windows7_x64
resource win7-20240220-en
resource tags arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
submitted
25-06-2024 18:05
Static task
static1
Behavioral task
behavioral1
Sample
a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Resource
win7-20240220-en
General
-
Target
a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
-
Size
3.0MB
-
MD5
e92112446aa0d6fb8c5895fbeb4ef7ba
-
SHA1
e0903eacac9caaf9e4e2be26e23ff49e71b4693d
-
SHA256
a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2
-
SHA512
e0910ce4a12f6d5325a0ae4f036565eea18768694cff71ffc9f131f6396b29ea81c8c0195eb5abb773381b0fa67fe1319d2985ac822d22068453842007bcf18d
-
SSDEEP
49152:cQZAdVyVT9n/Gg0P+WhoE/Hnji88iCq4HBc7vwZNW6VqTx:dGdVyVT9nOgmhRPji88inKBGuwx
Malware Config
Signatures
resource yara_rule
behavioral1/memory/1908-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/1908-12-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/1908-8-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2524-18-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2524-30-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2576-37-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2576-39-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
behavioral1/memory/2576-54-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
Gh0st RAT payload 9 IoCs
resource yara_rule
behavioral1/memory/1908-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/1908-12-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/1908-8-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2524-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2524-30-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/files/0x0009000000012345-33.dat family_gh0strat
behavioral1/memory/2576-37-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2576-39-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
behavioral1/memory/2576-54-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
Drops file in Drivers directory 1 IoCs
description ioc Process
File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259392050.txt" svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid Process
1908 svchost.exe
2524 TXPlatforn.exe
2560 svchos.exe
2576 TXPlatforn.exe
2456 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2388 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 9 IoCs
pid Process
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2524 TXPlatforn.exe
2560 svchos.exe
2464 svchost.exe
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2464 svchost.exe
2388 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
resource yara_rule
behavioral1/memory/1908-5-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/1908-7-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/1908-12-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/1908-8-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2524-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2524-30-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2576-37-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2576-39-0x0000000010000000-0x00000000101B6000-memory.dmp upx
behavioral1/memory/2576-54-0x0000000010000000-0x00000000101B6000-memory.dmp upx
Drops file in System32 directory 6 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe svchost.exe
File created C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe svchost.exe
File created C:\Windows\SysWOW64\259392050.txt svchos.exe
File opened for modification C:\Windows\SysWOW64\ini.ini svchos.exe
Drops file in Program Files directory 4 IoCs
description ioc Process
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Drops file in Windows directory 2 IoCs
description ioc Process
File created C:\Windows\gib26xvg HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
File opened for modification C:\Windows\gib26xvg HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid Process
2656 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
2576 TXPlatforn.exe
480 Process not Found
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process
Token: SeIncBasePriorityPrivilege 1908 svchost.exe
Token: SeLoadDriverPrivilege 2576 TXPlatforn.exe
Token: SeDebugPrivilege 2456 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Token: 33 2576 TXPlatforn.exe
Token: SeIncBasePriorityPrivilege 2576 TXPlatforn.exe
Token: 33 2576 TXPlatforn.exe
Token: SeIncBasePriorityPrivilege 2576 TXPlatforn.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2456 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
2456 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Suspicious use of WriteProcessMemory 34 IoCs
description pid Process procid_target
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 2204 wrote to memory of 1908 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 28
PID 1908 wrote to memory of 2760 1908 svchost.exe 30
PID 1908 wrote to memory of 2760 1908 svchost.exe 30
PID 1908 wrote to memory of 2760 1908 svchost.exe 30
PID 1908 wrote to memory of 2760 1908 svchost.exe 30
PID 2204 wrote to memory of 2560 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 32
PID 2204 wrote to memory of 2560 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 32
PID 2204 wrote to memory of 2560 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 32
PID 2204 wrote to memory of 2560 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 32
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2524 wrote to memory of 2576 2524 TXPlatforn.exe 33
PID 2760 wrote to memory of 2656 2760 cmd.exe 34
PID 2760 wrote to memory of 2656 2760 cmd.exe 34
PID 2760 wrote to memory of 2656 2760 cmd.exe 34
PID 2760 wrote to memory of 2656 2760 cmd.exe 34
PID 2204 wrote to memory of 2456 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 37
PID 2204 wrote to memory of 2456 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 37
PID 2204 wrote to memory of 2456 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 37
PID 2204 wrote to memory of 2456 2204 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe 37
PID 2464 wrote to memory of 2388 2464 svchost.exe 38
PID 2464 wrote to memory of 2388 2464 svchost.exe 38
PID 2464 wrote to memory of 2388 2464 svchost.exe 38
PID 2464 wrote to memory of 2388 2464 svchost.exe 38
Processes
C:\Users\Admin\AppData\Local\Temp\a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe (depth 1, PID 2204)
    command line: "C:\Users\Admin\AppData\Local\Temp\a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    ⤵ C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2, PID 1908)
        command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        ⤵ C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2760)
            command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            - Suspicious use of WriteProcessMemory

            ⤵ C:\Windows\SysWOW64\PING.EXE (depth 4, PID 2656)
                command line: ping -n 2 127.0.0.1
                - Runs ping.exe

    ⤵ C:\Users\Admin\AppData\Local\Temp\svchos.exe (depth 2, PID 2560)
        command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        - Server Software Component: Terminal Services DLL
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory

    ⤵ C:\Users\Admin\AppData\Local\Temp\HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe (depth 2, PID 2456)
        command line: C:\Users\Admin\AppData\Local\Temp\HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\TXPlatforn.exe (depth 1, PID 2524)
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    ⤵ C:\Windows\SysWOW64\TXPlatforn.exe (depth 2, PID 2576)
        command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\svchost.exe (depth 1, PID 2624)
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

C:\Windows\SysWOW64\svchost.exe (depth 1, PID 2464)
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

    ⤵ C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (depth 2, PID 2388)
        command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259392050.txt",MainThread
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.2MB
MD5 29041b5b888c34f1862718b2c63e7124
SHA1 dbcc2864aff32785b34a9f7f01bea2e8d1836994
SHA256 687c44b96744538d6e35e4e79246899699a7ee8bc02fc70c34eed46721de6c5e
SHA512 986cab21863aac3566bb6aae619eaaa5284d2ce263569a0ef8362e7b8cdb9f30d40d826a02a8559b6d3c9fd2ce1d1b13ac42f0d91aab162c429062ef785a2e99
-
\Users\Admin\AppData\Local\Temp\HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Filesize 1.8MB
MD5 9ab6120cab1d4e4f0427f153d6aaf403
SHA1 3448c825c68a971e719b33dfe2c77b3034fddba7
SHA256 e4ac85654a88cad0e12b77902bdd372551fb1c56f9e98a863dcfe79861ccbaf4
SHA512 3cd31dff776c3e5b2cd776c480f7025d60b71889bc7b30d9f27e31c37f4a49aa6936146ae9ebbc42676c6b9205a8603684b2da48eef2ee8d7a332cc1b1c84c95
-
Filesize 93KB
MD5 3b377ad877a942ec9f60ea285f7119a2
SHA1 60b23987b20d913982f723ab375eef50fafa6c70
SHA256 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512 af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize 377KB
MD5 a4329177954d4104005bce3020e5ef59
SHA1 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize 50KB
MD5 3aa5cecd21b3fbe7873c557263e24453
SHA1 2fafa94f7817d720877ec5748b693a87aad5e3e7
SHA256 51bff5ab3e382b373b449c83e2fb45e1d1250ca0452b77e4662f8538dc8d79b2
SHA512 9286d4e074da313ff5ef7c2cc151ca5256f30457f4372c18fedcebe63c04ec1a9ed79d1d36ba87cfbc5719f9536556e95ec68ddd8fb8b8ea65240b8ac0d1b184
-
Filesize 43KB
MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d