Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-06-2024 18:05
- Static task: static1
- Behavioral task: behavioral1
- Sample: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- Resource: win7-20240220-en
General
- Target: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- Size: 3.0MB
- MD5: e92112446aa0d6fb8c5895fbeb4ef7ba
- SHA1: e0903eacac9caaf9e4e2be26e23ff49e71b4693d
- SHA256: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2
- SHA512: e0910ce4a12f6d5325a0ae4f036565eea18768694cff71ffc9f131f6396b29ea81c8c0195eb5abb773381b0fa67fe1319d2985ac822d22068453842007bcf18d
- SSDEEP: 49152:cQZAdVyVT9n/Gg0P+WhoE/Hnji88iCq4HBc7vwZNW6VqTx:dGdVyVT9nOgmhRPji88inKBGuwx
Malware Config
Signatures
-
Yara rule purplefox_rootkit 11 IoCs
resource (all matched by yara_rule purplefox_rootkit):
- behavioral2/memory/540-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-6-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-10-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-20-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-48-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-26-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-16-0x0000000010000000-0x00000000101B6000-memory.dmp
Gh0st RAT payload 12 IoCs
resource (all matched by yara_rule family_gh0strat):
- behavioral2/memory/540-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-6-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-10-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-20-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-48-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/files/0x0007000000023410-36.dat
- behavioral2/memory/3896-26-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-16-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in Drivers directory 1 IoCs
- File created: C:\Windows\system32\drivers\QAssist.sys (process: TXPlatforn.exe)
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240605812.txt" (process: svchos.exe)
  (the service name is a run of GBK bytes displayed as Latin-1; decoded as GBK it reads 主动防御服务模块, "active defense service module")
Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (process: TXPlatforn.exe)
Executes dropped EXE 6 IoCs
pid / Process:
- 540 svchost.exe
- 2280 TXPlatforn.exe
- 3896 TXPlatforn.exe
- 2412 svchos.exe
- 4900 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- 3368 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 3 IoCs
pid / Process:
- 2412 svchos.exe
- 1196 svchost.exe
- 3368 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
-
Yara rule upx 13 IoCs
resource (all matched by yara_rule upx):
- behavioral2/memory/540-4-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-7-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-6-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/540-10-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-15-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-20-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-39-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-47-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-48-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/3896-26-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-18-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-16-0x0000000010000000-0x00000000101B6000-memory.dmp
- behavioral2/memory/2280-14-0x0000000010000000-0x00000000101B6000-memory.dmp
Drops file in System32 directory 6 IoCs
- File created: C:\Windows\SysWOW64\TXPlatforn.exe (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\TXPlatforn.exe (process: svchost.exe)
- File created: C:\Windows\SysWOW64\240605812.txt (process: svchos.exe)
- File opened for modification: C:\Windows\SysWOW64\ini.ini (process: svchos.exe)
- File created: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (process: svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (process: svchost.exe)
Drops file in Program Files directory 5 IoCs
- File created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (process: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\vlc.exe (process: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (process: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (process: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
- File opened for modification: C:\Program Files\Mozilla Firefox\firefox.exe (process: a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
Drops file in Windows directory 2 IoCs
- File created: C:\Windows\ipB40sbD (process: HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
- File opened for modification: C:\Windows\ipB40sbD (process: HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid / Process:
- 636 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid / Process:
- 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Suspicious behavior: LoadsDriver 2 IoCs
pid / Process:
- 3896 TXPlatforn.exe
- 656 Process not Found
Suspicious use of AdjustPrivilegeToken 7 IoCs
description / pid / Process:
- Token: SeIncBasePriorityPrivilege, 540 svchost.exe
- Token: SeLoadDriverPrivilege, 3896 TXPlatforn.exe
- Token: SeDebugPrivilege, 4900 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- Token: 33, 3896 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, 3896 TXPlatforn.exe
- Token: 33, 3896 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, 3896 TXPlatforn.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid / Process:
- 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- 4900 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
- 4900 HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
Suspicious use of WriteProcessMemory 21 IoCs
description / pid / Process / procid_target (each entry is recorded 3 times in the report):
- PID 4812 wrote to memory of 540, 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe, procid_target 82
- PID 540 wrote to memory of 528, 540 svchost.exe, procid_target 86
- PID 2280 wrote to memory of 3896, 2280 TXPlatforn.exe, procid_target 87
- PID 4812 wrote to memory of 2412, 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe, procid_target 88
- PID 4812 wrote to memory of 4900, 4812 a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe, procid_target 91
- PID 528 wrote to memory of 636, 528 cmd.exe, procid_target 93
- PID 1196 wrote to memory of 3368, 1196 svchost.exe, procid_target 96
Processes
(process tree; nesting shows parent/child relationship, each entry gives image path, command line, matched signatures and PID)

- C:\Users\Admin\AppData\Local\Temp\a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4812
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 540
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      - Suspicious use of WriteProcessMemory
      PID: 528
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
        PID: 636
  - C:\Users\Admin\AppData\Local\Temp\svchos.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 2412
  - C:\Users\Admin\AppData\Local\Temp\HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_a3ff8e2c1225069881098297dc78e3241e78e6634bdd7b2ba1f4d9b2983859b2.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4900
- C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2280
  - C:\Windows\SysWOW64\TXPlatforn.exe
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 3896
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 1064
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1196
  - C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
    command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240605812.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 3368
Network
MITRE ATT&CK Enterprise v15
Downloads