Analysis

max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2024 18:16
Static task: static1
Behavioral task: behavioral1
  Sample: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  Resource: win7-20240508-en
General

Target: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Size: 1.8MB
MD5: 30bcad09887a8c6462d790f651cd38d6
SHA1: 768f79b650a9e8556d01b3d4539087da177d5590
SHA256: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a
SHA512: 5242f02ac83ad49e770f8957b66ef1bfaab9d019d28aa651f338e796e185d9a2ae7aa60a4a212b0ec9477ea6bc59cc503789d02e955bde023dd268b51208716f
SSDEEP: 24576:D09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+mCgI9TTqOwjR8zO:D09XJt4HIN2H2tFvduySYCgI93qO+B
Malware Config
Signatures
YARA rule purplefox_rootkit 7 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2400-8-0x0000000010000000-0x00000000101B6000-memory.dmp    purplefox_rootkit
  behavioral1/memory/2400-9-0x0000000010000000-0x00000000101B6000-memory.dmp    purplefox_rootkit
  behavioral1/memory/2864-35-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2864-34-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2864-36-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2864-39-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
  behavioral1/memory/2864-41-0x0000000010000000-0x00000000101B6000-memory.dmp   purplefox_rootkit
Gh0st RAT payload 7 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2400-8-0x0000000010000000-0x00000000101B6000-memory.dmp    family_gh0strat
  behavioral1/memory/2400-9-0x0000000010000000-0x00000000101B6000-memory.dmp    family_gh0strat
  behavioral1/memory/2864-35-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2864-34-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2864-36-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2864-39-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
  behavioral1/memory/2864-41-0x0000000010000000-0x00000000101B6000-memory.dmp   family_gh0strat
Drops file in Drivers directory 1 IoCs
  description   ioc                                         Process
  File created  C:\Windows\system32\drivers\QAssist.sys     TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description      ioc                                                                                                              Process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"              TXPlatforn.exe
Executes dropped EXE 7 IoCs
  pid   Process
  2400  RVN.exe
  3052  TXPlatforn.exe
  2628  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  2864  TXPlatforn.exe
  1128  Process not Found
  640   HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  2200  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe

Loads dropped DLL 6 IoCs
  pid   Process
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  3052  TXPlatforn.exe
  2628  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  640   HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe

YARA rule upx 9 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2400-5-0x0000000010000000-0x00000000101B6000-memory.dmp    upx
  behavioral1/memory/2400-8-0x0000000010000000-0x00000000101B6000-memory.dmp    upx
  behavioral1/memory/2400-9-0x0000000010000000-0x00000000101B6000-memory.dmp    upx
  behavioral1/memory/2864-32-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2864-35-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2864-34-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2864-36-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2864-39-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
  behavioral1/memory/2864-41-0x0000000010000000-0x00000000101B6000-memory.dmp   upx
Drops file in System32 directory 2 IoCs
  description                  ioc                                   Process
  File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe    RVN.exe
  File created                 C:\Windows\SysWOW64\TXPlatforn.exe    RVN.exe

Drops file in Program Files directory 4 IoCs
  description                  ioc                                                          Process
  File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe   79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe                  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  File created                 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe   79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe                         79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe 1 TTPs 1 IoCs
  pid   Process
  2652  PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid   Process
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe

Suspicious behavior: LoadsDriver 1 IoCs
  pid   Process
  2864  TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
  description                         pid   Process
  Token: SeIncBasePriorityPrivilege   2400  RVN.exe
  Token: SeLoadDriverPrivilege        2864  TXPlatforn.exe
  Token: 33                           2864  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege   2864  TXPlatforn.exe
  Token: 33                           2864  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege   2864  TXPlatforn.exe

Suspicious use of SetWindowsHookEx 11 IoCs
  pid   Process
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe (2 times)
  2628  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe (3 times)
  640   HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe (3 times)
  2200  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe (3 times)

Suspicious use of WriteProcessMemory 32 IoCs
  pid   Process                                                                    -> target pid (procid_target)   count
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe      -> 2400 (28)                    7
  2400  RVN.exe                                                                    -> 2748 (30)                    4
  3012  79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe      -> 2628 (32)                    4
  3052  TXPlatforn.exe                                                             -> 2864 (33)                    7
  2748  cmd.exe                                                                    -> 2652 (34)                    4
  2628  HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe   -> 640 (35)                     3
  640   HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe   -> 2200 (36)                    3
Processes

C:\Users\Admin\AppData\Local\Temp\79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe  (PID 3012, depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RVN.exe  (PID 2400, depth 2)
        command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 2748, depth 3)
            command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\PING.EXE  (PID 2652, depth 4)
                command line: ping -n 2 127.0.0.1
                - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe  (PID 2628, depth 2)
        command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe  (PID 640, depth 3)
            command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe  (PID 2200, depth 4)
                command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\TXPlatforn.exe  (PID 3052, depth 1)
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TXPlatforn.exe  (PID 2864, depth 2)
        command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
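The chain above has two detection-worthy stages: the dropper RVN.exe erasing itself through a cmd.exe "ping -n 2 127.0.0.1 && del" delay, and TXPlatforn.exe -acsi writing QAssist.sys into the drivers directory, pointing the QAssist service ImagePath at it, and loading it. The following is an added example of detection logic for that chain, not part of the sandbox report: it runs over constructed Sysmon-shaped records (EventID 1 process create, 6 driver load, 11 file create, 13 registry set) whose paths, PIDs and values are taken from the tables above; the record layout, the rule names and the absence of a parent PID on the two root processes are assumptions.

```python
"""Detection logic for the RVN.exe self-delete and TXPlatforn.exe / QAssist.sys
driver-install chain from this sandbox report.

Added example, not code from the report. EVENTS are constructed, Sysmon-shaped
records (EventID 1/6/11/13) built from the report's process tree and IoC tables.
"""
import re
from collections import defaultdict

SAMPLE = "79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYSWOW = r"C:\Windows\SysWOW64"

# Constructed events. PIDs, paths and command lines are the report's own; the
# Sysmon field names and ParentProcessId=None for the root processes are assumed.
EVENTS = [
    {"EventID": 1, "ProcessId": 3012, "ParentProcessId": None,
     "Image": TEMP + "\\" + SAMPLE, "CommandLine": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"EventID": 1, "ProcessId": 2400, "ParentProcessId": 3012,
     "Image": TEMP + r"\RVN.exe", "CommandLine": TEMP + r"\\RVN.exe"},
    {"EventID": 11, "ProcessId": 2400, "Image": TEMP + r"\RVN.exe",
     "TargetFilename": SYSWOW + r"\TXPlatforn.exe"},
    {"EventID": 1, "ProcessId": 2748, "ParentProcessId": 2400, "Image": SYSWOW + r"\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del "
                    + TEMP + r"\RVN.exe > nul"},
    {"EventID": 1, "ProcessId": 2652, "ParentProcessId": 2748,
     "Image": SYSWOW + r"\PING.EXE", "CommandLine": "ping -n 2 127.0.0.1"},
    {"EventID": 1, "ProcessId": 3052, "ParentProcessId": None,
     "Image": SYSWOW + r"\TXPlatforn.exe", "CommandLine": SYSWOW + r"\TXPlatforn.exe -auto"},
    {"EventID": 1, "ProcessId": 2864, "ParentProcessId": 3052,
     "Image": SYSWOW + r"\TXPlatforn.exe", "CommandLine": SYSWOW + r"\TXPlatforn.exe -acsi"},
    {"EventID": 11, "ProcessId": 2864, "Image": SYSWOW + r"\TXPlatforn.exe",
     "TargetFilename": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"EventID": 13, "ProcessId": 2864, "Image": SYSWOW + r"\TXPlatforn.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
     "Details": r"system32\DRIVERS\QAssist.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\system32\drivers\QAssist.sys"},
]

# "ping -n N 127.0.0.1 ... && del <path>": a sleep-then-delete idiom; the target path is captured.
SELF_DELETE_RE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1.*?&&\s*del\s+(?P<target>[^\s>&]+)", re.IGNORECASE)
DRIVER_FILE_RE = re.compile(r"\\drivers\\([^\\]+\.sys)$", re.IGNORECASE)
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\ImagePath$", re.IGNORECASE)


def _process_table(events):
    """Map pid -> its process-create record (EventID 1)."""
    return {e["ProcessId"]: e for e in events if e["EventID"] == 1}


def ancestry(events, pid):
    """Follow ParentProcessId links upward; returns [pid, parent, grandparent, ...]."""
    procs = _process_table(events)
    chain = []
    while pid in procs and pid not in chain:   # stop at an unknown parent or a cycle
        chain.append(pid)
        pid = procs[pid].get("ParentProcessId")
    return chain


def detect(events):
    """Return a list of findings; each is a dict with a 'rule' key and supporting fields."""
    procs = _process_table(events)
    findings = []
    per_pid = defaultdict(dict)   # pid -> {"dropped": driver name, "registered": driver name}

    for e in events:
        eid = e["EventID"]
        if eid == 1 and e["Image"].lower().endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(e["CommandLine"])
            parent = procs.get(e.get("ParentProcessId"))
            # Only fire when the deleted path is the parent's own image: true self-deletion.
            if m and parent and m["target"].lower() == parent["Image"].lower():
                findings.append({"rule": "self_delete_via_ping", "pid": e["ProcessId"],
                                 "deleted": m["target"], "by": parent["ProcessId"]})
        elif eid == 11:
            m = DRIVER_FILE_RE.search(e["TargetFilename"])
            if m:
                per_pid[e["ProcessId"]]["dropped"] = m[1].lower()
                findings.append({"rule": "driver_dropped", "pid": e["ProcessId"],
                                 "file": e["TargetFilename"], "image": e["Image"]})
        elif eid == 13:
            m = IMAGEPATH_RE.search(e["TargetObject"])
            if m and e["Details"].lower().endswith(".sys"):
                per_pid[e["ProcessId"]]["registered"] = e["Details"].rsplit("\\", 1)[-1].lower()
                findings.append({"rule": "service_imagepath_to_driver", "pid": e["ProcessId"],
                                 "service": m[1], "imagepath": e["Details"]})

    # Correlate: the same process dropped a .sys and registered it as a service ImagePath.
    loaded = {e["ImageLoaded"].rsplit("\\", 1)[-1].lower() for e in events if e["EventID"] == 6}
    for pid, seen in per_pid.items():
        name = seen.get("dropped")
        if name and seen.get("registered") == name:
            rule = "dropped_driver_installed_and_loaded" if name in loaded else "dropped_driver_installed"
            findings.append({"rule": rule, "pid": pid, "driver": name})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
    print("lineage of PING.EXE:", ancestry(EVENTS, 2652))
```

The self-delete rule deliberately requires the deleted path to equal the parent's image; a bare "ping && del" match also fires on benign installers cleaning up a temp file. The driver rule is the one worth escalating on: a file written under \drivers\ plus a Services\...\ImagePath pointing at the same .sys from one non-installer process, followed by a driver-load event for that name, is the sequence this report shows for TXPlatforn.exe (PID 2864).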
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not recorded on the page)
  Filesize: 1.4MB
  MD5: 1505f0ff8148e1dde194baa95ad564c4
  SHA1: 44e50a3bc1c403de557134b2e533b4263a400701
  SHA256: 7b2dfa33b8aad1923d2a84091d90a41e6c9c6cf5d812e91986fe37d0d172d35b
  SHA512: f7c873742976331d734b79b7f80b1d106882b255923eab9c425322c37396f741b819da8dd1ab268c5137ad3d4a31b2f49d235ac770569fc9188bf9ea378221c6

\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  Filesize: 350KB
  MD5: 9099419b50867f05ce9c940d51b232f7
  SHA1: 3e8285c0d4520c06f8c7782da6034b5e2f97527d
  SHA256: 3e60b27745a7ee88cd3facfcb5602dfcf3e09389d173282e6b945807c39e42a3
  SHA512: 79d62710a5aad08c07a06e769434deb4b7cd6933e804a3f9d0cab0ba7e0d6d8fe38763cde1057f419e5c0411fca29e2f4b9ddb1892918a24226c35ff111b7d9c

(path not recorded on the page)
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4