Analysis

max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 18:16
Static task: static1
Behavioral task: behavioral1
Sample: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Resource: win7-20240508-en
General

Target: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Size: 1.8MB
MD5: 30bcad09887a8c6462d790f651cd38d6
SHA1: 768f79b650a9e8556d01b3d4539087da177d5590
SHA256: 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a
SHA512: 5242f02ac83ad49e770f8957b66ef1bfaab9d019d28aa651f338e796e185d9a2ae7aa60a4a212b0ec9477ea6bc59cc503789d02e955bde023dd268b51208716f
SSDEEP: 24576:D09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+mCgI9TTqOwjR8zO:D09XJt4HIN2H2tFvduySYCgI93qO+B
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/2484-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2484-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2484-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4656-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4656-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4656-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4656-24-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2184-32-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2184-47-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2184-77-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 10 IoCs
resource | yara_rule
behavioral2/memory/2484-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2484-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2484-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4656-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4656-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4656-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4656-24-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2184-32-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2184-47-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2184-77-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid | Process
2484 | RVN.exe
4656 | TXPlatforn.exe
756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
2184 | TXPlatforn.exe
528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
4900 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe

resource | yara_rule
behavioral2/memory/2484-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2484-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2484-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2484-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4656-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4656-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4656-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4656-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4656-24-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2184-32-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2184-47-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2184-77-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4264 | PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2184 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2484 | RVN.exe
Token: SeLoadDriverPrivilege | 2184 | TXPlatforn.exe
Token: 33 | 2184 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2184 | TXPlatforn.exe
Token: 33 | 2184 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2184 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
4900 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
4900 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
4900 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Suspicious use of WriteProcessMemory 18 IoCs
description | pid | Process | procid_target
PID 3980 wrote to memory of 2484 | 3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 81
PID 3980 wrote to memory of 2484 | 3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 81
PID 3980 wrote to memory of 2484 | 3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 81
PID 2484 wrote to memory of 2956 | 2484 | RVN.exe | 83
PID 2484 wrote to memory of 2956 | 2484 | RVN.exe | 83
PID 2484 wrote to memory of 2956 | 2484 | RVN.exe | 83
PID 3980 wrote to memory of 756 | 3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 84
PID 3980 wrote to memory of 756 | 3980 | 79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 84
PID 4656 wrote to memory of 2184 | 4656 | TXPlatforn.exe | 85
PID 4656 wrote to memory of 2184 | 4656 | TXPlatforn.exe | 85
PID 4656 wrote to memory of 2184 | 4656 | TXPlatforn.exe | 85
PID 2956 wrote to memory of 4264 | 2956 | cmd.exe | 87
PID 2956 wrote to memory of 4264 | 2956 | cmd.exe | 87
PID 2956 wrote to memory of 4264 | 2956 | cmd.exe | 87
PID 756 wrote to memory of 528 | 756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 88
PID 756 wrote to memory of 528 | 756 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 88
PID 528 wrote to memory of 4900 | 528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 89
PID 528 wrote to memory of 4900 | 528 | HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3980

  C:\Users\Admin\AppData\Local\Temp\RVN.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2484

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory
      PID: 2956

      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
        PID: 4264

  C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 756

    C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
      command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 528

      C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
        command line: C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 4900

C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4656

  C:\Windows\SysWOW64\TXPlatforn.exe
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 2184
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\HD_79c7eb6b4ad48fb0ac860497ff7d01e69f6e826f5c143572e92d65aa69e0462a.exe
Filesize: 350KB
MD5: 9099419b50867f05ce9c940d51b232f7
SHA1: 3e8285c0d4520c06f8c7782da6034b5e2f97527d
SHA256: 3e60b27745a7ee88cd3facfcb5602dfcf3e09389d173282e6b945807c39e42a3
SHA512: 79d62710a5aad08c07a06e769434deb4b7cd6933e804a3f9d0cab0ba7e0d6d8fe38763cde1057f419e5c0411fca29e2f4b9ddb1892918a24226c35ff111b7d9c

Filesize: 1.4MB
MD5: 1505f0ff8148e1dde194baa95ad564c4
SHA1: 44e50a3bc1c403de557134b2e533b4263a400701
SHA256: 7b2dfa33b8aad1923d2a84091d90a41e6c9c6cf5d812e91986fe37d0d172d35b
SHA512: f7c873742976331d734b79b7f80b1d106882b255923eab9c425322c37396f741b819da8dd1ab268c5137ad3d4a31b2f49d235ac770569fc9188bf9ea378221c6

Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4