Overview

overview

10

Static

static

3

a0ac9fbd35...98.exe

windows7-x64

10

a0ac9fbd35...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 18:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe

  • Size

    2.5MB

  • MD5

    9b0640e26f4a635784ce9a1f9da6bc5a

  • SHA1

    db778a3f89eaa321b1f8764b188369f4cc06fb71

  • SHA256

    a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98

  • SHA512

    1fd355695b74464b784bd4505a8b712e3f215075d9458efef044d0ef2f57ca0b2f7a7db006c29a987089b728c651870e8ad4fc4993ba93f717933bc1efc6f0bf

  • SSDEEP

    49152:vCwsbCANnKXferL7Vwe/Gg0P+WhzaUteEDT:6ws2ANnKXOaeOgmhzaUteEn

Score
10/10
gh0stratpurplefoxpersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 8 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 6 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe
    "C:\Users\Admin\AppData\Local\Temp\a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:824
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:4652
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2732
    • C:\Users\Admin\AppData\Local\Temp\HD_a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe
      C:\Users\Admin\AppData\Local\Temp\HD_a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe
      2⤵
      • Executes dropped EXE
      PID:4740
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:1340
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240652906.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1188
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1080
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:4900
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:2536

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
              Filesize

              2.3MB

              MD5

              16990afab31c3a30601bbea221dfa4ed

              SHA1

              41f18d51dcf3668b6bfe3ca7641b7af5bcac9296

              SHA256

              473bbc262f4b4b94623a9e7defb67a68ad67c533f37eb2576302b78d08d92803

              SHA512

              043bdeec335c9ead01ecd271f37a9a0570e4132c2fc59f69472e1c783411284cd79e0dcfeb66369ea8da66346bc63bbf935cc87bc41a4e1710ba9e6c61e9d038

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\HD_a0ac9fbd354049da4e21371185ea9cf5f065c963bd2869bb039c91bce36d1f98.exe
              Filesize

              228KB

              MD5

              d52fb441628c4da9277efa98845fe17f

              SHA1

              985f24a9bfd95a411159d01f98acc3c99eb407cb

              SHA256

              d17de3ce45592dd49966fba823a323a971678be0631af2c49374545eab6fd9b5

              SHA512

              5eb143a7e97754162a57fbc4ea557d72d9959600024a3c4eb3fcadee1ba80ccf785cda66fd841163bee3e4846ae53d6c8fb75b390859860d673a5769c9002492

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\N.exe
              Filesize

              377KB

              MD5

              4a36a48e58829c22381572b2040b6fe0

              SHA1

              f09d30e44ff7e3f20a5de307720f3ad148c6143b

              SHA256

              3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

              SHA512

              5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\R.exe
              Filesize

              941KB

              MD5

              8dc3adf1c490211971c1e2325f1424d2

              SHA1

              4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

              SHA256

              bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

              SHA512

              ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\RCXC63B.tmp
              Filesize

              2.3MB

              MD5

              89a5be25baa4ae1a4837d6c5eea42560

              SHA1

              01bb04adb4ad68651cdfd5bd04be40002e24b74b

              SHA256

              454b9cccd0841731af52eafe5887d4faf0cc42f7bca5f413b84050b66c59d8cc

              SHA512

              cbc631c55714f425b53c496a935a8ea74acc975cb15d18abb5424c081148e83ec2c3d6043c4d54f1f40c5b4ea741c0dc5080c49be29094a4caf49608f65134ec

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\X.ico
              Filesize

              69KB

              MD5

              e33fb6d686b1a8b171349572c5a33f67

              SHA1

              29f24fe536adf799b69b63c83efadc1bce457a54

              SHA256

              020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

              SHA512

              cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

              Download Submit

            • C:\Windows\SysWOW64\240652906.txt
              Filesize

              899KB

              MD5

              376715c8476a70023c74dbebab6243e7

              SHA1

              131c91a74904e712e64d76091f79bc57c673f373

              SHA256

              5dbfc14797b59880aee82296dbad9845f03c9cc8e1f52a4673d010048590aa64

              SHA512

              9dce2ec3713d3fd637740fef86ed8f28fd91d863704648177bbcd47034daa1c54084a9af58c07ea1d9cb9c5464256fa99e34833bbea613637730b608b55209fa

              Download Submit

            • C:\Windows\SysWOW64\Remote Data.exe
              Filesize

              60KB

              MD5

              889b99c52a60dd49227c5e485a016679

              SHA1

              8fa889e456aa646a4d0a4349977430ce5fa5e2d7

              SHA256

              6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

              SHA512

              08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

              Download Submit

            • memory/1080-29-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/1080-31-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/1080-32-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3588-14-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3588-16-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3588-15-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/3588-12-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4900-42-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4900-47-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4900-39-0x0000000010000000-0x00000000101B6000-memory.dmp

              Filesize

              1.7MB

              Download