Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/06/2024, 19:56 UTC

General

  • Target

    ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe

  • Size

    4.4MB

  • MD5

    b933d3ff5586158df3d6ef7320e66e96

  • SHA1

    4a7a634dd6a57b139713c1db04e0bf4282bd3fb8

  • SHA256

    ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557

  • SHA512

    4ff1ca7557708a125c560a642c903e05d7d7b4899e5685e4354df6505524e26504e35d47ce42db606a71941333792d8cf0707ea31b9c651e1dc7a4e4832e2369

  • SSDEEP

    49152:mCwsbCANnKXferL7Vwe/Gg0P+WhrGDY89OLqGdsyOTlXWc/lMhJ0CITqaYLjCXUS:Rws2ANnKXOaeOgmh037ahSnqaY7hPk

Malware Config

Signatures

  • Detect PurpleFox Rootkit 8 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe
    "C:\Users\Admin\AppData\Local\Temp\ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      PID:2236
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2584
    • C:\Users\Admin\AppData\Local\Temp\HD_ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe
      C:\Users\Admin\AppData\Local\Temp\HD_ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2752
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2860

Network

  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatfor.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
    No results found
  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatfor.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    2.6MB

    MD5

    a8d3cb4cbf05f6088e80bb5c7f53b31e

    SHA1

    5373d2fe0862f17108d591104e3853bf3874ccf5

    SHA256

    f72f0a48ff3d5b0e291bb0fec138ac276ccc2df0991917514e20afcf508afe1d

    SHA512

    6fe5a2244caa786ca8e39f57ff0a351a54732007f2a1c4feddc70937ebf28785e991d910e482005a0c1d3d97c61de4871afd2acffeb11ed4f5a2d3f280213c3f

  • C:\Users\Admin\AppData\Local\Temp\HD_ce3257d47fbbd3b7df81f9fdd21ccacd6dbe445e596ac797471b631c5a248557.exe

    Filesize

    1.8MB

    MD5

    00975f432058d84a1b5a430e53d8833e

    SHA1

    3e419fb8c42deffeb186941865fc9b6f33b4ae34

    SHA256

    6b07d17730686830855e5c8085f9cd0f022e072c16147524493301fdeeb44284

    SHA512

    c67989895d76bc329f2a6390db62c56cb3ffc20ff411b67b151e50dc65542bebf378873e8ef5192d1d759a8ce017cfe38f2fc51a46b5fede2946235dd8116282

  • C:\Users\Admin\AppData\Local\Temp\N.exe

    Filesize

    377KB

    MD5

    4a36a48e58829c22381572b2040b6fe0

    SHA1

    f09d30e44ff7e3f20a5de307720f3ad148c6143b

    SHA256

    3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

    SHA512

    5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

  • C:\Users\Admin\AppData\Local\Temp\R.exe

    Filesize

    941KB

    MD5

    8dc3adf1c490211971c1e2325f1424d2

    SHA1

    4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

    SHA256

    bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

    SHA512

    ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

  • \Windows\SysWOW64\259398384.txt

    Filesize

    899KB

    MD5

    a88c0dc0bb94bc687a6177186d020c09

    SHA1

    da41cdbce9fa2573bd52198149b7f5e7dce611b3

    SHA256

    7c5470daa7c3e1b5af1f223bb459c3ed36063852ba84a576a03207782c648f42

    SHA512

    1f4e7f754a20d6387d05bc8e4c6015ae5747fb32acd016c8e3bb398fffb92d6b6fd319d3e6c41deeb7b22a09bdb1df788492615149591d744db892d77b249c8b

  • memory/2196-26-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2196-36-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2384-13-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2384-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2384-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2384-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2860-44-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2860-46-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2860-49-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB
