Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
16-08-2024 07:59
General
-
Target
bdc1246dde3caddfe5e193b1a649f5f0N.exe
-
Size
8.2MB
-
MD5
bdc1246dde3caddfe5e193b1a649f5f0
-
SHA1
8d79d61cc24872b121b22d87cbf708df321680e8
-
SHA256
f7c0bb76949619b9aeecab860f7cc5dc9cf013419e10aaca1daef8aafae1fea0
-
SHA512
86d2247c34c8da4e91d9ca558ad018cb2c10f3e752dcf70c682c2eaf1fa813a629de48671933bf9ac81ea9f7a396cb227cbff3a9c0b1f7f5f9828e9186602dca
-
SSDEEP
196608:cphvilM0yV46scL0prmkBE7yqXhkUtf+woXFmtFULPW+iA7zc7HIw:2hvilMzdH2yNhkkfAX0FUa+N7zc7HIw
Malware Config
Signatures
-
Detect PurpleFox Rootkit 3 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 61 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdc1246dde3caddfe5e193b1a649f5f0N.exe"C:\Users\Admin\AppData\Local\Temp\bdc1246dde3caddfe5e193b1a649f5f0N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Temp\´°¿Úͬ²½1.7.exe"C:\Users\Admin\AppData\Local\Temp\Temp\´°¿Úͬ²½1.7.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_´°¿Úͬ²½1.7.exe"C:\Users\Admin\AppData\Local\Temp\._cache_´°¿Úͬ²½1.7.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp\tuoke.exe"C:\Users\Admin\AppData\Local\Temp\Temp\tuoke.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_tuoke.exe"C:\Users\Admin\AppData\Local\Temp\._cache_tuoke.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\_CACHE~2.EXE > nul4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\Stlme.exeC:\Windows\SysWOW64\Stlme.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Stlme.exeC:\Windows\SysWOW64\Stlme.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5678e212c1fcf0be623270e5a85cdf08b
SHA104bdb5bc82ae7e722dbdefe36701953bcdd06a02
SHA25605e7a0e8a48bdf39a1af82979b849800baad53a0881d181273052ac7b618ada0
SHA512753cb609bf1fadc427beae3b3adff6345aedd8f36c48aafca1ba6610bf26fbf6f9a0e9b4b23f94b7ccf49b1dddcf85020159aaa2a9bcb9603f8668654e0fdb92
-
Filesize
7.3MB
MD59c3809f7aaf1945f45dd315da63552f2
SHA1943ecdbfed56ef4d91b6ecf782335fcce1b57378
SHA25688f313959f0d92281d4e4860e479e9226b1d54d4405dc5d1ca02bab764355341
SHA51288c09ae6256114d62d52a64226177617beb1a08dedcc08bdd0e93322a34f5e3b63cf268f6c319bf403c4871292271baef6ba7e52580a7d9e4ab04089f9ae8d2f
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
2.1MB
MD54b5baf368b8c19f0d5d4d0f92265f330
SHA14561aa2a5252e8f147d9db3187cb02bc8d25329a
SHA256da90d075b283fe4920890121e920e7612799c5d22401838e325a137977e9c236
SHA512c594af423339134e7a71dd9d485dc5cb7fa51d65d64ab04b45f0575992ed097cb543f8b82451f3d929ef1fd11a6c3fcfb85e7a1fc2254b3b991add93e9ce6565
-
Filesize
8.1MB
MD5929a3a2c990157418992fedcde6683b5
SHA1f5aeb38194602d57763a79117517c88eeea514c8
SHA25609e95265b3872f6e4ea43993e655567d6aab346f5139f5189fcec9e956a4f987
SHA5121417ee189f06ce1484517a8509a202237d8a1075e16b7efc3a092aa0cb56ba58e6a250970e4dd79bfb275f64a3b6735974d38332c21416b0500ea4729fbb6ae5
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
112KB
-
Filesize
112KB
-
Filesize
8.1MB
-
Filesize
4KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
2.0MB
-
Filesize
2.0MB