Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

670ac768b9...de.exe

windows7-x64

10

670ac768b9...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/09/2024, 08:04 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe

  • Size

    4.5MB

  • MD5

    1707a2a98b639c97bd89a25a13d2c9d2

  • SHA1

    fb3b16386450da9bcfc374459134d7bc6a178cab

  • SHA256

    670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de

  • SHA512

    f6e623b32b5fc8176cf43b95b80969d5519b78420f9fd868fa71b2429476320a701ffdd3a6fb3acf44b0be3b148b0bae27a68dcd86b1b811dbb2b5145c0368c9

  • SSDEEP

    49152:709XJt4HIN2H2tFvduySrbXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4O8b8R:oZJt4HINy2LkrbXsPN5kiQaZ56

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 9 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe
    "C:\Users\Admin\AppData\Local\Temp\670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2504
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2660
    • C:\Users\Admin\AppData\Local\Temp\HD_670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe
      C:\Users\Admin\AppData\Local\Temp\HD_670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2740
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2356

Network

  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.4MB

    MD5

    683880ec4fa71981918299cda8dda1c2

    SHA1

    e3bf66ea8dd0baabd4846bba30c37a221aedabc2

    SHA256

    236093b98e9e1c65ede5b9eda3874e38579c8524e15f4fdacbbd2bb61fda7fdb

    SHA512

    1342f2fab5640716c4f3d7bb72401f9d528f0986f6eb697014cabfd655fbc8c21083b44f88d131bdc0e773e5df4f4c7774d533a10de7049df34e87c99639d07b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\HD_670ac768b90031b314cb4bbdbc3c8886bee2c3736d36f946958c4e236498e5de.exe
    Filesize

    3.1MB

    MD5

    fb083acd60fe5c3156dc25442be815e3

    SHA1

    61df59b8f3ebd8b3d29ca3aedc4995e23cacf6d8

    SHA256

    f130b3789962d5c8b59aa250d6f26ad5945928f3905b32bf65aa7bd30348a794

    SHA512

    7147337d2c1006bb15cfa967c9eea6826b63c8d343f866e7454d7368d25019f39e52cf179500810834244c3ca9644d6c0df0b2c3128a9051e9ee6b428fa926f6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • memory/1232-8-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1232-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1232-9-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1232-5-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2356-67-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2356-71-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2356-54-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2356-72-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2516-18-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2516-66-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.