Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

5379dd2fa1...be.exe

windows7-x64

10

5379dd2fa1...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/09/2024, 00:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe

  • Size

    2.7MB

  • MD5

    b486ce35cff944a1a5d833c2f6d59ac2

  • SHA1

    924aade26b361f075706de55a19b6c94d60ef5a2

  • SHA256

    5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe

  • SHA512

    1b2b47f6c1efbb1bd4d01c31ce6ad9d5dda388c2354c62b836ca0fefb8ba83324d038eaaf932433ae8141bae6d4b0d81adb3c6423f79425caacf7297cb5a278d

  • SSDEEP

    49152:aCwsbCANnKXferL7Vwe/Gg0P+Wh+4F64V:Nws2ANnKXOaeOgmhdB

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 9 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1816
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2640
    • C:\Users\Admin\AppData\Local\Temp\HD_5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe
      C:\Users\Admin\AppData\Local\Temp\HD_5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe
      2⤵
      • Executes dropped EXE
      PID:2156
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:2080
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259434264.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2456
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:3036

    Network

    • flag-us
      DNS
      hackerinvasion.f3322.net
      Remote Data.exe
      Remote address:
      8.8.8.8:53
      Request
      hackerinvasion.f3322.net
      IN A
      Response
    No results found
    • 8.8.8.8:53
      hackerinvasion.f3322.net
      dns
      Remote Data.exe
      70 B
       131 B
       1
      1

      DNS Request

      hackerinvasion.f3322.net

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HD_5379dd2fa1e21b4bbb686080d5d3d8e9787006ccd74e035214b534c1dff75ebe.exe
      Filesize

      226KB

      MD5

      b2b65f2569b7940e6d9152e87b5c86e8

      SHA1

      af3db7d76e5b46fd375689213145e9349cf34bb8

      SHA256

      e79e17925b72439954264b511a635e7750bafb178b7f17e9eb03648cabe209d0

      SHA512

      c683e1d8f8ac752e02f1896964b9b131d5a44be6e621886b0da134f28f58da1494d19eeb32f6452aab0080d95969b55a3351925ebe0fd8ba42896dd81c0e3da5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
      Filesize

      2.4MB

      MD5

      db30c64a68c21a816f6faf5eb4b13248

      SHA1

      816923d47f719cf12d364ffafd2f9441e9483776

      SHA256

      70ca45b56685c68ddcc3443c26023b4a99646eef3b292af091b4dea42a427e9b

      SHA512

      d5246435f4f00d5ca021efa284d642cc9db355b15b214e90afe1556eb16a181fe6b70bdd05482c951c9e039ffd0d4b5236f0e288c21cbf7d4adbfe5dbcc178ee

      Download Submit

    • \Users\Admin\AppData\Local\Temp\N.exe
      Filesize

      377KB

      MD5

      4a36a48e58829c22381572b2040b6fe0

      SHA1

      f09d30e44ff7e3f20a5de307720f3ad148c6143b

      SHA256

      3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

      SHA512

      5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\R.exe
      Filesize

      941KB

      MD5

      8dc3adf1c490211971c1e2325f1424d2

      SHA1

      4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

      SHA256

      bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

      SHA512

      ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

      Download Submit

    • \Windows\SysWOW64\259434264.txt
      Filesize

      899KB

      MD5

      3310669effdf3ad0b0165cc6ba66ce08

      SHA1

      0787e648e964a3bfdfe8256579a552d86a229d1e

      SHA256

      c62a646614e1a43c7de33d1a7606457f9bc514bf356131c9bcedaa540137ffa3

      SHA512

      7843911671a09f3f4403caa3bb89d846ca183dc53b450b6d14f2daff04f0599c085fab92a7ae5db0463937e5d8b198c26e9b3962ec0209ae2d577040eb1562c3

      Download Submit

    • \Windows\SysWOW64\Remote Data.exe
      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

      Download Submit

    • memory/2736-20-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2736-18-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2736-21-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-44-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-43-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-41-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-46-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-50-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3036-52-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.