Overview

overview

10

Static

static

10

3b2c20bfda...bd.exe

windows7-x64

10

3b2c20bfda...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24/09/2024, 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe

  • Size

    8.9MB

  • MD5

    1f9ad8367647ae321e2ab53f221ace48

  • SHA1

    e19db0c1288c81909378852c9130983bc65cfcfb

  • SHA256

    3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd

  • SHA512

    7aa1aa242288397027b690d2816763e37f30b87898e781bff617085d41737cfb0a620d9b690ad1abbef3e5b95d487da2601452595d3efc1d80c2fd953b850d04

  • SSDEEP

    196608:Dl1PkID0eA2EhGE9Fy1GlkkyzLSMo/Mpz0YIpP8L2+7/A1Yt:RFm2EgE9Fy0TOkMp1ImL2k/2Yt

Score
10/10
gh0stratneshtapurplefoxdiscoveryevasionpersistenceratrootkitspywarestealerthemidatrojan

Malware Config

Signatures

  • Detect Neshta payload 3 IoCs
  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
    "C:\Users\Admin\AppData\Local\Temp\3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Program Files\ddd\dadoudou_skd1.8.exe
      "C:\Program Files\ddd\dadoudou_skd1.8.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system executable filetype association
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start C:\Users\Admin\AppData\Local\Temp\\SB360.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2712
          • C:\Users\Admin\AppData\Local\Temp\SB360.exe
            C:\Users\Admin\AppData\Local\Temp\\SB360.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SB360.exe > nul
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 2 127.0.0.1
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2008
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÉÏ¿¨¶Ë.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Users\Admin\AppData\Local\Temp\ÉÏ¿¨¶Ë.exe
            C:\Users\Admin\AppData\Local\Temp\\ÉÏ¿¨¶Ë.exe
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
  • C:\Windows\SysWOW64\Phiya.exe
    C:\Windows\SysWOW64\Phiya.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\Phiya.exe
      C:\Windows\SysWOW64\Phiya.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Change Default File Association

1
T1546.001

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ÉÏ¿¨¶Ë.exe
    Filesize

    6.4MB

    MD5

    7fd0a3aa60c35d5eba5249f354216e02

    SHA1

    50eb2680fb4d1de48e542fbaea16aa85bdfd924f

    SHA256

    9392e25660fc55b43f03dfe57312ec0e6c540322640234caff8032f325050a72

    SHA512

    de5ad23ce99bf61595b436f0ca23179a3e577751dc2a91192f863329a38bae92c1e0ca85cd6f1ac548145cac1714b7a6b667e5891bde9d729a3a774fc4fa7551

    Download Submit

  • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
    Filesize

    252KB

    MD5

    9e2b9928c89a9d0da1d3e8f4bd96afa7

    SHA1

    ec66cda99f44b62470c6930e5afda061579cde35

    SHA256

    8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

    SHA512

    2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

    Download Submit

  • \Program Files\ddd\dadoudou_skd1.8.exe
    Filesize

    8.3MB

    MD5

    19c6b4bd8d9963b05ebf55a829a048d9

    SHA1

    16e5c75e74f1aa7cd5cc70d336f65c5d5f07a9e3

    SHA256

    e17205c47fed992a15c0b5e4520601a6aae94075c4b7d7902fe6192345d65545

    SHA512

    aab1ebf2033d1a7db2ca0928f9e38e8a5a78b86d4ac409c62b7047bf73ea4ee6560e937d30cbfa584e7dfc7ea1889eb59e883c44c5dac9cfd09322c2f91c7ef6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe
    Filesize

    8.2MB

    MD5

    e3583f6b5670ebec804bf2e7aa3cd325

    SHA1

    94b8fc19bcb0cb7c4267ecba71d3166c9fdd90de

    SHA256

    5afd815d7ad1bba7510f591d789e8efe10802a37a5e579d6ee9e7a26161c7524

    SHA512

    10607de92cadd9f200ae57180a10bc497fbb8a96004ed5eaad37ce2e5e76bf90ab6fef229401a584e4fd97ccb820930f0e464307d1ad2ec96ca397e7292eda03

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_4\krnln.fnr
    Filesize

    1.1MB

    MD5

    97c8fe752e354b2945e4c593a87e4a8b

    SHA1

    03ab4c91535ecf14b13e0258f3a7be459a7957f9

    SHA256

    820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

    SHA512

    af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\E_4\shell.fne
    Filesize

    56KB

    MD5

    d63851f89c7ad4615565ca300e8b8e27

    SHA1

    1c9a6c1ce94581f85be0e99e2d370384b959578f

    SHA256

    0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

    SHA512

    623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\SB360.exe
    Filesize

    1.3MB

    MD5

    81250dab88064c74cef402a33d906934

    SHA1

    ce063f39ccd18b5a9a1c0be221cd9f3bec557729

    SHA256

    3690b1a6c63b925b6f34a84e86befcb816c99e8d9bb06611520262310aeaa5f2

    SHA512

    497f8e9c57f8a45afc4b131a95ca6a1a897fad55773ac49aa0d47efd642518c0d028b59c9e54aa3b12551c1e0c99fa6e78f71f0fe5a9748d8f14b007e3e1cbf1

    Download Submit

  • memory/2140-19-0x0000000002630000-0x000000000263B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2140-160-0x0000000002630000-0x000000000263B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2140-163-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2140-161-0x0000000002630000-0x000000000263B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2140-167-0x0000000000400000-0x000000000041B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/2140-13-0x0000000002630000-0x000000000263B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2252-36-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2252-32-0x00000000003C0000-0x00000000003D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2252-20-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2688-44-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2840-56-0x00000000003A0000-0x0000000000F3A000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2840-120-0x00000000056B0000-0x0000000005726000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2840-132-0x0000000005DF0000-0x0000000005EA2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2840-146-0x0000000002E00000-0x0000000002E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2840-145-0x0000000002E00000-0x0000000002E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2840-114-0x00000000010F0000-0x000000000110A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2840-112-0x0000000001320000-0x000000000135A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2840-162-0x00000000003A0000-0x0000000000F3A000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2840-55-0x00000000003A0000-0x0000000000F3A000-memory.dmp

    Filesize

    11.6MB

    Download

  • memory/2840-165-0x0000000002E00000-0x0000000002E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2840-47-0x00000000003A0000-0x0000000000F3A000-memory.dmp

    Filesize

    11.6MB

    Download