Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
25-09-2024 16:48
General
-
Target
65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a.exe
-
Size
2.2MB
-
MD5
f0e2f2f26ef1e2b99b56f27651f72330
-
SHA1
92e2b5467a0c9af9579c3f0c9448d5b2daa0b5b5
-
SHA256
65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a
-
SHA512
9b5a0ffd86e36c510a3f8f0b9263431cf8d4adf1fa3abcb66c4c2ee60ebbd22806e738c02711d4685c56276db895390cfcee59e8a2ecfeff19afe5fcf90cb969
-
SSDEEP
49152:jQZAdVyVT9n/Gg0P+WhowZPItx2apeapelI:EGdVyVT9nOgmhStUvlI
Malware Config
Signatures
-
Detect PurpleFox Rootkit 11 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 12 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a.exe"C:\Users\Admin\AppData\Local\Temp\65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\HD_65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a.exeC:\Users\Admin\AppData\Local\Temp\HD_65ca10479fc6ee6d8f9a276878a5313b4145776c505e7d23e8716c42f740fc4a.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240625765.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
645KB
MD500eae789b0aab1b0fbd23b830fbf1064
SHA1e4e5fd089f6ae17c83f073cf91edc9db8189980d
SHA2567addb2269266ac471a690802cab54539b40c2ae5b31e2120fdcf8dfb0ed15dc7
SHA51223a0e06b39f8b5a932ae5b8f60704ba265332b341ac8bab5b74b2f31f04ce8c7fe6f77278d70c7685cfa894ab0e25a70d89990f5f643b54c07337f90fa5943fb
-
Filesize
1.6MB
MD576008dc9b5a8611d12437cc10cc35b74
SHA17466f019bae6a24a4eb52495859cde3107b6a690
SHA2567d1532062c945ee2be6f84d18af7b3b1b2a616b4c73d36f75a0309dec9433540
SHA51250989791ed7a6ba6612e87dd96085a1a5b70749835610411adfef58043d8e9f2e9a3a92cdf7284aec47374bd51e90cf34620acf888ae29a16cabbc6e175c457f
-
Filesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize
50KB
MD53c39c2513682bb13dc599cc6253d0068
SHA1645ee9b12724ea99d9551db4d14882d9e0c4346d
SHA256bab2ed9ff9f6136bd9a6885a96b109477310b233e05e7d9b9a7d0263ffce8d23
SHA512b451ddeb1e28531dadc2f7d91d23f77468d0a5ce02168591bfd36e53b47e6e6c3610dc34b23410ece204429d3d7c6d1d1b2b14ff7e4f8c922407182fc6f11d48
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB