Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/10/2024, 11:17 UTC

General

  • Target

    ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

  • Size

    13.8MB

  • MD5

    91f6f067afb0b7957728801b37c4ec97

  • SHA1

    8a5b517024449366839048e8a981498419fff2a8

  • SHA256

    ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f

  • SHA512

    d9954094b6dd673370d50e940ac877a2cbce9b7bde7158650268db0e9f64b6051dcf6b61afbd29d055f8f87e7689572535908e1faf7234a2a4f69754fbca9a27

  • SSDEEP

    393216:5irhlWxZXNwLL8ElWxZJNwqL80oHdRaMcGPj:4rhl6Qv8El6yC80QcGL

Malware Config

Signatures

  • Detect PurpleFox Rootkit 10 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
    "C:\Users\Admin\AppData\Local\Temp\ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1104
    • C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
      C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3064
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
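The cmd.exe under RVN.exe (PID 2388) is the usual ping-as-sleep self-deletion idiom: "ping -n 2 127.0.0.1" stalls for about a second so that the parent can exit, then "del" removes the parent's own image. Note also that the command line names C:\Windows\system32\cmd.exe while the image that actually ran is C:\Windows\SysWOW64\cmd.exe; that is WOW64 file-system redirection, which tells you RVN.exe is a 32-bit process. The Python below is an added example and not part of the tria.ge report: it flags the idiom in process-creation records and separates true self-deletion (the deleted path equals the parent image) from a generic sleep-then-delete. The records are constructed in a Sysmon-like shape (the first mirrors the report's command line, the others are invented), and the field names and rule names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Process-creation records in a Sysmon-like shape, constructed for this example.
# The first record mirrors the cmd.exe line in the report's process tree; the
# others are made up to exercise the quoted-path and non-self-delete branches.
EVENTS = [
    {"pid": 2388, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\RVN.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul"},
    {"pid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c ping -n 4 10.0.0.1 && echo gateway up"},
    {"pid": 6001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Tools\old build\updater.exe",
     "cmdline": r'cmd.exe /c ping -n 6 127.0.0.1 >nul & del /f /q "C:\Tools\old build\updater.exe"'},
    {"pid": 6100, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Tools\cleanup.exe",
     "cmdline": r"cmd.exe /c ping -n 3 localhost >nul && del C:\Tools\cache.tmp"},
]

# "ping -n N <loopback>" sends N echo requests about a second apart; cmd.exe
# scripts use it as a sleep because the shell has no built-in one.
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(?P<count>\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# A "del" somewhere after the ping, with optional switches and a quoted or bare path.
DEL_TARGET = re.compile(
    r'\bdel\b(?:\s+/\w)*\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s&|>]+))', re.I)


def _norm(path: str) -> str:
    """Comparison key for Windows paths: case-insensitive, quotes and padding dropped."""
    return path.strip().strip('"').lower()


@dataclass
class Finding:
    pid: int
    rule: str
    sleep_seconds: int
    deleted: Optional[str]


def analyze(ev: dict) -> Optional[Finding]:
    cmd = ev["cmdline"]
    m_ping = PING_SLEEP.search(cmd)
    if not m_ping:
        return None  # ping to a real host, or no ping at all: not this idiom
    count = int(m_ping.group("count")) if m_ping.group("count") else 4  # ping default is 4
    sleep = max(count - 1, 0)  # N requests give N-1 one-second gaps
    m_del = DEL_TARGET.search(cmd, m_ping.end())
    if not m_del:
        return Finding(ev["pid"], "ping_loopback_sleep", sleep, None)
    target = m_del.group("quoted") or m_del.group("bare")
    # The telling case: the file being deleted is the image of the process that
    # spawned this cmd.exe, i.e. the parent is erasing itself after a short delay.
    if _norm(target) == _norm(ev["parent_image"]):
        rule = "self_delete_via_ping"
    else:
        rule = "ping_sleep_then_delete"
    return Finding(ev["pid"], rule, sleep, target)


def scan(events) -> list:
    """Return one Finding per event that uses the ping-sleep idiom."""
    return [f for f in map(analyze, events) if f is not None]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"pid={f.pid} rule={f.rule} sleep~{f.sleep_seconds}s target={f.deleted}")
```

Match on the parent image rather than on the literal path of this sample, otherwise the rule only fires on this one dropper; the same idiom appears with timeout.exe in place of ping, which this example deliberately does not cover.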

Network

  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    Response (answer data not shown)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 73.31.126.40.in-addr.arpa IN PTR
    Response (answer data not shown)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response (answer data not shown)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 57.169.31.20.in-addr.arpa IN PTR
    Response (answer data not shown)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 53.210.109.20.in-addr.arpa IN PTR
    Response (answer data not shown)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 53.210.109.20.in-addr.arpa IN PTR
    (no response)
  • DNS (no process attributed) to 8.8.8.8:53
    Request: 18.31.95.13.in-addr.arpa IN PTR
    Response (answer data not shown)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    Response (answer data not shown)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    (no response)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    (no response)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    Response (answer data not shown)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    Response (answer data not shown)
  • DNS from TXPlatforn.exe to 8.8.8.8:53
    Request: hackerinvasion.f3322.net IN A
    Response (answer data not shown)

  • 8.8.8.8:53  hackerinvasion.f3322.net  dns  TXPlatforn.exe
    sent 70 B, received 131 B; 1 request, 1 response
    DNS Request: hackerinvasion.f3322.net
  • 8.8.8.8:53  73.31.126.40.in-addr.arpa  dns
    sent 71 B, received 157 B; 1 request, 1 response
    DNS Request: 73.31.126.40.in-addr.arpa
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns
    sent 74 B, received 128 B; 1 request, 1 response
    DNS Request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53  57.169.31.20.in-addr.arpa  dns
    sent 71 B, received 157 B; 1 request, 1 response
    DNS Request: 57.169.31.20.in-addr.arpa
  • 8.8.8.8:53  53.210.109.20.in-addr.arpa  dns
    sent 144 B, received 158 B; 2 requests, 1 response
    DNS Request: 53.210.109.20.in-addr.arpa
    DNS Request: 53.210.109.20.in-addr.arpa
  • 8.8.8.8:53  18.31.95.13.in-addr.arpa  dns
    sent 70 B, received 144 B; 1 request, 1 response
    DNS Request: 18.31.95.13.in-addr.arpa
  • 8.8.8.8:53  hackerinvasion.f3322.net  dns  TXPlatforn.exe
    sent 210 B, received 131 B; 3 requests, 1 response
    DNS Request: hackerinvasion.f3322.net
    DNS Request: hackerinvasion.f3322.net
    DNS Request: hackerinvasion.f3322.net
  • 8.8.8.8:53  hackerinvasion.f3322.net  dns  TXPlatforn.exe
    sent 70 B, received 131 B; 1 request, 1 response
    DNS Request: hackerinvasion.f3322.net
  • 8.8.8.8:53  hackerinvasion.f3322.net  dns  TXPlatforn.exe
    sent 70 B, received 131 B; 1 request, 1 response
    DNS Request: hackerinvasion.f3322.net
  • 8.8.8.8:53  hackerinvasion.f3322.net  dns  TXPlatforn.exe
    sent 70 B, received 131 B; 1 request, 1 response
    DNS Request: hackerinvasion.f3322.net
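Across the run TXPlatforn.exe issues seven A queries for hackerinvasion.f3322.net (the summary rows add up to 1+3+1+1+1) and two of them get no answer, while the PTR lookups are not attributed to any process in the report and so should not be treated as sample activity on this evidence alone. The Python below is an added example, not part of the report: it triages DNS-client log lines against the report's C2 hostname, groups queries per name with process attribution, counts queries that got no response and reports the gaps between successive queries as a beaconing hint. The log lines are constructed for the example (timestamps, statuses and the extra names are invented), and treating the whole f3322.net dynamic-DNS zone as a watchlist is this example's assumption, not something the report states.

```python
import re
from collections import defaultdict

# Indicator taken from the report above.
IOC_DOMAINS = {"hackerinvasion.f3322.net"}
# Assumption for this example: flag the whole f3322.net dynamic-DNS zone,
# not only the exact host the sample queried.
WATCHLIST_ZONES = {"f3322.net"}
# Statuses that mean no answer came back (as opposed to NXDOMAIN, which is an answer).
NO_RESPONSE = {"TIMEOUT", "-"}

# Constructed DNS-client log lines: time, querying process (or "-" when unknown),
# name, type, status. They imitate the report's pattern of repeated A queries
# from TXPlatforn.exe, some unanswered, plus unattributed PTR lookups; the
# timestamps, statuses and extra names are invented.
LOG_LINES = [
    "11:17:41 C:\\Windows\\SysWOW64\\TXPlatforn.exe hackerinvasion.f3322.net A NOERROR",
    "11:17:43 - 73.31.126.40.in-addr.arpa PTR NOERROR",
    "11:17:44 - 172.214.232.199.in-addr.arpa PTR NOERROR",
    "11:18:12 C:\\Windows\\SysWOW64\\TXPlatforn.exe hackerinvasion.f3322.net A TIMEOUT",
    "11:18:40 C:\\Windows\\SysWOW64\\TXPlatforn.exe hackerinvasion.f3322.net A TIMEOUT",
    "11:19:10 C:\\Windows\\SysWOW64\\TXPlatforn.exe hackerinvasion.f3322.net A NOERROR",
    "11:19:15 C:\\Users\\Admin\\browser.exe www.example.com A NOERROR",
    "11:19:20 C:\\Users\\Admin\\app.exe other-host.f3322.net A NXDOMAIN",
]

LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<proc>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<status>\S+)$")


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparseable DNS log line: {line!r}")
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["t"] = h * 3600 + mi * 60 + s  # seconds since midnight
    rec["qname"] = rec["qname"].rstrip(".").lower()
    rec["proc"] = None if rec["proc"] == "-" else rec["proc"]
    return rec


def in_zone(qname: str, zone: str) -> bool:
    """Label-boundary suffix match, so 'notf3322.net' does not match 'f3322.net'."""
    return qname == zone or qname.endswith("." + zone)


def verdict(qname: str) -> str:
    if qname in IOC_DOMAINS:
        return "ioc_match"
    if any(in_zone(qname, z) for z in WATCHLIST_ZONES):
        return "watchlist_zone"
    if qname.endswith(".in-addr.arpa") or qname.endswith(".ip6.arpa"):
        return "reverse_lookup"  # low signal on its own; often OS background traffic
    return "unclassified"


def triage(lines) -> dict:
    """Group queries by name; report verdict, volume, unanswered count,
    querying processes and the gaps between successive queries."""
    by_name = defaultdict(list)
    for rec in map(parse, lines):
        by_name[rec["qname"]].append(rec)
    result = {}
    for qname, recs in by_name.items():
        recs.sort(key=lambda r: r["t"])
        times = [r["t"] for r in recs]
        result[qname] = {
            "verdict": verdict(qname),
            "queries": len(recs),
            "no_response": sum(1 for r in recs if r["status"] in NO_RESPONSE),
            "processes": sorted({r["proc"] for r in recs if r["proc"]}),
            "gaps_s": [b - a for a, b in zip(times, times[1:])],
        }
    return result


if __name__ == "__main__":
    for name, info in triage(LOG_LINES).items():
        if info["verdict"] != "unclassified":
            print(name, info)
```

The per-name gap list is what turns a domain hit into a behavioural claim: roughly even spacing with retries after timeouts looks like a beacon loop, whereas a single query from a browser does not, even against the same name.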

MITRE ATT&CK Enterprise v15 (framework version used for the TTP labels in the Signatures section)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    584KB

    MD5

    312ccd4a3e3f198fa7f48dbc35feadb2

    SHA1

    d24b8625d1305b709cd0817295a9f89ea2a48710

    SHA256

    1c3d0187d4ff457e23bee62cf69a2aa5cf73f602ac209b596db47ecfabde8328

    SHA512

    5a26731958efb76763bfcb2805b8003077805e223ac5074ec34f921d658c85d8e3add84ca73e2cd55b2cd64ed59d60c9072d0af0535c22d9a148cdde670eae23

  • C:\Users\Admin\AppData\Local\Temp\HD_ecda9558b348e368631ff602448e2b189a7e5330bf17ed6774f8c824a011913f.exe

    Filesize

    13.3MB

    MD5

    2e06a4ed6985a6558cd0bae7d89fa439

    SHA1

    2c7662c1c376b2d69a9f3eac750f5ef1ca43af4d

    SHA256

    dc1a447a5b07da68c77d80c37c38dcc6799f9466d189daa16cf3ac48d8b8e28a

    SHA512

    07c459c26d197734b4ac5a32c0bd224b1af66975cfdc3dfef3be8ec666584e072d0d6d569c4f8951dfe6e5e0b39684213546e18faf76d5208b5da19dd1174dc7

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe

    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPInst64.exe (name matches Microsoft's Driver Package Installer, DPInst; verify this copy's Authenticode signature rather than trusting the name)

    Filesize

    908KB

    MD5

    c3ac43b2018114a617e946aa8fdf3cac

    SHA1

    2d90f38bc995c9cd5efec52109f8bd2468001ca7

    SHA256

    ef6c5fe9f08be67f24c7dfa5c7bc3d69ab4e387e6065602d45ba358289f05117

    SHA512

    8c471a2575751c5995b10859219b979d75c8e8e4496604c0718268d8367790c5bb8e6dd47c735dcecd02a62dbb0d8fbbb70ea1d085ad7b798491a3d831cd9488

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WUDFUpdate_01009.dll (name matches the UMDF 1.9 co-installer shipped with the WDK; verify this copy's signature rather than trusting the name)

    Filesize

    2.1MB

    MD5

    0306a26c0f455a1ca5d862f12cfa4600

    SHA1

    49038288bb6f0e1c27c18f1e0fe51f49f97c1546

    SHA256

    cb4a3bb8768ccc3c48f1324539d0d18ee8cf69ba409328d54cb1d47fa0de737b

    SHA512

    255b1e7acafe948e3d64dbb20e036a7ec98067e4961c14d91aec963b5f1187f17d76393477379f89b1a697589c3214edb2eece633f00c9a6bb1ed3d5821a7524

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\WdfCoInstaller01009.dll (name matches the KMDF 1.9 co-installer shipped with the WDK; verify this copy's signature rather than trusting the name)

    Filesize

    1.7MB

    MD5

    264850cd1b6b7dac95fffb101579caed

    SHA1

    b15f105e4e2088aa7cb632719ff8462a9e080633

    SHA256

    c2b893ef5d49888719491fcea41a5f6f58f1916681f8a7db6c4a2e61c798615c

    SHA512

    843575242ccbdffc1ad353469d5521bcf0f8a572deb0fe9cb283cab50de755ec680a6967d719624e30970b26209bfcb06b892f14af5af73d27cb36fdd012dff9

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\i386\NOTICE.txt

    Filesize

    236B

    MD5

    ea7f2158b930baf2c0fe799566489716

    SHA1

    f103d72fd8ee8240aab21f526ed0e4c8ee3a1525

    SHA256

    a19b767b9ddda7306c78232e4a223d0ba966471b74dce3c0c995307cab5bf7b7

    SHA512

    20351c59a906dff9622625f12e3bbe0b2260999913d4b2f18ec43e66656f1a9251e2462f269c7919f59c89a9b4569d505a095b50d8cfccfe0d37c0abf9ff79cb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\winusbcoinstaller2.dll (name matches the WinUSB co-installer shipped with the WDK; verify this copy's signature rather than trusting the name)

    Filesize

    987KB

    MD5

    c3b28eb02cc804c3886266e6a8f5c123

    SHA1

    bde780d98784c43c148e88243982acbc7854cbe6

    SHA256

    f195cbc0a65c85a26aba8f96b0859819f8d8a7429e1adf197da7221ef1d49502

    SHA512

    a23782dbb06e348ec232d308b44010864361518d6523e0025036c3ad9fe5a00b3cf57670b5c08924f6f1ff09927c0bfbbf33e754078dc508db96ba8c65353844

  • memory/864-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/864-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/864-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/864-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2276-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2276-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2276-41-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2276-18-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2276-19-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3240-48-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3240-30-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3240-28-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB
