Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
17-10-2024 12:08
General
-
Target
980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0.exe
-
Size
4.8MB
-
MD5
ac4122420bae55b084da11e6aa8f9eb7
-
SHA1
fa309fe47913153d750f199900258a02030e736e
-
SHA256
980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0
-
SHA512
97962c52e4e762e20917ed545f798c674e7ee6268e8e56cc3ef2cec58a007bb9caec36f8217aad76124d7b6bf77c0cb5b69d58ff0669e006bc32480c4b247761
-
SSDEEP
49152:gQZAdVyVT9n/Gg0P+Who6MvfKGbXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHCr:pGdVyVT9nOgmh9PGbXsPN5kiQaZ56
Malware Config
Signatures
-
Detect PurpleFox Rootkit 10 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 11 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 8 IoCs
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0.exe"C:\Users\Admin\AppData\Local\Temp\980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\HD_980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0.exeC:\Users\Admin\AppData\Local\Temp\HD_980e21566e7242bea51f88da989363daa885e9727e47037d9493513e422550e0.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259489489.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD5db9ade7526a06ae5427bc5dd83a3f8c2
SHA1fec9d76615fad9f3a15d98eaa1833e3b9848e287
SHA256592db095d2d791521928081e0923614e54be3272516820b7ac1319d33824acbc
SHA512782b6b04b9d1bf6cc30af861e8ca03f711940a4467c768b1ee822996faf14bee3c87aca211c2f298b9e30b0dd7cf3bc053bad153beff2a3192758f66c27cdd9f
-
Filesize
3.1MB
MD5fb083acd60fe5c3156dc25442be815e3
SHA161df59b8f3ebd8b3d29ca3aedc4995e23cacf6d8
SHA256f130b3789962d5c8b59aa250d6f26ad5945928f3905b32bf65aa7bd30348a794
SHA5127147337d2c1006bb15cfa967c9eea6826b63c8d343f866e7454d7368d25019f39e52cf179500810834244c3ca9644d6c0df0b2c3128a9051e9ee6b428fa926f6
-
Filesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize
50KB
MD571a95b811c64abcbfad5444223a3daca
SHA176719e69fc7d8a448736e499bb0fa06555a7c7ee
SHA2568c023104b22c0069d1cb6edcd05c79ab3ca9bd85e73f5858b2b64993c5c71374
SHA5123d1d8ea2a6b5e86465ac8a6fcc7c312176cda7455d58ab823229051195dd5b18cdfb037cbaa9e38458673c4b339ad65cd9e9e28cea26f3ebc982ead4f9f31c95
-
Filesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB