Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2024 11:16

General

  • Target

    c3323433ba6de5cdf45210741f2b97229d4cbfa85550cb40c728615483180b11.exe

  • Size

    1.3MB

  • MD5

    ac6203917379e03753adb1a9a34b151b

  • SHA1

    cfeeff5e3883870b91c6a1adebcd771eb520271d

  • SHA256

    c3323433ba6de5cdf45210741f2b97229d4cbfa85550cb40c728615483180b11

  • SHA512

    7407538b36dd2265e6aa3b741ab0e8adc0d92aa282c5bc69b931b41ec8a36f61509fa828454425868a34a0e4714b4a8f6b78091cbbb240bd69b13b5465192147

  • SSDEEP

    24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN+:QHPkVOBTK

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3323433ba6de5cdf45210741f2b97229d4cbfa85550cb40c728615483180b11.exe
    "C:\Users\Admin\AppData\Local\Temp\c3323433ba6de5cdf45210741f2b97229d4cbfa85550cb40c728615483180b11.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1400-0-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB