Analysis

  • max time kernel: 124s
  • max time network: 151s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/12/2024, 20:56

General

  • Target: 2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
  • Size: 4.6MB
  • MD5: e0bfdf2dc967cb0614ae05f4de146e1b
  • SHA1: c32a58bc3bfd426df9000796f91799b4fd7a62de
  • SHA256: 9ae268c84c2dc7ce1fd9c7069cf5ae1de8b3dd681116c28c8d143fe97d482b3a
  • SHA512: a5286e4ccd2b41c884d54f68eb36982e740b68d666167a56ff7671fd71560b97015c3f4f50cda4af5a26c602b62fe03e05099458f4ca20a3040e6b1b04cedb97
  • SSDEEP: 98304:7ws2ANBKXOaeOgmhwWIO0H7+ZUX8ZqvOd/cV/20V5hkgk/J:dYXbeO7gH7d2YVm

Malware Config

Extracted

  • Family: sality
  • C2:
    http://89.119.67.154/testo5/
    http://kukutrustnet777.info/home.gif
    http://kukutrustnet888.info/home.gif
    http://kukutrustnet987.info/home.gif
    http://www.klkjwre9fqwieluoi.info/
    http://kukutrustnet777888.info/

Signatures

  • Detect PurpleFox Rootkit (6 IoCs)

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload (7 IoCs)
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • Modifies firewall policy service (3 TTPs, 3 IoCs)
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

  • Purplefox family
  • Sality

    Sality is a backdoor written in C++, first discovered in 2003.

  • Sality family
  • UAC bypass (3 TTPs, 1 IoCs)
  • Windows security bypass (2 TTPs, 6 IoCs)
  • Drops file in Drivers directory (1 IoCs)
  • Sets service image path in registry (2 TTPs, 1 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Windows security modification (2 TTPs, 7 IoCs)
  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 21 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTPs, 2 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (3 IoCs)
  • UPX packed file (27 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Drops file in Program Files directory (5 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings (1 TTPs, 24 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (14 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (37 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTPs, 1 IoCs)

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1096
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1172
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1208
          • C:\Users\Admin\AppData\Local\Temp\2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
            "C:\Users\Admin\AppData\Local\Temp\2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:604
            • C:\Users\Admin\AppData\Local\Temp\R.exe
              C:\Users\Admin\AppData\Local\Temp\\R.exe
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              PID:3052
            • C:\Users\Admin\AppData\Local\Temp\N.exe
              C:\Users\Admin\AppData\Local\Temp\\N.exe
              3⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
                4⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Suspicious use of WriteProcessMemory
                PID:2600
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 2 127.0.0.1
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:400
            • C:\Users\Admin\AppData\Local\Temp\HD_2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
              C:\Users\Admin\AppData\Local\Temp\HD_2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
                4⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2628
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1508
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2
                    6⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1036
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1424
          • C:\Windows\SysWOW64\TXPlatfor.exe
            C:\Windows\SysWOW64\TXPlatfor.exe -auto
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2580
            • C:\Windows\SysWOW64\TXPlatfor.exe
              C:\Windows\SysWOW64\TXPlatfor.exe -acsi
              2⤵
              • Drops file in Drivers directory
              • Sets service image path in registry
              • Executes dropped EXE
              • Suspicious behavior: LoadsDriver
              • Suspicious use of AdjustPrivilegeToken
              PID:2088
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "1759776916-1299711641473809361883763359-1973734841-1653827117781528128-1508191693"
            1⤵
              PID:2632
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
              1⤵
                PID:2384

Downloads

  • C:\Users\Admin\AppData\Local\Temp\0F773CD2_Rar\2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
    Filesize: 4.5MB
    MD5: b84ec058fc86a6e3c1c56844c7989989
    SHA1: e66bdfcf515b537679a55872b4e7ad79a3e87496
    SHA256: d6e2a33e5247c3ad636653e4c5a29d3d9f206c8294b9c50b849385b0fe01415a
    SHA512: 56d21d2b3d4ecfc2c78a256c3879f8354645d32d49d39e3a2658c89ada74eaf087c9b42d1d0e2b88c9f363a6b33b65c1374d253214af3cbfc2859c064ced5ac9

  • C:\Users\Admin\AppData\Local\Temp\CabE708.tmp
    Filesize: 70KB
    MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
    SHA1: 1723be06719828dda65ad804298d0431f6aff976
    SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
    SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\HD_2024-12-15_e0bfdf2dc967cb0614ae05f4de146e1b_hijackloader_icedid_luca-stealer.exe
    Filesize: 2.2MB
    MD5: cf7135f501fbb7462c332227db639577
    SHA1: 2ccd0071b87c07108bc810b2af84c6c740fa7408
    SHA256: d8d6b518d9f6c9b88ead9744809eea3c64d7c1013d86d59397504a63eecf22d8
    SHA512: 33a7b744416120970da83b25d50c2def2a3e4ff3327a7dbbc4314810bd39f25d902056fa4d121d4c8e56e1a7896e9eecc4109ccc113cd3c1b6265413c3d8e321

  • C:\Users\Admin\AppData\Local\Temp\N.exe
    Filesize: 377KB
    MD5: 4a36a48e58829c22381572b2040b6fe0
    SHA1: f09d30e44ff7e3f20a5de307720f3ad148c6143b
    SHA256: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
    SHA512: 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

  • C:\Users\Admin\AppData\Local\Temp\R.exe
    Filesize: 941KB
    MD5: 8dc3adf1c490211971c1e2325f1424d2
    SHA1: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
    SHA256: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
    SHA512: ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

  • C:\Users\Admin\AppData\Local\Temp\TarCC3.tmp
    Filesize: 181KB
    MD5: 4ea6026cf93ec6338144661bf1202cd1
    SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
    SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
    SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\ieih.exe
    Filesize: 100KB
    MD5: 4798c241c333069294f1cdf110ca89c6
    SHA1: a8571f00d61b06b1233e138dc04ffc12393833c9
    SHA256: b472ab860e56c309289070c1c5180c6668fa6991ea4502f24f926c9cc699acc9
    SHA512: d49adec6834b059c8fcc3d0e1bc50b8c7d6a6b5ca2075a4daf59530ab9da62466594957a939542d0edd636776af98458a298fe2f17770066224d3ca96f614eee

  • \Windows\SysWOW64\259450582.txt
    Filesize: 899KB
    MD5: 8c84fcc1d8e65ea89a9866271528fa2b
    SHA1: 56c2606a349889fcc137870a7d52d2c684459ef2
    SHA256: 0a0186d79effcc6ecc5b9430ece85b4c6edf08b38456fbb52518d155e3499cf9
    SHA512: 4c2275536fccd38f1f475863c00b6e0088485a11d09f16ffb6e2e9db8f2248475ff5eab34421f789af9fa99d3c2a68ffa79b9475a9d9e4ed57075b1c4bbb89c6

  • memory/604-82-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-48-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-29-0x00000000007A0000-0x00000000007A2000-memory.dmp
    Filesize: 8KB
  • memory/604-28-0x00000000007A0000-0x00000000007A2000-memory.dmp
    Filesize: 8KB
  • memory/604-27-0x00000000007B0000-0x00000000007B1000-memory.dmp
    Filesize: 4KB
  • memory/604-25-0x00000000007B0000-0x00000000007B1000-memory.dmp
    Filesize: 4KB
  • memory/604-1-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-24-0x00000000007A0000-0x00000000007A2000-memory.dmp
    Filesize: 8KB
  • memory/604-5-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-14-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-13-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-4-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-7-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-6-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-234-0x0000000000400000-0x000000000068C000-memory.dmp
    Filesize: 2.5MB
  • memory/604-11-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-10-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-9-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-8-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-63-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-91-0x00000000007A0000-0x00000000007A2000-memory.dmp
    Filesize: 8KB
  • memory/604-90-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-61-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-89-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-81-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-0-0x0000000000400000-0x000000000068C000-memory.dmp
    Filesize: 2.5MB
  • memory/604-83-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/604-84-0x0000000002350000-0x00000000033DE000-memory.dmp
    Filesize: 16.6MB
  • memory/1096-17-0x0000000000350000-0x0000000000352000-memory.dmp
    Filesize: 8KB
  • memory/2088-79-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2088-72-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2088-76-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2664-40-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2664-43-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2664-44-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB
  • memory/2664-42-0x0000000010000000-0x00000000101B6000-memory.dmp
    Filesize: 1.7MB