Analysis

  • max time kernel
    150s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 07:30

General

  • Target

    e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe

  • Size

    1.8MB

  • MD5

    28e427a5b2d44a0dc4e5dbac6291e348

  • SHA1

    623964934635e6d82fcb30e0c128864c9ff36d1c

  • SHA256

    e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6

  • SHA512

    7f77dfe1108c19f4315e950aaa12a93220cd1616d81629099ebda9b4e161fcba14a36e00677cc968a0fb0fabaeb0a4dbd09ae0386f6746ec117a76157bc5a05c

  • SSDEEP

    49152:n09XJt4HIN2H2tFvduyS3pe5gnZPItx2apeapelI:0ZJt4HINy2LkUGatUvlI

Malware Config

Signatures

  • Detect PurpleFox Rootkit 11 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe
    "C:\Users\Admin\AppData\Local\Temp\e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4720
    • C:\Users\Admin\AppData\Local\Temp\HD_e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe
      C:\Users\Admin\AppData\Local\Temp\HD_e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe
      2⤵
      • Executes dropped EXE
      PID:4412
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3716

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    67.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    154.239.44.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    154.239.44.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    154.239.44.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    154.239.44.20.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
    131 B
    1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

    Filesize

    1.2MB

    MD5

    fe7f2b7fdce4caeeefd4e542f52d39f0

    SHA1

    49fd01d152d03eb17796fa69a36d35d7de1cf50d

    SHA256

    17699a58cb84ef5c13dbeef466bd6c09017e5b9b2d9c0084e4b09da89d8aa9d7

    SHA512

    eadabb8b6c0fe16fdc64b3e1379fe3afe0e6e843c353df9eb40259fba4f31f6acb8aa9bc90641e03b7a7ae930db0dfef7f73145d1694aa8a482ba7abeecddce5

  • C:\Users\Admin\AppData\Local\Temp\HD_e615a3adcad4e531b71d760d08e05108fa1c7f96b62511e8e37a29b13f9051e6.exe

    Filesize

    645KB

    MD5

    00eae789b0aab1b0fbd23b830fbf1064

    SHA1

    e4e5fd089f6ae17c83f073cf91edc9db8189980d

    SHA256

    7addb2269266ac471a690802cab54539b40c2ae5b31e2120fdcf8dfb0ed15dc7

    SHA512

    23a0e06b39f8b5a932ae5b8f60704ba265332b341ac8bab5b74b2f31f04ce8c7fe6f77278d70c7685cfa894ab0e25a70d89990f5f643b54c07337f90fa5943fb

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe

    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

  • memory/2260-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2260-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2260-20-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2260-28-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/2260-14-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3184-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3184-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3184-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3184-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3716-29-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3716-35-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3716-34-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

  • memory/3716-30-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.