Overview

overview

10

Static

static

1

93df5e4b28...aN.exe

windows7-x64

10

93df5e4b28...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93df5e4b28f679af94aa59b4295018981728011747d87a19656b326ba820e6eaN.exe

  • Size

    3.8MB

  • MD5

    2a24bf1bd56f8738574f6cd31b294170

  • SHA1

    6ab7010c6177d51e9aa88ea07444588149b36a52

  • SHA256

    93df5e4b28f679af94aa59b4295018981728011747d87a19656b326ba820e6ea

  • SHA512

    4b13175afabf35c5fa0ee299d8e7295603082d5a52482b48285e98a78451147a8946c816dd8c3bf509152caa8c7c3ccb63d7e295b56ac39be42309947795738a

  • SSDEEP

    98304:ITcOeIdcUP6wg45kHjObfMSDzbF7jo7t1a/l+6F:IceP5kHqN7joR0/lb

Score
10/10
gh0stratpurplefoxdiscoveryratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates connected drives 3 TTPs 45 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93df5e4b28f679af94aa59b4295018981728011747d87a19656b326ba820e6eaN.exe
    "C:\Users\Admin\AppData\Local\Temp\93df5e4b28f679af94aa59b4295018981728011747d87a19656b326ba820e6eaN.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\Windows.msi" /quiet /norestart AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\93df5e4b28f679af94aa59b4295018981728011747d87a19656b326ba820e6eaN.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:384
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 375D96044D00EDFD3B552B138BA66312
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4044
    • C:\Windows\Installer\MSI9475.tmp
      "C:\Windows\Installer\MSI9475.tmp" /HideWindow /dir C:\Users\Public\Documents\WindowsData C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe
        "C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2544
    • C:\Windows\Installer\MSI9476.tmp
      "C:\Windows\Installer\MSI9476.tmp" /HideWindow /dir C:\Users\Public\Documents\WindowsData cmd.exe /c copy "C:\Users\Public\Documents\WindowsData\WindowsPowerShell WbemScripting.SWbemLocator.vbe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsPowerShell WbemScripting.SWbemLocator.vbe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Public\Documents\WindowsData\WindowsPowerShell WbemScripting.SWbemLocator.vbe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsPowerShell WbemScripting.SWbemLocator.vbe"
        3⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e579175.rbs
    Filesize

    21KB

    MD5

    2efad4a64e6bed451c8440d0de567c26

    SHA1

    6d16a2328f9016c19d5e71fdcb03c8bd8bfc97fa

    SHA256

    bdd49c6a35a39b5afa59108f38094973ecebc46903512a70c8c3db995ef0adcd

    SHA512

    277c65dccbbd9b214c98be10bc6d2ad8fb9ba84f5f6d6265c072e9bf0351338e2c519adb8d224585225aab68e0b87dfb48ea38cc1102fa31ff1498ab42c49d87

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows Installl 1.0.0\install\decoder.dll
    Filesize

    120KB

    MD5

    8c00a53e94bf9571f6fea2b36bfa526c

    SHA1

    090bb8ff15e4277c9c85a402a4726179e9bf696d

    SHA256

    333bb1ac355835f781edf467b3ba35ed9a78d9ae658047aab7203e7980fcf060

    SHA512

    313ea8c2634b66147690876fd0af4acb34fe5b15be6450bdb05c1687b58891c32778d41546c042d5861509ffa61a98bddd1bc0b6c94be5812ab7f91936a41bab

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\Irrlicht.dll
    Filesize

    203KB

    MD5

    4abc463313ad03288e790ce129494aa7

    SHA1

    71f8150d675fc5b3d5aae8e5ec0418546acc616a

    SHA256

    eea967af09622e78ad0b9fc4476b3a22a8122b98e4e8e7a3d65e6c8fefd6ccad

    SHA512

    5d4d7b1a53fcbbfb14bfaa51e93bb15cc2523d9c0a7183f7bcf8515818ec6575580a1a298893777f9fe8d42eb086dc9f8602258b473cb73fb9470b99b5c31258

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\NtHandleCallback.exe
    Filesize

    150KB

    MD5

    157b89f140fcdc2fa6d0990a3cf29560

    SHA1

    bcdfb7aaf53ca6cea2b5a75e6c398efe6eb0dab9

    SHA256

    63a34aaf8e991e67032e02de652f1f7a8f746a7bff5f196c507732192b6dcaf1

    SHA512

    26c893e50f6cade2148413ff552418c8f9fac685152b6f1916a74bd8a333cb85026a56afe1cd47e518fdc014f29779372e036a63fe102077b684ec8e6ef3341b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\Server.log
    Filesize

    1.3MB

    MD5

    c6703f866da4ca446cdd53d4a0d2beac

    SHA1

    108f17b8315e8c45db9b7db67426e817025410c5

    SHA256

    86e20be845f0b5945f1f6a486ca549df13ed456775a198b2424ee9ba53cedfc3

    SHA512

    75139e1e7ee202e5600af15e6225590f3d04c8f043a9ef9f9a764a00a06fa638b9d1db7529cbe53f7a1d04a2477c26c3930e08586fd00255bfde63a93c4df352

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\Windows.msi
    Filesize

    538KB

    MD5

    c553a949a5a26e180f02a9d8eb143ddc

    SHA1

    3050b837322540458dc55891244af33179c9a438

    SHA256

    b7ad8fc8160d1c303f1bf72644e6a9f4bb4e4af0114e8af2c17e68eca76f341c

    SHA512

    31673bf7b13a05c980a8129fdcc49043eaa31efcc7100fa7a3f8490b4b749334f406a2ea1429ca0c101c465b802a91ba2d036b65596f39d5141319065a54c077

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\WindowsPowerShell WbemScripting.SWbemLocator.vbe
    Filesize

    1KB

    MD5

    889fca15a3b0c88f5ceec9bb0ed06c80

    SHA1

    ed825a783bf7c7847b30deb182e1c44379148c0b

    SHA256

    46fa50a35bd2336f757504e84cfd0528f424a00efdfbff45b24aadf9760f8164

    SHA512

    bdf81081e4a8d5250916e6da0406ec6c8ab8a48866a61622338f097a651ddf203da844ead8ffeb886d722be315c492fb6163da139aab26abad124c01bb0b300f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\kail.exe
    Filesize

    181KB

    MD5

    ba594acdeeb6d6b6ac64c6fc94270000

    SHA1

    033ad086afd3d1e448ff2ab85fded86184718f77

    SHA256

    36b89921104a1d9a8521349974f48a426b170a0bdc69017c18c7020f18fba58d

    SHA512

    e577d77346167924678257ae6adf4d4a6f435a2c2ba1e4d875aebb842b17c8d378d8953770a1a9e4cac3e74d833f3fc0474549f7c6231d901c4c141f52805009

    Download Submit

  • C:\Users\Admin\AppData\Roaming\microsoft\Windows Installl 1.0.0\install\C456A2E\me.key
    Filesize

    1.0MB

    MD5

    4b220adbc7b838e225cc006be33a86ad

    SHA1

    b9c461da3ada4666413ce7db700e682ca97b14c0

    SHA256

    045e4730e98f713ba89f95bb460b09304f18b47b1d6f3aba0d3cf05b0bd32d93

    SHA512

    b863ba8a797f2637c6f3cd81c076131c5468eaf470c01bf86909afc7a6a4c3bbaa051a83dc731babbabb008c611f1a2cad05507d71da396afa765ff68a81f4c6

    Download Submit

  • C:\Windows\Installer\MSI920E.tmp
    Filesize

    79KB

    MD5

    9a4968fe67c177850163deafec64d0a6

    SHA1

    15b3f837c4f066cface8b3535a88523d20e5ca5c

    SHA256

    441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

    SHA512

    256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

    Download Submit

  • C:\Windows\Installer\MSI931B.tmp
    Filesize

    287KB

    MD5

    30ee500e69f06a463f668522fc789945

    SHA1

    c67a201b59ca2388e8ef060de287a678f1fae705

    SHA256

    849131d9b648070461d0fa90cbf094e3c149643ceab43d0c834b82f48a2ef277

    SHA512

    87a0b5aa28a426a156041f050ac9abce2d25efc70570a829fce3831827dc2a426ca5a85acf672519c3c88b463dcdfa9f20ccef46f0eb07e8d04c4e0d9673246d

    Download Submit

  • C:\Windows\Installer\MSI9476.tmp
    Filesize

    9KB

    MD5

    0979cea9804fbcd758f60649f29d01ea

    SHA1

    999627113e93cdd3bedcde3cd86a0f010fddfe9f

    SHA256

    e5df917742012911d358dcde17a38ff4999020557fee4f1bbffd1db04994e1cf

    SHA512

    bbef1dccde7062c686b6f0018856b2b008bb8af2f68724b9f052cfaa33dec66ae16aabf0df5bf20e94b7ce18ecdb75e71125caa8707e282e2da47ae55b0b936f

    Download Submit

  • memory/2544-86-0x0000000010000000-0x0000000010145000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2544-89-0x00000000022C0000-0x0000000002461000-memory.dmp

    Filesize

    1.6MB

    Download