Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2024, 15:41 UTC

General

  • Target

    57e44f34c18de50d0967b6092455046221f2f5aa9ed2c404e00a5734c1850900.exe

  • Size

    1.3MB

  • MD5

    425b8f406711fdbcdf2153565dda2df1

  • SHA1

    19d60d32f6924e12dc33d800657be814e1b9f4b2

  • SHA256

    57e44f34c18de50d0967b6092455046221f2f5aa9ed2c404e00a5734c1850900

  • SHA512

    6601e9d377575497c76b4af875d9715d0119b3c0f0a88be0869a8c390ef2353452dc4d2ebe8d32a59b825804f22b3f8a22f4d449d54e418706daaa985f6da40f

  • SSDEEP

    24576:5OyHutimZ9VSly2hVvHW6qMnSbTBBhBMNV:0HPkVOBTK

Malware Config

Signatures

  • Detect PurpleFox Rootkit 2 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 2 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies data under HKEY_USERS 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57e44f34c18de50d0967b6092455046221f2f5aa9ed2c404e00a5734c1850900.exe
    "C:\Users\Admin\AppData\Local\Temp\57e44f34c18de50d0967b6092455046221f2f5aa9ed2c404e00a5734c1850900.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\57E44F~1.EXE > nul
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2604
  • C:\Program Files (x86)\AppPatch\Dtldt.exe
    "C:\Program Files (x86)\AppPatch\Dtldt.exe" -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Program Files (x86)\AppPatch\Dtldt.exe
      "C:\Program Files (x86)\AppPatch\Dtldt.exe" -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:2708

Network

  • flag-us
    DNS
    hk-3.lcf.icu
    Dtldt.exe
    Remote address:
    8.8.8.8:53
    Request
    hk-3.lcf.icu
    IN A
    Response
    hk-3.lcf.icu
    IN A
    156.224.77.75
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    152 B
    3
  • 156.224.77.75:8080
    hk-3.lcf.icu
    Dtldt.exe
    104 B
    2
  • 8.8.8.8:53
    hk-3.lcf.icu
    dns
    Dtldt.exe
    58 B
    74 B
    1
    1

    DNS Request

    hk-3.lcf.icu

    DNS Response

    156.224.77.75

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\AppPatch\Dtldt.exe

    Filesize

    11.3MB

    MD5

    4d27765fc723b1dee9216db931925caa

    SHA1

    21e9c439faafa751f2c2ad53cbe8feac9f255513

    SHA256

    9dc0a02861c4b8c90fad773d4521acb187a39f251cc7e984f6ecf94b40c883c3

    SHA512

    3d898c8d3879262eccfbf5f796ba3a4090d085b2803be8468455bbc95f3c4734b48839c3fbf9cbad3af59548e4dfc1e3d58c94d4c0e6a6d68d70aeb74a024e4d

  • memory/2224-0-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

  • memory/2708-19-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.