Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2024, 15:59 UTC

General

  • Target

    c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe

  • Size

    4.3MB

  • MD5

    9ea97062269da599a23f3790e42fac71

  • SHA1

    962df0a7a496cb36cf5c1ae45920840ce3c53328

  • SHA256

    c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69

  • SHA512

    0ad91722696880e005274c38f1dee612b145a8b64cda231562736a08451374efcb17d5f951a036d9c32f2e2891be48c0e15e36ed5ccd7b76272d9eb592e860e0

  • SSDEEP

    49152:eCwsbCANnKXferL7Vwe/Gg0P+WhnYeOazv2MRrTIGGiert88NXmckpe9Z:Zws2ANnKXOaeOgmhniMRrTIOe+8

Malware Config

Signatures

  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in System32 directory 6 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe
    "C:\Users\Admin\AppData\Local\Temp\c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2496
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2400
    • C:\Users\Admin\AppData\Local\Temp\HD_c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe
      C:\Users\Admin\AppData\Local\Temp\HD_c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe
      2⤵
      • Executes dropped EXE
      PID:2692
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
      PID:2028
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2440
      • C:\Windows\SysWOW64\Remote Data.exe
        "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259486509.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2628
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -auto
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Windows\SysWOW64\TXPlatfor.exe
        C:\Windows\SysWOW64\TXPlatfor.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:3016

    Network

    • flag-us
      DNS
      hackerinvasion.f3322.net
      Remote Data.exe
      Remote address:
      8.8.8.8:53
      Request
      hackerinvasion.f3322.net
      IN A
      Response
    No results found
    • 8.8.8.8:53
      hackerinvasion.f3322.net
      dns
      Remote Data.exe
      70 B
      131 B
      1
      1

      DNS Request

      hackerinvasion.f3322.net

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HD_X.dat

      Filesize

      2.6MB

      MD5

      7de2590d82ae8c59050f2dcb1cca923b

      SHA1

      4024f8ad6c409ffa06cc8bf9005638a2a06188be

      SHA256

      9cc1f468c514f48932bd9e3f8d2d231d116c46932df7ed0cbd03430c1a72e85c

      SHA512

      46fe5badd9129952384e784c54ca78ac62f1817534472529f301ffe8da59425833fcb6874e9e2de39798eebdac564aa6d6981e22be3ef4c93962c09d550595c2

    • C:\Users\Admin\AppData\Local\Temp\HD_c5be2440e585cbc4de32314cbdae2e904b81e53d45d0597c1c484649615c9d69.exe

      Filesize

      1.7MB

      MD5

      0d46d9218b50532fa25f0fb6490de5d3

      SHA1

      0b5d2a4accfaa282588fa840a636536ac101d907

      SHA256

      4c03dc1ab5d43ff7a78d41a1bdcfae3f2e1590afbe58ac9aa755559a722a279b

      SHA512

      5ec6f0a8a82a9a9ed90bdee4db03edfb962880bdfd87dbf807e99d015ed49ddd8f313d0ebe0bcd752fb9997c403a040c521e46c495a9f3e30d674a540efd84dc

    • \Users\Admin\AppData\Local\Temp\N.exe

      Filesize

      377KB

      MD5

      4a36a48e58829c22381572b2040b6fe0

      SHA1

      f09d30e44ff7e3f20a5de307720f3ad148c6143b

      SHA256

      3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

      SHA512

      5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

    • \Users\Admin\AppData\Local\Temp\R.exe

      Filesize

      941KB

      MD5

      8dc3adf1c490211971c1e2325f1424d2

      SHA1

      4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

      SHA256

      bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

      SHA512

      ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

    • \Windows\SysWOW64\259486509.txt

      Filesize

      899KB

      MD5

      4ee4049635d3555adf65eec955a319b3

      SHA1

      6abe1557a37116adf2d465a7048e2fa03f045ff8

      SHA256

      1eda21833330926882a9455678e7cfb70313cc6bb645fba43eab6f55d761fd7f

      SHA512

      a7d94c1119624280411def4f2cd0a7b5ec91db30ad6f7af398d303bc2311b799a58e1072ac12b1b8a77fd5a32441b14801022f24556bc2a48380ab457c3df919

    • \Windows\SysWOW64\Remote Data.exe

      Filesize

      43KB

      MD5

      51138beea3e2c21ec44d0932c71762a8

      SHA1

      8939cf35447b22dd2c6e6f443446acc1bf986d58

      SHA256

      5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

      SHA512

      794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

    • memory/2880-21-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    • memory/2880-20-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    • memory/2880-19-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    • memory/3016-39-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    • memory/3016-48-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    • memory/3016-49-0x0000000010000000-0x00000000101B6000-memory.dmp

      Filesize

      1.7MB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.