Overview

overview

10

Static

static

7

3dc27b5f60...8b.dll

windows7-x64

10

3dc27b5f60...8b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/12/2024, 10:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3dc27b5f607a81c065e86bcfa27e35cc48c585fdb62f24bc6a9141460a14698b.dll

  • Size

    430KB

  • MD5

    baeb8abfaa635845ad9934b96f083ca4

  • SHA1

    d3fe86e4805d1d68e97d60106862ae3623dc0415

  • SHA256

    3dc27b5f607a81c065e86bcfa27e35cc48c585fdb62f24bc6a9141460a14698b

  • SHA512

    f344f277a9324494ad8b80c8c90885fee8626aa06b0dcfb0401a39893faee99cfb917fd607dc4ca2acc93147323773f0869f5cabf56bc0d89c49822674779ac5

  • SSDEEP

    12288:q9j8pWxJdNxnSJwu416c9y0wiL7s1T37AVu68VnogfN7oSI:q9I+dGwu13UVb+n3fNG

Score
10/10
gh0stratpurplefoxdiscoveryratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 3 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 3 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc27b5f607a81c065e86bcfa27e35cc48c585fdb62f24bc6a9141460a14698b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\3dc27b5f607a81c065e86bcfa27e35cc48c585fdb62f24bc6a9141460a14698b.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4400
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe fagahawhawhgawccc
        3⤵
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\svchost.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:3440
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 2 127.0.0.1
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:612
  • C:\Program Files (x86)\NetMeeting\svchost.exe
    "C:\Program Files (x86)\NetMeeting\svchost.exe" -auto
    1⤵
    • Executes dropped EXE
    PID:964

Network

  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    85.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    85.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    85.49.80.91.in-addr.arpa
    dns
    70 B
     145 B
     1
    1

    DNS Request

    85.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\NetMeeting\svchost.exe
    Filesize

    45KB

    MD5

    b7c999040d80e5bf87886d70d992c51e

    SHA1

    a8ed9a51cc14ccf99b670e60ebbc110756504929

    SHA256

    5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e

    SHA512

    71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309

    Download Submit

  • memory/2796-6-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-13-0x0000000010000000-0x00000000101A0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2796-12-0x0000000077540000-0x0000000077630000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2796-11-0x0000000077563000-0x0000000077564000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2796-2-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-8-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-7-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-25-0x0000000077540000-0x0000000077630000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2796-9-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-15-0x0000000077540000-0x0000000077630000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2796-3-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-16-0x0000000077540000-0x0000000077630000-memory.dmp

    Filesize

    960KB

    Download

  • memory/2796-14-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-10-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2796-17-0x0000000010000000-0x00000000101A0000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2796-1-0x0000000000400000-0x0000000000543000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4400-0-0x0000000010000000-0x00000000100FE000-memory.dmp

    Filesize

    1016KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.