Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ffb2dfa39b...95.exe

windows7-x64

10

ffb2dfa39b...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 00:41 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ffb2dfa39b14502ec6dce8af02afec5c599f733ef22d6b5c28d675000018f195.exe

  • Size

    1.8MB

  • MD5

    efddaac843ebbd74b62abb88b704376f

  • SHA1

    833ae65820b337839aa886ac076cf76d6e93f1c2

  • SHA256

    ffb2dfa39b14502ec6dce8af02afec5c599f733ef22d6b5c28d675000018f195

  • SHA512

    5023f57bc105bdf3a05119a1649e2c2477c1d865781a99f25e9c3ae32d5ef3831ee420657b46f0232b0b55a7a5b53670bebe352c3e303844026c3ab4d9e5e182

  • SSDEEP

    24576:Z09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+N4TpEWQ7z9vFw:Z09XJt4HIN2H2tFvduySCpEWoxvi

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 11 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 11 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ffb2dfa39b14502ec6dce8af02afec5c599f733ef22d6b5c28d675000018f195.exe
    "C:\Users\Admin\AppData\Local\Temp\ffb2dfa39b14502ec6dce8af02afec5c599f733ef22d6b5c28d675000018f195.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5008
    • C:\Users\Admin\AppData\Local\Temp\RVN.exe
      C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1336
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:744

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.190.18.2.in-addr.arpa
    IN PTR
    Response
    196.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-196deploystaticakamaitechnologiescom
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    2.159.190.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    2.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    196.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    196.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Filesize

    377KB

    MD5

    80ade1893dec9cab7f2e63538a464fcc

    SHA1

    c06614da33a65eddb506db00a124a3fc3f5be02e

    SHA256

    57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

    SHA512

    fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

    Download Submit

  • C:\Users\Admin\Desktop\RepairExport.exe
    Filesize

    2.4MB

    MD5

    cbe5d4a1926c42b979f02b29cf23c40c

    SHA1

    b7cc49c2307b01c5b7119acd1c93e36e1315206d

    SHA256

    6ac92f8821382b777876d16e3eff9456e7bbfac674cb0af24af5e675a5db0ee1

    SHA512

    9283b7479a2c64d978d044e43ed11f88f0e79b789314bb87c829c6342159627c0ae6fe871930f5114d97def0aaeabc84f595f3e7d9236f71e85882a227d6d3a7

    Download Submit

  • memory/744-35-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/744-29-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/744-26-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/744-24-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3876-25-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3876-13-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3876-15-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3876-17-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3876-16-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4244-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4244-10-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4244-6-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4244-4-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.