Analysis Overview
SHA256
de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510
Threat Level: Known bad
The file de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510 was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Blackmoon, KrBanker
Detect PurpleFox Rootkit
Purplefox family
Blackmoon family
Gh0st RAT payload
PurpleFox
Gh0strat family
Detect Blackmoon payload
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Suspicious use of SetThreadContext
Drops file in Program Files directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 15:54
Signatures
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 15:54
Reported
2024-12-30 15:56
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Signatures
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\NetMeeting\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2996 set thread context of 2544 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NetMeeting\svchost.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NetMeeting\svchost.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510.dll,#1
C:\Windows\SysWOW64\svchost.exe
svchost.exe fagahawhawhgawccc
C:\Program Files (x86)\NetMeeting\svchost.exe
"C:\Program Files (x86)\NetMeeting\svchost.exe" -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\svchost.exe > nul
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
Files
C:\Program Files (x86)\NetMeeting\svchost.exe
| MD5 | 54a47f6b5e09a77e61649109c6a08866 |
| SHA1 | 4af001b3c3816b860660cf2de2c0fd3c1dfb4878 |
| SHA256 | 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2 |
| SHA512 | 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 15:54
Reported
2024-12-30 15:56
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\NetMeeting\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3960 set thread context of 2624 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\svchost.exe |
UPX packed file
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NetMeeting\svchost.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NetMeeting\svchost.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\de8f4ece529cfd4938e0a3b8899eb5d2cea7650b8353dbacb30ba1d71b578510.dll,#1
C:\Windows\SysWOW64\svchost.exe
svchost.exe fagahawhawhgawccc
C:\Windows\SysWOW64\svchost.exe
svchost.exe fagahawhawhgawccc
C:\Windows\SysWOW64\svchost.exe
svchost.exe fagahawhawhgawccc
C:\Program Files (x86)\NetMeeting\svchost.exe
"C:\Program Files (x86)\NetMeeting\svchost.exe" -auto
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\svchost.exe > nul
C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Program Files (x86)\NetMeeting\svchost.exe
| MD5 | b7c999040d80e5bf87886d70d992c51e |
| SHA1 | a8ed9a51cc14ccf99b670e60ebbc110756504929 |
| SHA256 | 5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e |
| SHA512 | 71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309 |