Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-12-2024 04:21
General
-
Target
2024-12-31_4f0698c5884c1a6ce9a6800504df7e90_hijackloader_icedid_luca-stealer.exe
-
Size
4.9MB
-
MD5
4f0698c5884c1a6ce9a6800504df7e90
-
SHA1
d9e346c9bd10b189d29122d9b74d3131be344a9a
-
SHA256
848ff9842b11b9025e4af88f7b984e6857ce28bed5b7ebf4c344a837ef6ae8f4
-
SHA512
12d2ad15896d630c85779ab6f10396b638338e5a767fd0cb226ea5549bd7852a24da2ce50e8690a110cd40e90c99718a05bfdb4522befc89e651c4d41f80a773
-
SSDEEP
49152:cQZAdVyVT9n/Gg0P+WhogD4FebXsPNIULkmp1/j6AeXZG7wmpvGF1IP9z5WuHC4Q:dGdVyVT9nOgmh8ebXsPN5kiQaZ56
Malware Config
Signatures
-
Detect PurpleFox Rootkit 10 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 11 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 12 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-31_4f0698c5884c1a6ce9a6800504df7e90_hijackloader_icedid_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-31_4f0698c5884c1a6ce9a6800504df7e90_hijackloader_icedid_luca-stealer.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeC:\Users\Admin\AppData\Local\Temp\\svchost.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchos.exeC:\Users\Admin\AppData\Local\Temp\\svchos.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\HD_2024-12-31_4f0698c5884c1a6ce9a6800504df7e90_hijackloader_icedid_luca-stealer.exeC:\Users\Admin\AppData\Local\Temp\HD_2024-12-31_4f0698c5884c1a6ce9a6800504df7e90_hijackloader_icedid_luca-stealer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatforn.exeC:\Windows\SysWOW64\TXPlatforn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240616843.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5fb083acd60fe5c3156dc25442be815e3
SHA161df59b8f3ebd8b3d29ca3aedc4995e23cacf6d8
SHA256f130b3789962d5c8b59aa250d6f26ad5945928f3905b32bf65aa7bd30348a794
SHA5127147337d2c1006bb15cfa967c9eea6826b63c8d343f866e7454d7368d25019f39e52cf179500810834244c3ca9644d6c0df0b2c3128a9051e9ee6b428fa926f6
-
Filesize
1.8MB
MD5f2842235e0f8610026a936a90364887c
SHA1ac2994fb5884007e179a7827c676f732fe26693e
SHA256ed9a176c2b0049cb5e237d40f31c8de07f15955a831699fffc25e7cfc3550eca
SHA512ee0e212ce207186698d368593dca69dfdfd3f6f3a382288233ec1b072dfd589a2dcf871eb169e665208dfbc10500c8be1e9e7b1454b9d9167aed7b724f4d08a6
-
Filesize
93KB
MD53b377ad877a942ec9f60ea285f7119a2
SHA160b23987b20d913982f723ab375eef50fafa6c70
SHA25662954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
-
Filesize
377KB
MD5a4329177954d4104005bce3020e5ef59
SHA123c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA2566156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA51281e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
-
Filesize
50KB
MD5a0c2000c3673df86b4e32147e87cc7f0
SHA1aa20ac5f1f5cf1bc36820ebf4eba898bf32394aa
SHA25645206e4dfbf27b8be67838d0a10b87d7667b5ae31f992dacfba034d9f244c194
SHA512d3a90468382c0d1ba922be237aae2c47e35628890cef5ca6a806c14261ec052020e86c4e2f38b6780a843ebd1c0cad73fc8c85993cdf15719f01635afef31875
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB