Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14/01/2025, 16:48 UTC

General

  • Target

    712e2738590085a6d437f93799d422fb8498ab2ddae5769db3fbca77e32076b2.exe

  • Size

    539KB

  • MD5

    684cde79fb89775b4d4687381206503b

  • SHA1

    d3f436fbb2e22e05e6ba8142c4d024456c71e48b

  • SHA256

    712e2738590085a6d437f93799d422fb8498ab2ddae5769db3fbca77e32076b2

  • SHA512

    0a69a356e0a816e14b9c6942b51e989383dfd0186edc2877b8dc8d0e012d9179c06b19c03413c7acbf7735c3cc50812811b0b522b69bf21c893786563bf05979

  • SSDEEP

    12288:+hymnwJFPNdgBAEHApqePJN1AmLM7uVq9sSX:+Umwrl2Ao7sJNlM7ymsS

Malware Config

Signatures

  • Detect PurpleFox Rootkit 6 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Purplefox family
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX variant.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\712e2738590085a6d437f93799d422fb8498ab2ddae5769db3fbca77e32076b2.exe
    "C:\Users\Admin\AppData\Local\Temp\712e2738590085a6d437f93799d422fb8498ab2ddae5769db3fbca77e32076b2.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\712E27~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1108
  • C:\Windows\SysWOW64\Meume.exe
    C:\Windows\SysWOW64\Meume.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\SysWOW64\Meume.exe
      C:\Windows\SysWOW64\Meume.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:776

Network

  • flag-us
    DNS
    wka1.e2.luyouxia.net
    Meume.exe
    Remote address:
    8.8.8.8:53
    Request
    wka1.e2.luyouxia.net
    IN A
    Response
    wka1.e2.luyouxia.net
    IN CNAME
    e2.luyouxia.net
    e2.luyouxia.net
    IN A
    123.99.198.201
    e2.luyouxia.net
    IN A
    123.99.200.172
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    68.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    8.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.153.16.2.in-addr.arpa
    IN PTR
    Response
    8.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-8.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    260 B
    5
  • 123.99.198.201:8080
    wka1.e2.luyouxia.net
    Meume.exe
    156 B
    3
  • 8.8.8.8:53
    wka1.e2.luyouxia.net
    dns
    Meume.exe
    66 B
    112 B
    1
    1

    DNS Request

    wka1.e2.luyouxia.net

    DNS Response

    123.99.198.201
    123.99.200.172

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    68.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    68.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    8.153.16.2.in-addr.arpa
    dns
    69 B
    131 B
    1
    1

    DNS Request

    8.153.16.2.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    171.39.242.20.in-addr.arpa

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\SysWOW64\Meume.exe

    Filesize

    539KB

    MD5

    684cde79fb89775b4d4687381206503b

    SHA1

    d3f436fbb2e22e05e6ba8142c4d024456c71e48b

    SHA256

    712e2738590085a6d437f93799d422fb8498ab2ddae5769db3fbca77e32076b2

    SHA512

    0a69a356e0a816e14b9c6942b51e989383dfd0186edc2877b8dc8d0e012d9179c06b19c03413c7acbf7735c3cc50812811b0b522b69bf21c893786563bf05979

  • memory/776-29-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/776-39-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/2024-0-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/2024-1-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

  • memory/2024-19-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/3840-11-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB

  • memory/3840-12-0x0000000010000000-0x000000001019F000-memory.dmp

    Filesize

    1.6MB

  • memory/3840-22-0x0000000000400000-0x0000000000547000-memory.dmp

    Filesize

    1.3MB
