Overview

overview

10

Static

static

3

891a8f1284...45.exe

windows7-x64

10

891a8f1284...45.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23/01/2025, 23:46 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    891a8f128440e08a34379b6b9c0674dd2600d82efe911136c5ce001bbb695e45.exe

  • Size

    1.8MB

  • MD5

    94bbf82d89ccb6b454a3fe7db782a998

  • SHA1

    e92f16d611e82e471d763a4a8f4fcb9421baf769

  • SHA256

    891a8f128440e08a34379b6b9c0674dd2600d82efe911136c5ce001bbb695e45

  • SHA512

    5ec961bdfc6c7a0465ff8bc5fe2f9cddc69795a08123a654226f1b42c31dd64f2aaca188088f57e779ce2518764378fd5d9f48f327ca6cf5c5ba23c0fa1c7180

  • SSDEEP

    24576:7QZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cV0Tdy764qNGg7MQT:7QZAdVyVT9n/Gg0P+WhoC64qNp7

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupx

Malware Config

Signatures

  • Detect PurpleFox Rootkit 9 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 10 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\891a8f128440e08a34379b6b9c0674dd2600d82efe911136c5ce001bbb695e45.exe
    "C:\Users\Admin\AppData\Local\Temp\891a8f128440e08a34379b6b9c0674dd2600d82efe911136c5ce001bbb695e45.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2572
    • C:\Users\Admin\AppData\Local\Temp\svchos.exe
      C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2608
  • C:\Windows\SysWOW64\TXPlatforn.exe
    C:\Windows\SysWOW64\TXPlatforn.exe -auto
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\SysWOW64\TXPlatforn.exe
      C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:3060

Network

  • flag-us
    DNS
    hackerinvasion.f3322.net
    TXPlatforn.exe
    Remote address:
    8.8.8.8:53
    Request
    hackerinvasion.f3322.net
    IN A
    Response
No results found
  • 8.8.8.8:53
    hackerinvasion.f3322.net
    dns
    TXPlatforn.exe
    70 B
     131 B
     1
    1

    DNS Request

    hackerinvasion.f3322.net

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\HD_X.dat
    Filesize

    1.8MB

    MD5

    94bbf82d89ccb6b454a3fe7db782a998

    SHA1

    e92f16d611e82e471d763a4a8f4fcb9421baf769

    SHA256

    891a8f128440e08a34379b6b9c0674dd2600d82efe911136c5ce001bbb695e45

    SHA512

    5ec961bdfc6c7a0465ff8bc5fe2f9cddc69795a08123a654226f1b42c31dd64f2aaca188088f57e779ce2518764378fd5d9f48f327ca6cf5c5ba23c0fa1c7180

    Download Submit

  • \Users\Admin\AppData\Local\Temp\svchos.exe
    Filesize

    93KB

    MD5

    3b377ad877a942ec9f60ea285f7119a2

    SHA1

    60b23987b20d913982f723ab375eef50fafa6c70

    SHA256

    62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

    SHA512

    af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    377KB

    MD5

    a4329177954d4104005bce3020e5ef59

    SHA1

    23c29e295e2dbb8454012d619ca3f81e4c16e85a

    SHA256

    6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

    SHA512

    81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

    Download Submit

  • \Windows\SysWOW64\259455293.txt
    Filesize

    50KB

    MD5

    b2e60e1346bdc784f6849574591b33a4

    SHA1

    0d12b5209d26d09213e758fff531f4c7692bae48

    SHA256

    6ad5b5bf58de0b4b75495e8b88976eb3823c2cad7112009aab433652ac1e5204

    SHA512

    123ad43bf1cd7ee1befd68dea9f83f9c6968b0f65ef84afc29acaf6495f1f16745a0f2426ae30ded1026061f1dd5394a6bba23b4b1010fcec9dfb0892880ee09

    Download Submit

  • memory/2740-18-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2740-32-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3060-34-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3060-31-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3060-37-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3060-75-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3064-23-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3064-12-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3064-7-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/3064-5-0x0000000010000000-0x00000000101B6000-memory.dmp

    Filesize

    1.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.