Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
09/02/2025, 07:14
General
-
Target
635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe
-
Size
1.3MB
-
MD5
75c351b054babaf553ca7c546efae7f7
-
SHA1
25b0619f3b133309aac7062354f4df81d4b95e3b
-
SHA256
635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10
-
SHA512
af29891879c75074a813cf980ea65d1be74c9f43dfd087a87f419e559b16e943f34a783c81e4ea2156f1e8e019f6bf2664a8751a6654bc1f7f7787938472ba3c
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNe:QHPkVOBTK
Malware Config
Signatures
-
Detect PurpleFox Rootkit 2 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 4 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe"C:\Users\Admin\AppData\Local\Temp\635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\635EE6~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe"C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe" -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe"C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5359b1099c5b49a19b757936e989470c7
SHA1dd1872853705ff85c5b6d40cb921f221c8ba4387
SHA256fe08b4c0ac528994aa904505396789f473ad3f578ff28f4ffeb750c697cf3946
SHA512c45501510e9a2c10cb3ab4ac249d3dfcedacfb693bf68f5e784c1d8056ebbba541c09cb0f0570d13d27080bcacf63b021971628498e3675d280167daaf0baef2
-
Filesize
1.6MB
-
Filesize
1.6MB