Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
-
submitted
09-02-2025 07:14
General
-
Target
635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe
-
Size
1.3MB
-
MD5
75c351b054babaf553ca7c546efae7f7
-
SHA1
25b0619f3b133309aac7062354f4df81d4b95e3b
-
SHA256
635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10
-
SHA512
af29891879c75074a813cf980ea65d1be74c9f43dfd087a87f419e559b16e943f34a783c81e4ea2156f1e8e019f6bf2664a8751a6654bc1f7f7787938472ba3c
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNe:QHPkVOBTK
Malware Config
Signatures
-
Detect PurpleFox Rootkit 2 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 2 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Downloads MZ/PE file 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 3 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe"C:\Users\Admin\AppData\Local\Temp\635ee63fe0a10f9dc2ee0b8fb21e5af88f791c0cba857ebe907be4de538efd10.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\635EE6~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe"C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe" -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe"C:\ProgramData\Application Data\Microsoft.NET\sainbox.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTdBOTdFQ0YtQzNCQi00MEQ2LUFDMUItRUE5ODFBODhDMEE4fSIgdXNlcmlkPSJ7NTA1NkFEMzctMjQxOS00NTEyLUFCN0YtMjFDRTREN0MwQ0U3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NThGNTBBODAtRkVENi00MEZDLTgzRTEtNDYzODY0MEI1NjVDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU1NzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODAxNjUyMzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTExMDA5NDEwIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5359b1099c5b49a19b757936e989470c7
SHA1dd1872853705ff85c5b6d40cb921f221c8ba4387
SHA256fe08b4c0ac528994aa904505396789f473ad3f578ff28f4ffeb750c697cf3946
SHA512c45501510e9a2c10cb3ab4ac249d3dfcedacfb693bf68f5e784c1d8056ebbba541c09cb0f0570d13d27080bcacf63b021971628498e3675d280167daaf0baef2
-
Filesize
1.6MB
-
Filesize
1.6MB