Analysis
-
max time kernel
20s -
max time network
23s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
09/03/2025, 07:46
Errors
General
-
Target
e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824.exe
-
Size
7.2MB
-
MD5
42c396b9ee536974b4cc0b0f041da800
-
SHA1
da624c1c062636de7bf44037284fc12a190c4fd3
-
SHA256
e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824
-
SHA512
ab435911755ba41bb796352387700a8c22ec8010ff940417861f5325c7d6394b71d21a0adca1a4100352b3751c0f61b84ce6442a8de3fc4f615c23a62a92d108
-
SSDEEP
196608:eKXbeO7T6KlhE9U6476itR+mLPw6lyZY61:z7GKv647n+YlmY2
Malware Config
Signatures
-
Detect PurpleFox Rootkit 8 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 9 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Gh0strat family
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 6 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 18 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824.exe"C:\Users\Admin\AppData\Local\Temp\e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\HD_e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824.exeC:\Users\Admin\AppData\Local\Temp\HD_e825939968d105e0de163dcbfb02c8f278f7d7ef1d949746e291b91b28b3e824.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\5a23a1bf633c1cb2b19d1b\install.exec:\5a23a1bf633c1cb2b19d1b\.\install.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240621328.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3979055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
547KB
MD54138c31964fbcb3b7418e086933324c3
SHA197cc6f58fb064ab6c4a2f02fb665fef77d30532f
SHA256b72056fc3df6f46069294c243fe5006879bf4a9d8eef388369a590ca41745f29
SHA51240cf2f35c3a944fca93d58d66465f0308197f5485381ff07d3065e0f59e94fc3834313068e4e5e5da395413ff2d3d1c3ff6fa050f2256e118972bf21a5643557
-
Filesize
2.9MB
MD50e196508f09c474e950251d67a5a3ca7
SHA18b7a86b0db3b6c9f1c0e0d9c008804208f8d1256
SHA256b280379717ea118b8fa7855222f3c4062ae831bab8d86fd0d2f1b17751ef832a
SHA512cbdc3037479f7d08fa6d7a547003b60936233e127e56f8a4ee06a043365898d018902c2f0e3ddba645870fe92f123cab3de0617b7092a6ae0f85e410ac6f91e9
-
Filesize
4.3MB
MD535da2bf2befd998980a495b6f4f55e60
SHA1470640aa4bb7db8e69196b5edb0010933569e98d
SHA2566b3e4c51c6c0e5f68c8a72b497445af3dbf976394cbb62aa23569065c28deeb6
SHA512bf630667c87b8f10ef85b61f2f379d7ce24124618b999babfec8e2df424eb494b8f1bf0977580810dff5124d4dbdec9539ff53e0dc14625c076fa34dfe44e3f2
-
Filesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
Filesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
Filesize
1KB
MD5a2f30320751f4fdeef1a34d76cd0cb69
SHA14269679e1b7bc509310ed34be7886fb5d946ab69
SHA256fccdd5f99a71314adb7d34b9658fcee6db3ec2ac4501485709ca49711c90308b
SHA512b982b90a36127a385deadce88854f5eda8b4bc2be2c0c7f4f1d2eec162910a8a6a29298ca1937f8b4f0674d8448a75af477560e4f7ca4c7046725b8a8e01b6c9
-
Filesize
899KB
MD581ab0f966ac03845d1a968b3a9b56650
SHA139dd0252feeb168a08ee352284f8a48da749bbf3
SHA2560c73b089c8ef2b4823216183ef3787de117a63848e60705bb8ce785c38f2c09c
SHA512f6b2e8fd7f8653090186033bde89830408bc848f1000a8995d358b4098f51ea498ec58ff64bde03df6671ed09176d8956b190edbb5302f8574374209f6f8b3ec
-
Filesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
Filesize
3.7MB
MD50ee84ab717bc400c5e96c8d9d329fbb0
SHA1be4ba7bbb068c7256b70f4fd7634eaeb2ad04d0a
SHA256461d575bc1a07f64c14f1da885d2f310bd282cbbedcd0a5cf8ffa7057411805d
SHA5124a6b0619f471a51df09fb6c1eff4ed166cdb7ef57f79ffdf709fa952a7c2a176c338084689c8ace1a94024a24579e9ee0ab6d411c25a1b42b0f517c57749d1a2
-
Filesize
3KB
MD5f187c4924020065b61ec9ef8eb482415
SHA1280fc99fb90f10a41461a8ee33dbfba5f02d059d
SHA256cfa4f2c6c2a8f86896c5a6f9a16e81932734136c3dfde6b4ed44735e9c8115c2
SHA5121d5a8e80fb6805577258f87c4efd7c26a9ac1c69f7dea1553d6f26bcc462d2d9c01d4b94077f70110a33b39648c9aa3bb685e10534f19ba832d475e9ee6aa743
-
Filesize
15KB
MD53168ed3b48c1dc8d373c2abc036574cf
SHA17ffbcfb6cd9b262a0e9a55853d76055693f60c60
SHA2563e4d78fcc11eecb23af12a4eaa316114bb36d39561f6062a3921c08a43261321
SHA5129465640705c382bb736e468a2ffb303ecfb2637c55ddca759d1fb190279b98103def64a8c599deaa1439e58c41d7b2c2809332c2a5f18945e9ee3d6c046a5197
-
Filesize
9KB
MD5162fc8231b1bd62f1d24024bb70140d5
SHA17fa4601390f1a69b4824ee1334bee772c2941a24
SHA256c68a0fd93e8c64139a42af4fcd4670c6faea3a5d5d1e9dd35b197f7d5268d92b
SHA512a707b5ef0e914ba61e815be5224831441922ed8d933f7a2ffe8aecf41f5a1790a1e45981f19d86aa5eab5ea73d03b0c8e2ab6b9f398ab0154d1c828da6f6beda
-
Filesize
11KB
MD5c360851dfdf51b6ddc9cfcc62c584898
SHA1f8fbe6b98039d01700dc49eb454bb1c1d8cc4aa6
SHA2563456ebc9c6decef8b27b10d97f7f6d30a73b5da0024e1b8a0657e3b9a1cc93d9
SHA512a340a7d98b4b6f925a803805224e733433e76230a36c4ab17e28f9d5951b81280d776153414701b29bb05b496b726932683e35fb603587d7ff5b716a88fece8d
-
Filesize
13KB
MD504b833156f39fcc4cee4ae7a0e7224a1
SHA12ffa9577a21962532c26819f9f1e8cd71ab396bd
SHA256ebafaeb37464ed00e579dab5b573908e026cd0e3444079f398aada13fa9a6f66
SHA5128d3f6a900ebd63a3af74ab41ac54d3041de5fe47331a5e0d442d1707f72a8f557d93d2f527bbb857fb1c67dd8332961fd69acc87de81ba4f2006c37b575f9608
-
Filesize
5KB
MD5031fab3fb14a85334e7e49d62a5179fe
SHA112370185ef938a791609602245372e3e70db31be
SHA256467773ddffdb3f31027595313b70d1ea934c828b124d1063a4aa4dbe90f15961
SHA5127424a52bbb18a006816ee544d47f660e086557d13bb587d765631307da96aba56d8b9cd3d4e7d50c2a791815273910cef95ebe928bc03dd9c540b97ac7a86447
-
Filesize
5KB
MD56fcd6b5ef928a75655d6be51555288c7
SHA1eafdcc178343780b83f1280dad9d517aaedab9e4
SHA2563d45f022996cd6d9ebb659a202fbfd099795f9a39ed4e6bbd62ac6f6ed5f8c7b
SHA512635ba44d8d8ecfbdb83a88688126f68c9c607e452e67d19247dfe7c307c341dad9b1d2dc3eae56311c4b3e9617ab1ee2bd2a908570df632af6de1e1fa08bf905
-
Filesize
13KB
MD5bc3a8865b60ec692293679e3e400fd58
SHA12b43b69e6158f307fb60c47a70a606cd7e295341
SHA256f82bca639841fa7387ae9bbf9eca33295fab20fade57496e458152068c06f8a3
SHA5120d9820416802623e7cd5539d75871447f665481b81758c08f392f412bc0fd2ef12008be0960c108d1c1ce6f26422f1b16161705104d7a582df6a1006b0d1b610
-
Filesize
3KB
MD5ec4b365a67e7d7db46f095f1b3dcb046
SHA1d4506530b132ef4aad51fcbc0315dadc110c9b81
SHA256744275c515354ece1a997dd510f0b3ea607147bbf2b7d73f8fca61839675ba27
SHA5125e5d1e196fc6ac194589bc6c6ab24e259aed8cbd856999390495fd5ec4211f212c6898e1b63538bfbb4401a5b4da08f3a2e09bca1cfb2e9c2cee38e63190b2a2
-
Filesize
12KB
MD5c2d1221cd1c783b5d58b150f2d51aebf
SHA13bc9b6419a5f9dcf9064ae9ef3a76c699e750a60
SHA256c79ff7b9e67aed57f939343a3d5fd4fb01aa7412530693464571148b893b7132
SHA512c4ec596814b408e3c0aaf98864e2769c6175dba020f3014dd79f0190d81812020c932afca449e6b8b35233f36f2ab2efad0dc8d0d68dccdb40f6715fb1d050b4
-
Filesize
1KB
MD50a6b586fabd072bd7382b5e24194eac7
SHA160e3c7215c1a40fbfb3016d52c2de44592f8ca95
SHA2567912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951
SHA512b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4
-
Filesize
841B
MD5f8f6c0e030cb622f065fe47d61da91d7
SHA1cf6fa99747de8f35c6aea52df234c9c57583baa3
SHA256c16727881c47a40077dc5a1f1ea71cbb28e3f4e156c0ae7074c6d7f5ecece21d
SHA512b70c6d67dac5e6a0dbd17e3bcf570a95914482abad20d0304c02da22231070b4bc887720dbae972bc5066457e1273b68fde0805f1c1791e9466a5ca343485cde
-
Filesize
71KB
MD58c2c1df03574e935277addc6e151bdbe
SHA133f7eae718d6704ea99d7c7803207dbe0d1ea3a0
SHA2561074252f76e72e59a9da9d7e109c80ab131d53554c49cb3d69a180729bffc18e
SHA512735c438da7fd3e4e0e4738ac11c87a73ce3cacbaa24b21994ec76868e70fc485469337eb6e067e20bb92210995ffb3c385677fcc986c4c34f24bfde6b91ba0c8
-
Filesize
90KB
MD56f22a8ecc5a917c61f1478ef4ad53949
SHA1180c370698091e53f203d23eb6c839467deebfb9
SHA2562c5fa53e6eb07bddc22c7c5203ff7bbe707c4cf8803f144ceb031384b59831aa
SHA5128513f09da143983d436368c6067a62f1829d5d66776a168026f7562f8337d8e1bc8df2ff9ab421f4cc7d75757a0e9b8a75f3761c9e8aba7d0785d2fcb1b00a93
-
Filesize
85KB
MD5ff6003014eefc9c30abe20e3e1f5fbe8
SHA14a5bd05f94545f01efc10232385b8fecad300678
SHA256a522c5ea3250cdd538a9ce7b4a06dfd5123e7eb05eef67509f2b975a8e1d3067
SHA5123adc5c705bab7fa7b50517a5eb3301491f5150b56e1088ed436590458e963da204cd1875af75db89742403476a56a94c3f425c05327767bdb4bbee4859667ac2
-
Filesize
91KB
MD54d431f94a7d0945f4a7f13b7988632aa
SHA161461b14b57382eebb3bf4621b7dadb0cb2475b3
SHA256cb38381c0afdcb3465f71699addad7534ffd72702907b017708eba463dbc68b6
SHA512e4197801c20dfce7dc14d5d74aa572de18954dceaaca77a75bf989427c6ff7d5889085e5c325376a993ad290ee43ab25e0f6bea074fed3d5158e0fd4c785aeca
-
Filesize
89KB
MD5ef1ccfe8572cdaaefb1940efbbff6d80
SHA1b1d587c8fdb3ca82c320d08379ca7bd781253e3f
SHA256709ab0139c643b78c2dace7a35b9801e1a4b4e4c4e176c0d00f1b55a2a71d7a8
SHA51298538c82d56b6e0e9f0ca7cf47a6ce57e0acd18b2a64b90304a95a3c7270920efb835731272200afa16e45dfd461df94f95da04f39c2436915dc6969a4a0ebce
-
Filesize
76KB
MD56bfb58958d58bf38e9242b2056392b8c
SHA1f4c4653e061eb903ddae29f0d6a798db6ab5bdf4
SHA256f74006aaa2a19777fb0c3b81321aabf00d87107dc23ba0d2282092502e5cd332
SHA512672727552812c7d7b775896096d556851d6990b2d9c24c0e2c728f6c720b47c156d2ec2ce7ef23126fd222178969aff848f06568f695d154d6f7836ecf222d88
-
Filesize
74KB
MD5ba91e387d54b94689644ebd23ff264ba
SHA1267b0af1774b6440cac00fad6524f277fde09457
SHA25616fed8f279b0240f63dd90925150cd37782e9395af32a2693bdc0533c0809767
SHA51279e818ffc57880a9881d771c0ea607d64a2cbdad29b28a270138d4d03edb8b026e7536e89396968c8454c56c740d198e67a75cac3e2447ca120b7cffefa4c0bd
-
Filesize
87KB
MD59aac6ce2ad6c7aee5481e46ddb0ad0dd
SHA1dabd5e299a4595b1341f47313ac26c663d79a7c4
SHA2563de25f7b3fd91a8d5b7f7dd8eccf44e24b33b66133fc89519d21a426b489374e
SHA51297e00a50d3e8c8954854cc44f36049d63d8f1860e547a511feccf4214ff0560079b5512053aea4c2a40769d58738934d69c1a45186092ff11af1b907395dd126
-
Filesize
70KB
MD5208f1260b7145b19434a8c95ff7c0474
SHA16a0a74affdc8f988873841b7073f428056a8aa5d
SHA256f6d949f493cb9b1ba5ee053acc7363bc9675b9e8b3f25258080092001036e6f4
SHA5122e9cf1ed7944a6246a2f3febee99d0a36759191664e83aee3c14424b64785a134fe9c50e9e5deaaab1095ae298a2f49aac2037f64a127d250af973a077a7e03a
-
Filesize
90KB
MD5dbbe392a7536c76ec60a21e211eb3210
SHA1e1cead8b1e0fd41e9ed79f4921c5e40c2d739dda
SHA2568de447ae460de91144ec92381c8315a125b25020ac7601bbb721d56a92d0fd0f
SHA512f725bc786076947874cc58b9591445064b3f133c75865bb1d661e95f29f1a9556447ee3f385a38f9438561e35e6cfa8208dbc938d3304c415cc25ed85c29f15d
-
Filesize
222KB
MD57e641e6a0b456271745c20c3bb8a18f9
SHA1ae6cedcb81dc443611a310140ae4671789dbbf3a
SHA25634c5e7d7ea270ee67f92d34843d89603d6d3b6d9ef5247b43ae3c59c909d380d
SHA512f67d6bf69d094edcc93541332f31b326131ff89672edb30fd349def6952ad8bfd07dc2f0ca5967b48a7589eee5b7a14b9a2c1ebe0cba4ae2324f7957090ea903
-
Filesize
5KB
MD506fba95313f26e300917c6cea4480890
SHA131beee44776f114078fc403e405eaa5936c4bc3b
SHA256594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1
SHA5127dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB
