Analysis

  • max time kernel
    1s
  • max time network
    2s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/03/2025, 21:35 UTC

General

  • Target

    f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe

  • Size

    1.2MB

  • MD5

    b47b227c2d8be3a9affe4c26db721b07

  • SHA1

    8dfcb71d2c8b4d7e7592a872b528f8abb083bc76

  • SHA256

    f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6

  • SHA512

    11d62792b0594fdf5ec87588997a84e70dec7c76585a6f6d8aba28bd1167ba2eb229b29a5de6039085547c5b31ee26fd5f1d9c267e2a8be142cf784d27177445

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiJ:WIwgMEuy+inDfp3/XoCw57XYBwKJ

Malware Config

Signatures

  • Detect PurpleFox Rootkit 5 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 6 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Gh0strat family
  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, used to distribute other malware families.

  • Purplefox family
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Drops file in System32 directory 7 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe
    "C:\Users\Admin\AppData\Local\Temp\f46da10546c1175085ad9884da88e7f2ce36d785358e983ff65278d9dbc72fc6.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2712
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2780
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2628
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
        PID:2660
    • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
        (service group name as rendered by the sandbox: GBK bytes shown as CP1252; decoded it reads 主动防御服务模块, "Active Defense Service Module")
      1⤵
        PID:1196
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
        1⤵
        • Loads dropped DLL
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        PID:336
      • C:\Windows\SysWOW64\Ghiya.exe
        C:\Windows\SysWOW64\Ghiya.exe -auto
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Windows\SysWOW64\Ghiya.exe
          C:\Windows\SysWOW64\Ghiya.exe -acsi
          2⤵
          • Executes dropped EXE
          PID:2760

      Network

      • DNS
        cf1549064127.f3322.net
        Remote address: 8.8.8.8:53
        Request: cf1549064127.f3322.net IN A
        Response: No results found
      • 8.8.8.8:53
        cf1549064127.f3322.net
        dns
        68 B sent, 129 B received, 1 request, 1 response
        DNS Request: cf1549064127.f3322.net
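      The process tree and the DNS request above show three behaviours worth turning into hunting rules: cmd.exe using ping as a sleep before deleting its own parent binary (AK74.exe), svchost.exe started with a -k service group that is not a standard Windows group (here a GBK string rendered as mojibake), and a lookup of a host under the f3322.net dynamic-DNS domain. The following is an added example, not part of the sandbox report or of any detection product. It runs the three rules over constructed Sysmon-style process-creation (Event ID 1) and DNS-query (Event ID 22) records that mirror the page; the allowlist of svchost groups, the dynamic-DNS suffix list, the parent image of svchost.exe (services.exe) and the image attributed to the DNS query (Ghiya.exe) are assumptions, not facts taken from the report.

```python
"""Hunting rules derived from this report, applied to constructed Sysmon-style
events. Added example: the records below are hand-written to mirror the process
tree and DNS request on the page; they were not exported from the sandbox."""
import re
from dataclasses import dataclass

# Assumption: site-specific allowlist of legitimate svchost.exe -k groups on Windows 7.
# Build it from a known-good host rather than trusting this starter set.
KNOWN_SVCHOST_GROUPS = {
    "DcomLaunch", "RPCSS", "LocalService", "LocalServiceNoNetwork",
    "LocalServiceNetworkRestricted", "LocalSystemNetworkRestricted",
    "NetworkService", "NetworkServiceNetworkRestricted", "netsvcs",
    "secsvcs", "wcssvc", "WerSvcGroup", "regsvc", "bthsvcs", "imgsvc",
}
# Assumption: starter list of dynamic-DNS zones; the report only shows f3322.net.
DDNS_SUFFIXES = ("f3322.net", "3322.org", "7766.org", "8866.org", "2288.org")

# "ping -n N 127.0.0.1 ... && del <path>": ping as a sleep, then delete.
SELF_DELETE_RE = re.compile(
    r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*&&\s*del\s+\"?(?P<target>[^\s\"&]+)",
    re.IGNORECASE)
# svchost.exe -k <group>, quoted or bare.
SVCHOST_K_RE = re.compile(r'-k\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE)


@dataclass
class Event:
    event_id: int            # 1 = process creation, 22 = DNS query
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    query_name: str = ""


def decode_mojibake(s: str) -> str:
    """Recover GBK text that was displayed as CP1252 (the -k group on this page)."""
    try:
        return s.encode("cp1252").decode("gbk")
    except UnicodeError:
        return s


def check_self_delete(ev: Event):
    """Rule 1: cmd.exe delays with ping, then deletes the binary that spawned it."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\cmd.exe"):
        return None
    m = SELF_DELETE_RE.search(ev.command_line)
    if not m:
        return None
    target = m.group("target")
    if target.lower() == ev.parent_image.lower():
        return f"self-delete: {ev.parent_image} removed its own binary via ping-delayed del"
    return f"delayed delete of {target} by {ev.parent_image}"


def check_svchost_group(ev: Event):
    """Rule 2: svchost.exe -k with a group outside the allowlist (or non-ASCII)."""
    if ev.event_id != 1 or not ev.image.lower().endswith("\\svchost.exe"):
        return None
    m = SVCHOST_K_RE.search(ev.command_line)
    if not m:
        return None
    group = (m.group("q") or m.group("u")).strip()
    if group in KNOWN_SVCHOST_GROUPS:
        return None
    if group.isascii():
        return f"svchost.exe -k with unknown service group {group!r}"
    return (f"svchost.exe -k with non-ASCII service group {group!r} "
            f"(GBK: {decode_mojibake(group)})")


def check_ddns(ev: Event):
    """Rule 3: DNS query for a host under a dynamic-DNS zone."""
    if ev.event_id != 22:
        return None
    name = ev.query_name.lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES):
        return f"DNS query to dynamic-DNS host {name} from {ev.image}"
    return None


def hunt(events):
    """Apply every rule to every event; return the list of finding strings."""
    findings = []
    for ev in events:
        for rule in (check_self_delete, check_svchost_group, check_ddns):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the report (parent of svchost and the image behind
# the DNS query are assumed; the page does not state them).
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\SysWOW64\cmd.exe",
          command_line=r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul "
                       r"&& del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\AK74.exe"),
    Event(1, image=r"C:\Windows\SysWOW64\svchost.exe",
          command_line='C:\\Windows\\SysWOW64\\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"',
          parent_image=r"C:\Windows\System32\services.exe"),
    Event(1, image=r"C:\Windows\System32\svchost.exe",           # benign control
          command_line=r"C:\Windows\System32\svchost.exe -k netsvcs",
          parent_image=r"C:\Windows\System32\services.exe"),
    Event(22, image=r"C:\Windows\SysWOW64\Ghiya.exe", query_name="cf1549064127.f3322.net"),
    Event(22, image=r"C:\Windows\System32\svchost.exe",          # benign control
          query_name="ctldl.windowsupdate.com"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

      Rule 1 keys on the parent-image match rather than on ping alone, since `ping -n` as a sleep is common in benign batch scripts; rule 2 will also flag bare misspellings of a standard group, which is the point, as attackers register their own group under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to get a DLL loaded by a legitimate-looking svchost.exe.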

      MITRE ATT&CK Enterprise v15


      Downloads

      • \Users\Admin\AppData\Local\Temp\AK47.exe

        Filesize

        91KB

        MD5

        423eb994ed553294f8a6813619b8da87

        SHA1

        eca6a16ccd13adcfc27bc1041ddef97ec8081255

        SHA256

        050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

        SHA512

        fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

      • \Users\Admin\AppData\Local\Temp\AK74.exe

        Filesize

        400KB

        MD5

        b0998aa7d5071d33daa5b60b9c3c9735

        SHA1

        9365a1ff0c6de244d6f36c8d84072cc916665d3c

        SHA256

        3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

        SHA512

        308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

      • \Windows\SysWOW64\259440177.txt

        Filesize

        49KB

        MD5

        d1928007e76f6138401084487bd8401d

        SHA1

        7025ed913413ceb854584b5ea7c0a860cb6cdf88

        SHA256

        b62f5cde79dabd73ddb79576685e34fabacfe5e052bf2adc57bf07ca9013c943

        SHA512

        7a935542b30531cabb55a278f9e283090a80592ff639c3a1ce4fc13562e494084206b1c1e76e18ddf6d774b8f98f9d96022032c680205065a405ef104a4434ca

      • memory/2224-0-0x0000000000400000-0x0000000000760000-memory.dmp

        Filesize

        3.4MB

      • memory/2224-1-0x0000000000400000-0x0000000000760000-memory.dmp

        Filesize

        3.4MB

      • memory/2720-28-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB

      • memory/2720-26-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB

      • memory/2720-29-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB

      • memory/2760-49-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB

      • memory/2760-53-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB

      • memory/2760-56-0x0000000010000000-0x00000000101BA000-memory.dmp

        Filesize

        1.7MB
