Overview

overview

10

Static

static

7

3e6c3a0536...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/04/2025, 06:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3e6c3a0536fa8be8afecf727006d9465f142240aac22c137279ca4aa717fa497.exe

  • Size

    1.2MB

  • MD5

    4ec47043dc7edf196b1cb790d4740ec0

  • SHA1

    1951885af368fe342ce044762f5566e052912c05

  • SHA256

    3e6c3a0536fa8be8afecf727006d9465f142240aac22c137279ca4aa717fa497

  • SHA512

    7e327de2428e850d9ca045370a0f19261d6844b198ecf5c5d36da40e8b7e3116c0c3baf4cc3ae068c49c1db4ea1a0cf9b29e085e10f79bf3c971706861e7473f

  • SSDEEP

    24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiC:WIwgMEuy+inDfp3/XoCw57XYBwKC

Score
10/10
gh0stratpurplefoxdiscoverypersistenceratrootkittrojanupxvmprotect

Malware Config

Signatures

  • Detect PurpleFox Rootkit 7 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 8 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • Drops file in Drivers directory 1 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 4 IoCs
  • VMProtect packed file 11 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 10 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e6c3a0536fa8be8afecf727006d9465f142240aac22c137279ca4aa717fa497.exe
    "C:\Users\Admin\AppData\Local\Temp\3e6c3a0536fa8be8afecf727006d9465f142240aac22c137279ca4aa717fa497.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      2⤵
      • Server Software Component: Terminal Services DLL
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:2304
    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:4308
    • C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:5896
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4504
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:6068
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    1⤵
      PID:4792
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
      1⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
        C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240603515.txt",MainThread
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1092
    • C:\Windows\SysWOW64\Ghiya.exe
      C:\Windows\SysWOW64\Ghiya.exe -auto
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5156
      • C:\Windows\SysWOW64\Ghiya.exe
        C:\Windows\SysWOW64\Ghiya.exe -acsi
        2⤵
        • Drops file in Drivers directory
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        PID:4444
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5052
        • C:\Users\Admin\AppData\Local\Temp\AK47.exe
          "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
          3⤵
          • Server Software Component: Terminal Services DLL
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          PID:2436
        • C:\Users\Admin\AppData\Local\Temp\AK47.exe
          C:\Users\Admin\AppData\Local\Temp\\AK47.exe
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          PID:548
        • C:\Users\Admin\AppData\Local\Temp\AK74.exe
          C:\Users\Admin\AppData\Local\Temp\\AK74.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5612
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Suspicious use of WriteProcessMemory
            PID:4588
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 127.0.0.1
              5⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4196
    • C:\Windows\SysWOW64\Ghiya.exe
      C:\Windows\SysWOW64\Ghiya.exe -auto
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\Ghiya.exe
        C:\Windows\SysWOW64\Ghiya.exe -acsi
        2⤵
        • Executes dropped EXE
        PID:2332

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AK47.exe
      Filesize

      91KB

      MD5

      423eb994ed553294f8a6813619b8da87

      SHA1

      eca6a16ccd13adcfc27bc1041ddef97ec8081255

      SHA256

      050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

      SHA512

      fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AK74.exe
      Filesize

      400KB

      MD5

      b0998aa7d5071d33daa5b60b9c3c9735

      SHA1

      9365a1ff0c6de244d6f36c8d84072cc916665d3c

      SHA256

      3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

      SHA512

      308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
      Filesize

      92B

      MD5

      29ce53e2a4a446614ccc8d64d346bde4

      SHA1

      39a7aa5cc1124842aa0c25abb16ea94452125cbe

      SHA256

      56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

      SHA512

      b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
      Filesize

      753B

      MD5

      319d5d19994b6887bbc0caebddbe2101

      SHA1

      45e5d98f1c9cd1c45c089eafabce4240df75159a

      SHA256

      ec5d4a6ef3641a2081083db862c8f331130af72806f4fea54d769c4d50d12a18

      SHA512

      9f9a7042c3cbd537e80dc68688062f032fa9a0298c385e6bda72c36627a41e6ff952640965b6317c6ca52de66b668927888d9852ff88402dd72253d6c049f092

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
      Filesize

      1.2MB

      MD5

      f91d6def22e394919636087f6cdcf648

      SHA1

      b942e5d7e695ff0deb66ece0560c5664c6e9372b

      SHA256

      ee64b75b74cb53812287c75a331e21778986fc09a8b9ca97801ee29cc78bfa18

      SHA512

      46a0e01df21378a4463cf827d82542d22a7d69721c24b11630385b1cb38a6deba596f8cdf8736e742f73681250d6d6831ba0171d8a883c55971af6a2d65650d9

      Download Submit

    • C:\Windows\SysWOW64\240603515.txt
      Filesize

      49KB

      MD5

      843c7b4ee5b5430f254088e9a137ecc1

      SHA1

      cc27a0f221cfe66e9a2306832366879e556761cd

      SHA256

      c4ba374d9f2f6897fa6bac103d51c2754170049dbb63020d9307f53f4886f6b1

      SHA512

      4b79db9fae6fe5bd6da17bd3914d23c84a2bcd57313a7742c0173925f48ba152f1d07e367ed7b14c6fddd6d946fabc9903cc1ec85f9ca04cb12a490415b7a70a

      Download Submit

    • C:\Windows\SysWOW64\ini.ini
      Filesize

      45B

      MD5

      fa54cdf2017ed7890bda53ff26c491af

      SHA1

      1a5448e6387c2adfbfd7bf4e3a342dfb7d1d5d32

      SHA256

      656a4059efab84150a01a51ad785a7af8fd524f2da114fe4e6303c18d5d05099

      SHA512

      d125c6a3ad9666d38089e9bd51c358fb515985f4afe2c07afcb062d5fe0dce34878c80d38b4abf901ba35974a5ad2eb3f536e6d08fee3af409d9f7331f2d6ab6

      Download Submit

    • C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      Filesize

      60KB

      MD5

      889b99c52a60dd49227c5e485a016679

      SHA1

      8fa889e456aa646a4d0a4349977430ce5fa5e2d7

      SHA256

      6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

      SHA512

      08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

      Download Submit

    • memory/2668-31-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-30-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/2668-28-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/3196-115-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-131-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-128-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-125-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-1-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-122-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-0-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-118-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3196-111-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4444-55-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4444-54-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/4444-50-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/5052-106-0x0000000000400000-0x0000000000760000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/5156-39-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/5156-40-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download

    • memory/5156-38-0x0000000010000000-0x00000000101BA000-memory.dmp

      Filesize

      1.7MB

      Download