Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
01-07-2024 04:27
General
-
Target
ef3d13354adca34c32c772582fcc164eac5fea98027e08d29ad91a7e252ac3fc.exe
-
Size
2.6MB
-
MD5
25ceb82bd4d282e3649b12158e8fe97e
-
SHA1
5d56d7d73cf270ab19075c80e757d086d6dfdb48
-
SHA256
ef3d13354adca34c32c772582fcc164eac5fea98027e08d29ad91a7e252ac3fc
-
SHA512
c189900bc61c4607958c9709ebe66d423b7ad142b711fd6baff99f4b19a51c52dc5b6102a16931eac3517513516dacbc3b990bc06c78c701ff653f442c1ff7a3
-
SSDEEP
24576:KCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHA:KCwsbCANnKXferL7Vwe/Gg0P+Whokv
Malware Config
Signatures
-
Detect PurpleFox Rootkit 7 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 6 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ef3d13354adca34c32c772582fcc164eac5fea98027e08d29ad91a7e252ac3fc.exe"C:\Users\Admin\AppData\Local\Temp\ef3d13354adca34c32c772582fcc164eac5fea98027e08d29ad91a7e252ac3fc.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259394562.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
2.6MB
MD525ceb82bd4d282e3649b12158e8fe97e
SHA15d56d7d73cf270ab19075c80e757d086d6dfdb48
SHA256ef3d13354adca34c32c772582fcc164eac5fea98027e08d29ad91a7e252ac3fc
SHA512c189900bc61c4607958c9709ebe66d423b7ad142b711fd6baff99f4b19a51c52dc5b6102a16931eac3517513516dacbc3b990bc06c78c701ff653f442c1ff7a3
-
C:\Users\Admin\AppData\Local\Temp\R.exeFilesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
\Users\Admin\AppData\Local\Temp\N.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
\Windows\SysWOW64\259394562.txtFilesize
899KB
MD57cdfc6568b02aae9503e2c8a65aaa778
SHA1576ef6edf27f2de386c14a38ecd1a3293cef6f4d
SHA2569f221a835982f64c1ea315522c8f16ec3bca01bf1fb4a159ef188fe23453b6d9
SHA5129a525be4c4dd831e738b9ea83cf59399659570bc2e581d2fce132767bae1edde841fb7ff31560eb8689a69f096220d863d043fa9b27eadfe949dfc9eade1edbb
-
\Windows\SysWOW64\Remote Data.exeFilesize
43KB
MD551138beea3e2c21ec44d0932c71762a8
SHA18939cf35447b22dd2c6e6f443446acc1bf986d58
SHA2565ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
-
memory/2092-38-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2092-34-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2092-36-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2092-37-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2092-42-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2092-43-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2572-18-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2572-20-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/2572-21-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB