Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 04:38
Static task: static1
Behavioral task: behavioral1
Sample: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
Resource: win7-20240221-en
General
- Target: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
- Size: 7.1MB
- MD5: 53b97e44b1a8618188aea0d9b08d6794
- SHA1: 5c75fa722576d93ecea72dd5323be8bcf69ae71b
- SHA256: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8
- SHA512: 089503240bc5326ba2772508ccebf108f875578a6e9cef19d380a7aa39f5336eabcd3f015353a510232255cce3f3242e3ccd532e3791bb3a58bf468251a8ce59
- SSDEEP: 98304:bZJt4HINy2LkeeJJUAg8CUSEvP40DvHRtsHYeWA:diINy2LkeCfk4e
Malware Config
Signatures

-
Processes:
resource | yara_rule
behavioral2/memory/1524-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1524-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1524-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3940-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3940-23-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1340-24-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3940-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3940-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1340-29-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1340-32-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1340-35-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

- Gh0st RAT payload (11 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1524-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1524-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1524-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3940-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3940-23-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1340-24-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3940-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3940-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1340-29-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1340-32-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1340-35-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat

- Drops file in Drivers directory (1 IoCs)
Processes: TXPlatforn.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

- Sets service image path in registry (2 TTPs, 1 IoCs)
Processes: TXPlatforn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe

- Executes dropped EXE (4 IoCs)
Processes: RVN.exe, TXPlatforn.exe, TXPlatforn.exe, HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
pid | process
1524 | RVN.exe
3940 | TXPlatforn.exe
1340 | TXPlatforn.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

-
Processes:
resource | yara_rule
behavioral2/memory/1524-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1524-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1524-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1524-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3940-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3940-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3940-23-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1340-24-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3940-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3940-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1340-29-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1340-32-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1340-35-0x0000000010000000-0x00000000101B6000-memory.dmp | upx

- Drops file in System32 directory (2 IoCs)
Processes: RVN.exe
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe

- Drops file in Program Files directory (5 IoCs)
Processes: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

- Runs ping.exe (1 TTPs, 1 IoCs)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
pid | process
2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

- Suspicious behavior: LoadsDriver (1 IoCs)
Processes: TXPlatforn.exe
pid | process
1340 | TXPlatforn.exe

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: RVN.exe, TXPlatforn.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1524 | RVN.exe
Token: SeLoadDriverPrivilege | 1340 | TXPlatforn.exe
Token: 33 | 1340 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1340 | TXPlatforn.exe
Token: 33 | 1340 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1340 | TXPlatforn.exe

- Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
pid | process
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

- Suspicious use of SendNotifyMessage (4 IoCs)
Processes: HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
pid | process
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe, HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
pid | process
2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
4400 | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
Processes: d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe, RVN.exe, TXPlatforn.exe, cmd.exe
description | pid | process | target process
PID 2112 wrote to memory of 1524 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | RVN.exe
PID 2112 wrote to memory of 1524 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | RVN.exe
PID 2112 wrote to memory of 1524 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | RVN.exe
PID 1524 wrote to memory of 4776 | 1524 | RVN.exe | cmd.exe
PID 1524 wrote to memory of 4776 | 1524 | RVN.exe | cmd.exe
PID 1524 wrote to memory of 4776 | 1524 | RVN.exe | cmd.exe
PID 3940 wrote to memory of 1340 | 3940 | TXPlatforn.exe | TXPlatforn.exe
PID 3940 wrote to memory of 1340 | 3940 | TXPlatforn.exe | TXPlatforn.exe
PID 3940 wrote to memory of 1340 | 3940 | TXPlatforn.exe | TXPlatforn.exe
PID 2112 wrote to memory of 4400 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
PID 2112 wrote to memory of 4400 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
PID 2112 wrote to memory of 4400 | 2112 | d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe | HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
PID 4776 wrote to memory of 4168 | 4776 | cmd.exe | PING.EXE
PID 4776 wrote to memory of 4168 | 4776 | cmd.exe | PING.EXE
PID 4776 wrote to memory of 4168 | 4776 | cmd.exe | PING.EXE
Processes

- [depth 1] C:\Users\Admin\AppData\Local\Temp\d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory

      - [depth 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe

  - [depth 2] C:\Users\Admin\AppData\Local\Temp\HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx

- [depth 1] C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  - [depth 2] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.1MB
  MD5: 6352922c914a01545eca32203bc93552
  SHA1: 10b8445ba32c7467e4b218ea8deb4dcf6a402438
  SHA256: 9105acf455043aceeaac22120ec00682a23515460f226481c526ab131ec8acc4
  SHA512: b2f89b5840c37b73b926121e23da24420c95621fc060a27e8533ca364af88288c7773bb1b67363e093ededed7b0404529fadbff725b162a740a7f79802ca3694

- C:\Users\Admin\AppData\Local\Temp\HD_d79419c4436bd9a4f87287e0a6f6be9cc3e840f92a9c3a33360f3cc54fcfc1e8.exe
  Filesize: 6.0MB
  MD5: 5d6e7d23fd3a96d81ed5c37bbee6165c
  SHA1: 0253e1a726f5307c13316902d9e53e6eff23342b
  SHA256: 838634973ba6ad554775d81a4dce7a0e3a41fcade6e034191c61aa48e8905677
  SHA512: 9e3ff621effefa360d299062bd414ca58b9ca4ecb1dceb36a614e2b58d4008cebfd4432f3b01abf0e6dab431033627cf86f69e344169b399dc58cada6f514b62

- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

- memory/1340-29-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1340-24-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1340-32-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1340-35-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1524-6-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1524-10-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1524-7-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/1524-4-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/3940-13-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/3940-15-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/3940-23-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/3940-17-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB

- memory/3940-16-0x0000000010000000-0x00000000101B6000-memory.dmp
  Filesize: 1.7MB