gh0strat | 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c

Analysis

max time kernel
157s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Size

2.0MB
MD5

c37ec28ac7d470aec71fbf5292cc29af
SHA1

bcaea4cd253a461bccde525a98a786b0fa1727c9
SHA256

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c
SHA512

7edcdafdd29f653a96e9d1da440769d4c17a91afb494f963da714273a05dc5d60e0ae1cbc460412ca09a3a59536647bd48557a829f93b62da94298eacde4cb7e
SSDEEP

49152:zQZAdVyVT9n/Gg0P+WhozpeLEZPItx2apeapelI:0GdVyVT9nOgmhDLltUvlI

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2304-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2304-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2304-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2592-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2592-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2592-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1856-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1856-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1856-31-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2592-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1856-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2304-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2304-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2304-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2592-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2592-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2592-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1856-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1856-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1856-31-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2592-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
C:\Windows\SysWOW64\240657062.txt	family_gh0strat
behavioral2/memory/1856-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatforn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Executes dropped EXE 5 IoCs

Processes:

svchost.exeTXPlatforn.exeTXPlatforn.exesvchos.exeHD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid process

2304 svchost.exe
2592 TXPlatforn.exe
1856 TXPlatforn.exe
3780 svchos.exe
976 HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Loads dropped DLL 1 IoCs

Processes:

svchos.exe

pid process

3780 svchos.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

pid	process
2304	svchost.exe
2592	TXPlatforn.exe
1856	TXPlatforn.exe
3780	svchos.exe
976	HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid	process
3780	svchos.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2304-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2304-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2304-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2304-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2592-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2592-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2592-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2592-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1856-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1856-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1856-31-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2592-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1856-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

svchost.exesvchos.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	svchost.exe
File created	C:\Windows\SysWOW64\240657062.txt	svchos.exe

Drops file in Program Files directory 5 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4572 3780 WerFault.exe svchos.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5112 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid process

4404 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
4404 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1856 TXPlatforn.exe

pid	pid_target	process	target process
4572	3780	WerFault.exe	svchos.exe

pid	process
5112	PING.EXE

pid	process
4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid	process
1856	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2304	svchost.exe
Token: SeLoadDriverPrivilege	1856	TXPlatforn.exe
Token: 33	1856	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1856	TXPlatforn.exe
Token: 33	1856	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1856	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid process

4404 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
4404 8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

pid	process
4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exesvchost.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 4404 wrote to memory of 2304	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 4404 wrote to memory of 2304	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 4404 wrote to memory of 2304	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchost.exe
PID 2304 wrote to memory of 2060	2304	svchost.exe	cmd.exe
PID 2304 wrote to memory of 2060	2304	svchost.exe	cmd.exe
PID 2304 wrote to memory of 2060	2304	svchost.exe	cmd.exe
PID 2592 wrote to memory of 1856	2592	TXPlatforn.exe	TXPlatforn.exe
PID 2592 wrote to memory of 1856	2592	TXPlatforn.exe	TXPlatforn.exe
PID 2592 wrote to memory of 1856	2592	TXPlatforn.exe	TXPlatforn.exe
PID 4404 wrote to memory of 3780	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 4404 wrote to memory of 3780	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 4404 wrote to memory of 3780	4404	8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe	svchos.exe
PID 2060 wrote to memory of 5112	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 5112	2060	cmd.exe	PING.EXE
PID 2060 wrote to memory of 5112	2060	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
"C:\Users\Admin\AppData\Local\Temp\8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\\svchost.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:5112

C:\Users\Admin\AppData\Local\Temp\svchos.exe
C:\Users\Admin\AppData\Local\Temp\\svchos.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 448
3⤵
- Program crash
PID:4572

C:\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
C:\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
2⤵
- Executes dropped EXE
PID:976

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3780 -ip 3780
1⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_8500bf54b8f7229a05b72a352166448070cca37261eac5d316c4116210bb914c.exe
Filesize
645KB

MD5
00eae789b0aab1b0fbd23b830fbf1064

SHA1
e4e5fd089f6ae17c83f073cf91edc9db8189980d

SHA256
7addb2269266ac471a690802cab54539b40c2ae5b31e2120fdcf8dfb0ed15dc7

SHA512
23a0e06b39f8b5a932ae5b8f60704ba265332b341ac8bab5b74b2f31f04ce8c7fe6f77278d70c7685cfa894ab0e25a70d89990f5f643b54c07337f90fa5943fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.3MB

MD5
1d11509b592835454704b96d200d58f5

SHA1
8f27489600453cc398db7676247022b0de4ec725

SHA256
090b2121231418f48a63a21c7ef16a5e05d280898946c2a5850267088b23043c

SHA512
7d2766b44d03162f45206d49c917383dea801e1ec14af356efdf945839b7e344feae119ab6a0fdd5b3a628710248f6cb1511ede7d8fefe3a79931714c1ab9ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC9F7.tmp
Filesize
1.3MB

MD5
c041e93894a2978b778ad7e9be9f80a4

SHA1
2baf22437daffc4e8f23737f94349b720c16f5b1

SHA256
77355a586870afbe925c08d15bc9f5f63d41a0c4249708f04a7a7c1978daef06

SHA512
f9c6000608803d41c1b54fdbe52237dc7ae4ddc2e806bd39cec192195b1cc22b19b0619d16f1eb2c85d3dd34ae31dafcdc160935bbf647d1bb313d6f8a263c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\X.ico
Filesize
69KB

MD5
e33fb6d686b1a8b171349572c5a33f67

SHA1
29f24fe536adf799b69b63c83efadc1bce457a54

SHA256
020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450

SHA512
cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchos.exe
Filesize
93KB

MD5
3b377ad877a942ec9f60ea285f7119a2

SHA1
60b23987b20d913982f723ab375eef50fafa6c70

SHA256
62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84

SHA512
af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
377KB

MD5
a4329177954d4104005bce3020e5ef59

SHA1
23c29e295e2dbb8454012d619ca3f81e4c16e85a

SHA256
6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd

SHA512
81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

Download Submit
C:\Windows\SysWOW64\240657062.txt
Filesize
50KB

MD5
a63efc712a5f168adc07c3114a7d065c

SHA1
b473194357ef6036d74a1f53efe9394c89bd1860

SHA256
bc72d5d4f5ad7468e88b180b7ed223ca37a20a6bfd12ef9b809f3ccc8d51c3d8

SHA512
61bf4804eefc3f9681cbf181f68b4f0c86185f5bce3b8db696ffd09479ffa53acbec6b000b204088dd2238b8edd753c52a485906e0082de3ae28f22cff9f248e

Download Submit
memory/1856-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1856-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1856-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1856-31-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2304-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2304-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2304-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2304-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2592-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2592-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2592-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2592-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2592-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download