Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 05:12
Static task: static1
Behavioral task: behavioral1
Sample: 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
Resource: win7-20240220-en
General
Target: 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
Size: 2.4MB
MD5: b68549a3a99b06fa3663c73edf44939a
SHA1: 28eca522fbf9d28e107cd2314fbfb667caaf6465
SHA256: 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3
SHA512: d6a22614541da397bafd48ae4a307b31290c846c2be0b81f32592457711b9f4eddaa9f98ff04a6432a61ffa392e65e3bbbd23fb18b2c7ab1b5e9e86e5294e18c
SSDEEP: 49152:209XJt4HIN2H2tFvduyS4EZbUHpyfBFnxbzQz:nZJt4HINy2Lk4IAHpyf1XU
Malware Config
Signatures
-
Yara rule purplefox_rootkit matched 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3304-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3304-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3304-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/512-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/512-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/512-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/960-27-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/512-26-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/960-30-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/960-32-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/960-35-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 11 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3304-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3304-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3304-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/512-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/512-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/512-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/960-27-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/512-26-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/960-30-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/960-32-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/960-35-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
-
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
3304 | RVN.exe
512 | TXPlatforn.exe
960 | TXPlatforn.exe
4164 | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
-
Yara rule upx matched 13 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3304-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3304-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3304-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3304-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/512-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/512-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/512-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/512-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/960-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/512-26-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/960-30-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/960-32-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/960-35-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
-
Drops file in Program Files directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
960 | TXPlatforn.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 3304 | RVN.exe
Token: SeLoadDriverPrivilege | 960 | TXPlatforn.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege; the sandbox prints it by number) | 960 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 960 | TXPlatforn.exe
Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | 960 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 960 | TXPlatforn.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
4164 | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
4164 | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 4620 wrote to memory of 3304 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | RVN.exe
PID 4620 wrote to memory of 3304 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | RVN.exe
PID 4620 wrote to memory of 3304 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | RVN.exe
PID 3304 wrote to memory of 752 | 3304 | RVN.exe | cmd.exe
PID 3304 wrote to memory of 752 | 3304 | RVN.exe | cmd.exe
PID 3304 wrote to memory of 752 | 3304 | RVN.exe | cmd.exe
PID 512 wrote to memory of 960 | 512 | TXPlatforn.exe | TXPlatforn.exe
PID 512 wrote to memory of 960 | 512 | TXPlatforn.exe | TXPlatforn.exe
PID 512 wrote to memory of 960 | 512 | TXPlatforn.exe | TXPlatforn.exe
PID 4620 wrote to memory of 4164 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
PID 4620 wrote to memory of 4164 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
PID 4620 wrote to memory of 4164 | 4620 | 8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe | HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
PID 752 wrote to memory of 4952 | 752 | cmd.exe | PING.EXE
PID 752 wrote to memory of 4952 | 752 | cmd.exe | PING.EXE
PID 752 wrote to memory of 4952 | 752 | cmd.exe | PING.EXE
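The two signatures "Drops file in Drivers directory" and "Sets service image path in registry" are far more telling together than apart: TXPlatforn.exe (pid 960) writes QAssist.sys and, in the same process, registers a service whose ImagePath is that file, which is how a kernel driver gets installed outside the normal driver-package path before LoadsDriver fires. The script below is an added detection example, not part of the sandbox report or of any vendor's tooling; the event records are constructed to mirror the report, and their field names (type, pid, process, path, key, value) are an assumed schema rather than a real sandbox or EDR format.

```python
"""Correlate 'driver file dropped' with 'service ImagePath set' events.

Added example (not part of the sandbox report). Event field names are an
assumed schema; the events themselves are constructed from the report.
"""
import re
from typing import Dict, List

# Constructed events mirroring the report (pid 960 = TXPlatforn.exe -acsi).
SAMPLE_EVENTS: List[Dict] = [
    {"type": "file_create", "pid": 3304, "process": "RVN.exe",
     "path": r"C:\Windows\SysWOW64\TXPlatforn.exe"},
    {"type": "file_create", "pid": 960, "process": "TXPlatforn.exe",
     "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "reg_set", "pid": 960, "process": "TXPlatforn.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    # Constructed benign noise: a user-mode service whose ImagePath is an .exe.
    {"type": "reg_set", "pid": 1200, "process": "services.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Spooler\ImagePath",
     "value": r"%SystemRoot%\System32\spoolsv.exe"},
]

_IMAGEPATH_KEY = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
_DRIVERS_DIR = re.compile(r"\\system32\\drivers\\", re.IGNORECASE)


def image_basename(value: str) -> str:
    """Reduce the many spellings of an ImagePath to a lower-case file name.

    ImagePath may be relative ('system32\\DRIVERS\\x.sys'), NT-style
    ('\\??\\C:\\...\\x.sys', '\\SystemRoot\\...') or use %SystemRoot%; only
    the final path component is needed to match a file-create event.
    """
    value = value.strip().strip('"')
    return value.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_driver_installs(events: List[Dict]) -> List[Dict]:
    """Return one finding per ImagePath that points at a freshly dropped .sys."""
    drops: Dict[str, Dict] = {}  # basename -> file_create event under drivers\
    for ev in events:
        if ev["type"] == "file_create" and _DRIVERS_DIR.search(ev["path"]):
            drops[image_basename(ev["path"])] = ev

    findings = []
    for ev in events:
        if ev["type"] != "reg_set":
            continue
        m = _IMAGEPATH_KEY.search(ev["key"])
        if not m:
            continue
        driver = image_basename(ev["value"])
        if not driver.endswith(".sys") or driver not in drops:
            continue  # user-mode service, or a driver that was already on disk
        drop = drops[driver]
        findings.append({
            "service": m.group(1),
            "driver": driver,
            "dropped_by": f"{drop['process']} (pid {drop['pid']})",
            "registered_by": f"{ev['process']} (pid {ev['pid']})",
            # The same process dropping and registering the driver is the
            # hand-rolled install pattern seen in this report.
            "same_process": drop["pid"] == ev["pid"],
            "name_matches_file": m.group(1).lower() + ".sys" == driver,
        })
    return findings


if __name__ == "__main__":
    for finding in find_driver_installs(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields a single finding for service QAssist, dropped and registered by the same pid; the Spooler entry is ignored because its ImagePath is a user-mode executable. In a real pipeline the file-create side should also be checked against the signer of the dropped .sys, which the sandbox report does not record.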
Processes
-
C:\Users\Admin\AppData\Local\Temp\8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RVN.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE (level 4)
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\TXPlatforn.exe (level 1)
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatforn.exe (level 2)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
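RVN.exe removes itself with the classic cmd.exe /c ping -n 2 127.0.0.1 > nul && del <own path> > nul idiom: the ping exists only to stall for about a second so that the parent has exited and the file is no longer locked when del runs. The parser below is an added example, not part of the report; it recognises that shape in a process command line and reports whether the file being deleted is the image of the process that spawned the shell. It also accepts a timeout /t N stall, which is an assumed variant that this report does not show, and the default of four echoes when ping is given no -n is Windows behaviour, not something the report states.

```python
"""Spot the 'stall, then del' self-deletion idiom in process command lines.

Added example, not part of the sandbox report. SAMPLE_CMD is copied from the
process tree; the timeout variant and the regexes are this example's own.
"""
import re
from typing import Dict, Optional

# ping [-n <count>] <host>   or   timeout [/t] <seconds>
_STALL = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+(?P<count>\d+)\s+)?(?P<host>\S+)"
    r"|timeout(?:\.exe)?\s+(?:/t\s+)?(?P<secs>\d+))",
    re.IGNORECASE)
# del|erase [/switches] <quoted or bare path>
_DEL = re.compile(
    r'\b(?:del|erase)\b(?P<flags>(?:\s+/[a-z])*)\s+(?P<target>"[^"]+"|\S+)',
    re.IGNORECASE)


def parse_stall_delete(cmdline: str) -> Optional[Dict]:
    """Return {'stall', 'delay_s', 'target', 'flags'} or None if the shape is absent."""
    stall = _STALL.search(cmdline)
    if not stall:
        return None
    delete = _DEL.search(cmdline, stall.end())  # del must follow the stall
    if not delete:
        return None
    if stall.group("secs"):
        delay = int(stall.group("secs"))
        kind = "timeout"
    else:
        # ping waits ~1 s between echoes, so N requests stall for about N-1 s;
        # Windows sends 4 echoes when -n is omitted.
        delay = max(int(stall.group("count") or 4) - 1, 0)
        kind = f"ping {stall.group('host')}"
    return {
        "stall": kind,
        "delay_s": delay,
        "target": delete.group("target").strip('"'),
        "flags": delete.group("flags").split(),
    }


def is_self_delete(cmdline: str, parent_image: str) -> bool:
    """True when the command deletes the image of the process that spawned it."""
    parsed = parse_stall_delete(cmdline)
    return parsed is not None and parsed["target"].lower() == parent_image.lower()


# Copied from the process tree above (cmd.exe spawned by RVN.exe, pid 3304).
SAMPLE_CMD = (r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && "
              r"del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul")
SAMPLE_PARENT = r"C:\Users\Admin\AppData\Local\Temp\RVN.exe"

if __name__ == "__main__":
    print(parse_stall_delete(SAMPLE_CMD))
    print("self-delete:", is_self_delete(SAMPLE_CMD, SAMPLE_PARENT))
```

The parent image must come from the process-creation record of the shell's parent (here RVN.exe), not from the command line itself; matching on the parent is what separates self-deletion from a script that merely cleans up a temp file after a pause.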
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe
Filesize: 1.3MB
MD5: 9fe8c5842e0623b0797b9154c47fa358
SHA1: 9c88b788ca29e4718bdd189209f2deee67ce6aa1
SHA256: c9b8136337fbb8907199f1e26d1ba8b9303ba0add276ff69740c24c57696c75d
SHA512: d59cd50df81ebca6d6470f664aa2715d9b324d2e312463bc4964b8d075fc1c07b9dd8f00513e647d530ec68543c506d39bec9e0f15db0e21c2e8476f6f3acf05
-
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize: 1.1MB
MD5: e3ebb33b879923b6a684517ac5e97df8
SHA1: c58f926bf3635048f9e5eaeb7bc0e18c0b0c8e94
SHA256: 6be2e57665ccdbdbb5f352b855ab5402ab5531144bcca57e024ae534208b1cfc
SHA512: 4e02d1e9dd5c9537343cf25121f80230a4a9f6c4de50b441a4ec3b923d63526cee846c1e7f5ce2726cc9fd5c2bb02e1cefe057159eccc1e16d40658fff6bf169
-
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
Memory dumps (all thirteen cover the same 0x1B6000-byte region at 0x10000000, the default MSVC DLL image base, in pids 3304, 512 and 960; this is the region that triggers the purplefox_rootkit, family_gh0strat and upx rules above):
memory/512-17-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/512-26-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/512-13-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/512-16-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/512-15-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/960-30-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/960-27-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/960-32-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/960-35-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/3304-4-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/3304-7-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/3304-10-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
memory/3304-6-0x0000000010000000-0x00000000101B6000-memory.dmp | Filesize 1.7MB
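To triage a file recovered from a host against the dropped-file table above, hash it once with all four algorithms and compare every digest, so that a partial agreement (MD5 matching while SHA-256 does not, for instance a transcription error in a report or a re-packed sample) is surfaced rather than silently counted as a hit or a miss. This is an added example, not part of the report; the IOCS table is transcribed from the three dropped files listed above and keyed by their file names, and the x.bin entry used for illustration in the test is constructed.

```python
"""Hash a suspect file once and compare it against every digest in the table.

Added example, not part of the sandbox report. IOCS is transcribed from the
Downloads section above; everything else is this example's own.
"""
import hashlib
from typing import Dict, Iterable, Mapping

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Transcribed from the Downloads table above (lower-case hex).
IOCS: Dict[str, Dict[str, str]] = {
    "HD_8da0b4bfe23f16cd9d691ae5a8d4398683d43e0bd3963c6a9b797aea2b3d79a3.exe": {
        "md5": "9fe8c5842e0623b0797b9154c47fa358",
        "sha1": "9c88b788ca29e4718bdd189209f2deee67ce6aa1",
        "sha256": "c9b8136337fbb8907199f1e26d1ba8b9303ba0add276ff69740c24c57696c75d",
        "sha512": "d59cd50df81ebca6d6470f664aa2715d9b324d2e312463bc4964b8d075fc1c07"
                  "b9dd8f00513e647d530ec68543c506d39bec9e0f15db0e21c2e8476f6f3acf05",
    },
    "HD_X.dat": {
        "md5": "e3ebb33b879923b6a684517ac5e97df8",
        "sha1": "c58f926bf3635048f9e5eaeb7bc0e18c0b0c8e94",
        "sha256": "6be2e57665ccdbdbb5f352b855ab5402ab5531144bcca57e024ae534208b1cfc",
        "sha512": "4e02d1e9dd5c9537343cf25121f80230a4a9f6c4de50b441a4ec3b923d63526c"
                  "ee846c1e7f5ce2726cc9fd5c2bb02e1cefe057159eccc1e16d40658fff6bf169",
    },
    "RVN.exe": {
        "md5": "80ade1893dec9cab7f2e63538a464fcc",
        "sha1": "c06614da33a65eddb506db00a124a3fc3f5be02e",
        "sha256": "57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd",
        "sha512": "fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef97914"
                  "0988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4",
    },
}


def digest_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Run all four algorithms over a stream of byte chunks in a single pass."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Digest a file without reading it into memory at once."""
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(chunk_size), b""))


def match_iocs(digests: Mapping[str, str],
               iocs: Mapping[str, Mapping[str, str]] = IOCS) -> Dict[str, Dict[str, bool]]:
    """Per-algorithm verdict for every IoC entry that agrees on at least one digest.

    All True means the file is that artifact; a mix means either the file or
    the table is inconsistent and deserves a second look.
    """
    verdicts: Dict[str, Dict[str, bool]] = {}
    for name, entry in iocs.items():
        hits = {a: digests[a].lower() == entry[a].lower() for a in ALGOS}
        if any(hits.values()):
            verdicts[name] = hits
    return verdicts


def classify(digests: Mapping[str, str],
             iocs: Mapping[str, Mapping[str, str]] = IOCS) -> str:
    """'full:<name>', 'partial:<name>' or 'none' for the first agreeing entry."""
    for name, hits in match_iocs(digests, iocs).items():
        return ("full:" if all(hits.values()) else "partial:") + name
    return "none"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, classify(digest_file(path)))
```

Sizes in the table are rounded (1.3MB, 1.1MB, 377KB) and are not used for matching; a size that is close but digests that all disagree usually means a different build of the same dropper rather than a transcription problem.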