Analysis
-
max time kernel: 150s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 05:13
Static task: static1
Behavioral task: behavioral1
Sample: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Resource: win7-20240221-en
General
Target: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Size: 5.9MB
MD5: 8baec3f11289a10ca1586d3565eb195b
SHA1: ec99ca2dc06a6237dd46ff53a36e04075379d18c
SHA256: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7
SHA512: bd67afd1b1a8e83ee7023ae6f0de19c445d83fb8fff8a0ea99339f08ee85784e476527106979924ccdfeb2900206d8139d2a8c1eb9baaff27038c1548ab08ed8
SSDEEP: 98304:GZJt4HINy2LkU9ExrG51s0pA5cCKUO8Rc9CMzuewKmjTyh5ppGIVwR9+daaYgoaq:siINy2LkU9rG2oTQ5pprVwR9+ZYPAyQY
Malware Config
Signatures
-
Processes:
  resource  yara_rule
  behavioral2/memory/1652-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/2656-16-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4444-27-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4444-35-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4444-32-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/2656-23-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4444-24-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/2656-17-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/2656-15-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/1652-10-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
  behavioral2/memory/1652-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
Processes:
  resource  yara_rule
  behavioral2/memory/1652-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/2656-16-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4444-27-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4444-35-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4444-32-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/2656-23-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/4444-24-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/2656-17-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/2656-15-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/1652-10-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
  behavioral2/memory/1652-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
  description  ioc  process
  File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
  description  ioc  process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Executes dropped EXE 4 IoCs
Processes: RVN.exe, TXPlatforn.exe, TXPlatforn.exe, HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  pid  process
  1652  RVN.exe
  2656  TXPlatforn.exe
  4444  TXPlatforn.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Processes:
  resource  yara_rule
  behavioral2/memory/1652-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/2656-16-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4444-27-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4444-35-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4444-32-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/2656-23-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/4444-24-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/2656-17-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/2656-15-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/2656-13-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/1652-10-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/1652-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
  behavioral2/memory/1652-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
  description  ioc  process
  File created  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
  File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
Drops file in Program Files directory 5 IoCs
Processes: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  description  ioc  process
  File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  File created  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe, HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  pid  process
  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes: TXPlatforn.exe
  pid  process
  4444  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: RVN.exe, TXPlatforn.exe, HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  description  pid  process
  Token: SeIncBasePriorityPrivilege  1652  RVN.exe
  Token: SeLoadDriverPrivilege  4444  TXPlatforn.exe
  Token: SeDebugPrivilege  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  Token: SeDebugPrivilege  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  Token: 33  4444  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  4444  TXPlatforn.exe
  Token: 33  4444  TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege  4444  TXPlatforn.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe, HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  pid  process
  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  5108  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: 3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe, RVN.exe, TXPlatforn.exe, cmd.exe
  description  pid  process  target process
  PID 4824 wrote to memory of 1652  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  RVN.exe
  PID 4824 wrote to memory of 1652  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  RVN.exe
  PID 4824 wrote to memory of 1652  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  RVN.exe
  PID 1652 wrote to memory of 3556  1652  RVN.exe  cmd.exe
  PID 1652 wrote to memory of 3556  1652  RVN.exe  cmd.exe
  PID 1652 wrote to memory of 3556  1652  RVN.exe  cmd.exe
  PID 2656 wrote to memory of 4444  2656  TXPlatforn.exe  TXPlatforn.exe
  PID 2656 wrote to memory of 4444  2656  TXPlatforn.exe  TXPlatforn.exe
  PID 2656 wrote to memory of 4444  2656  TXPlatforn.exe  TXPlatforn.exe
  PID 4824 wrote to memory of 5108  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  PID 4824 wrote to memory of 5108  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  PID 4824 wrote to memory of 5108  4824  3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe  HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  PID 3556 wrote to memory of 3640  3556  cmd.exe  PING.EXE
  PID 3556 wrote to memory of 3640  3556  cmd.exe  PING.EXE
  PID 3556 wrote to memory of 3640  3556  cmd.exe  PING.EXE
Processes
(process tree; indentation shows parent/child relationship, the number in brackets is the depth shown in the report)

[1] C:\Users\Admin\AppData\Local\Temp\3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\PING.EXE
                Command line: ping -n 2 127.0.0.1
                - Runs ping.exe

    [2] C:\Users\Admin\AppData\Local\Temp\HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\TXPlatforn.exe
        Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_3b8dc14de3d39e7093e713a8b63757405b086cec60e14897777756a0c4749ad7.exe
  Filesize: 4.5MB
  MD5: 81a0d4fa8d22aad638379aa8b1d0c69e
  SHA1: 734730784c748694e091dc2c1c688d229c7c931d
  SHA256: c34da741e82529ec5942079ecff532ad10e03d8882de262a6f0ac31842c4d20d
  SHA512: 0a4bfb6693dbef4a6679a58d1958d9c0ac2fdc992a90c6d5f438a9ab0834428d3840a31a9ce685b0aa6eb00d5ad74071304fa7790d337f3b01a50c2a8aa3e198
-
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.3MB
  MD5: b7be7aae156d1245c00656cfe9bf7b05
  SHA1: c665995e6ce1ba8b14cfbe1c9ee6c793e8b575b2
  SHA256: 44c1ea05f76711fd780daf7d49dec617ae338451e4f0bbcf6f173ae9616f533c
  SHA512: b232afc7e5658204e1737bff6d45a972c913fbd01a049a9090df17351bc9c4ad5f6b178fbc5eafeab9ff3866ce5b978d293324016a23f9f5d480faa165cd7960
-
C:\Windows\SysWOW64\TXPlatforn.exe
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
-
Memory dumps (Filesize of each: 1.7MB):
  memory/1652-7-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/1652-4-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/1652-6-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/1652-10-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/2656-13-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/2656-17-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/2656-23-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/2656-15-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/2656-16-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/4444-24-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/4444-32-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/4444-35-0x0000000010000000-0x00000000101B6000-memory.dmp
  memory/4444-27-0x0000000010000000-0x00000000101B6000-memory.dmp