gh0strat | 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747

Analysis

max time kernel
21s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
Size

4.1MB
MD5

8190c0a1b9ea731687aa40a8f7069096
SHA1

5041fcc23bac4e89073ee12177cb3c3f04004829
SHA256

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747
SHA512

d9e81e8c73f6a7dd5e7d710947bb79421c765bfc2739836f4e8a3569ee6f033881bf8def34be02061f65dd95d58b80760b49ccc26b41a308a0a45df31208491c
SSDEEP

49152:fCwsbCANnKXferL7Vwe/Gg0P+Whjy1hXJEIptTc6IfAyL4UMYMZ2RtB:Kws2ANnKXOaeOgmhIX6IA9oycUMYM

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2660-14-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2660-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4248-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4248-53-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4248-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1516-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2660-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240613375.txt	family_gh0strat
behavioral2/memory/2660-14-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2660-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4248-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4248-53-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4248-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1516-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2660-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatfor.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe
Executes dropped EXE 5 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid process

3984 R.exe
2660 N.exe
1516 TXPlatfor.exe
4248 TXPlatfor.exe
3172 HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
Loads dropped DLL 1 IoCs

Processes:

R.exe

pid process

3984 R.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

pid	process
3984	R.exe
2660	N.exe
1516	TXPlatfor.exe
4248	TXPlatfor.exe
3172	HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid	process
3984	R.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2660-14-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2660-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2660-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4248-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4248-53-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4248-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2660-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

R.exeN.exe

description ioc process

File created C:\Windows\SysWOW64\240613375.txt R.exe
File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe
File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe
Drops file in Program Files directory 1 IoCs

Processes:

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2748 3984 WerFault.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2212 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid process

2492 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
2492 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

4248 TXPlatfor.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

N.exeTXPlatfor.exe

description pid process

Token: SeIncBasePriorityPrivilege 2660 N.exe
Token: SeLoadDriverPrivilege 4248 TXPlatfor.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid process

2492 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
2492 737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

description	ioc	process
File created	C:\Windows\SysWOW64\240613375.txt	R.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid	pid_target	process
2748	3984	WerFault.exe

pid	process
2212	PING.EXE

pid	process
2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

pid	process
4248	TXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2660	N.exe
Token: SeLoadDriverPrivilege	4248	TXPlatfor.exe

pid	process
2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exeN.exeTXPlatfor.execmd.exe

description	pid	process	target process
PID 2492 wrote to memory of 3984	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	R.exe
PID 2492 wrote to memory of 3984	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	R.exe
PID 2492 wrote to memory of 3984	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	R.exe
PID 2492 wrote to memory of 2660	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	N.exe
PID 2492 wrote to memory of 2660	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	N.exe
PID 2492 wrote to memory of 2660	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	N.exe
PID 2660 wrote to memory of 740	2660	N.exe	cmd.exe
PID 2660 wrote to memory of 740	2660	N.exe	cmd.exe
PID 2660 wrote to memory of 740	2660	N.exe	cmd.exe
PID 1516 wrote to memory of 4248	1516	TXPlatfor.exe	TXPlatfor.exe
PID 1516 wrote to memory of 4248	1516	TXPlatfor.exe	TXPlatfor.exe
PID 1516 wrote to memory of 4248	1516	TXPlatfor.exe	TXPlatfor.exe
PID 2492 wrote to memory of 3172	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
PID 2492 wrote to memory of 3172	2492	737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe	HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
PID 740 wrote to memory of 2212	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 2212	740	cmd.exe	PING.EXE
PID 740 wrote to memory of 2212	740	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
"C:\Users\Admin\AppData\Local\Temp\737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492

C:\Users\Admin\AppData\Local\Temp\R.exe
C:\Users\Admin\AppData\Local\Temp\\R.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 464
3⤵
- Program crash
PID:2748

C:\Users\Admin\AppData\Local\Temp\N.exe
C:\Users\Admin\AppData\Local\Temp\\N.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2212

C:\Users\Admin\AppData\Local\Temp\HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
C:\Users\Admin\AppData\Local\Temp\HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
2⤵
- Executes dropped EXE
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3984 -ip 3984
1⤵
PID:1436

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4248

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_737a77f2dcf031fa49b9985c58f7acb16663c19baf4c75f6ac998e49e9316747.exe
Filesize
1.3MB

MD5
1699af833adaf5e8cd81638418d1adba

SHA1
2618ce0d6d461c60ca4c71afdeaad7a4f64a3b5e

SHA256
b3e17c2cc44565d7db9b33edfa847caf8218da44afa8dbb74bcf848bf127c2bc

SHA512
5f2fe8677cbacf0a1c13c8f3d16a47af12f5b56bac6cc0823c2cf9fd24791b7104a98bf845ff4dcde6f82f02e53c225c46d443839e5552339df628c5a047aee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
2.8MB

MD5
af3d4af0368b57484ecfd657b27d27f0

SHA1
c0711ee723b0d11a39f1faa8ad574de8ac763623

SHA256
26496bc50b0a030effdb6865d71e371c88564bc93599b3552f178fd9fe031e0a

SHA512
1dfd8adde5cbde08a32fac39cc05fddd81fe02b4d5276aa4f8185278ea83633ae79dc316392f7f33ee7f633fe6cbdc8e4ab2636695ec87132cef537761d866d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\240613375.txt
Filesize
899KB

MD5
e0490eb8b7a0f934636c33f748d1b4fd

SHA1
1d220b1883c726612f78c61e73894232e6d0f71f

SHA256
9f5fcb30afcaf3dd74c717a1f9c3f0f55552a35e11494b3076dd4b479c47ee54

SHA512
42e60fb7a6aafd875205705c811ff28fbade09c66344b255517334b7a7a95673415bf17dd4d84ef7b336faa19d82216c7f9de1443c83ba5be36864af5117f608

Download Submit
memory/1516-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2660-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2660-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2660-14-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2660-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4248-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4248-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4248-53-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download