gh0strat | d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Size

1.5MB
MD5

640f80cb6ec06ea5c076b9c320e52c02
SHA1

a213cc1813613035740ce1811e74c7383af5559f
SHA256

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3
SHA512

36173f7b481db3b19c655c0bc14dc73b5f5e3fcae9b7c8725b4e498bded3442a3ff57590298bfb46943acd5eafa58e6181f6de61af80c19610a435a3eefe46ab
SSDEEP

24576:+09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+Yrg3gVqj4NaZb0:+09XJt4HIN2H2tFvduyS2rgwVqcQZ4

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2092-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2092-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2612-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2612-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2612-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2756-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2092-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2612-45-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2092-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2092-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2612-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2612-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2612-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2756-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2092-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2612-45-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatforn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Executes dropped EXE 4 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid process

2092 RVN.exe
2756 TXPlatforn.exe
2612 TXPlatforn.exe
2692 HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Loads dropped DLL 3 IoCs

Processes:

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exeTXPlatforn.exe

pid process

1780 d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
2756 TXPlatforn.exe
1780 d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

pid	process
2092	RVN.exe
2756	TXPlatforn.exe
2612	TXPlatforn.exe
2692	HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid	process
1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
2756	TXPlatforn.exe
1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2092-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2092-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2092-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2612-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2612-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2612-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2756-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2092-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2612-45-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2920 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid process

1780 d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2612 TXPlatforn.exe

pid	process
2920	PING.EXE

pid	process
1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid	process
2612	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2092	RVN.exe
Token: SeLoadDriverPrivilege	2612	TXPlatforn.exe
Token: 33	2612	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2612	TXPlatforn.exe
Token: 33	2612	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2612	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid process

1780 d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
1780 d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

pid	process
1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exeRVN.exeTXPlatforn.execmd.exe

description	pid	process	target process
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 1780 wrote to memory of 2092	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	RVN.exe
PID 2092 wrote to memory of 2416	2092	RVN.exe	cmd.exe
PID 2092 wrote to memory of 2416	2092	RVN.exe	cmd.exe
PID 2092 wrote to memory of 2416	2092	RVN.exe	cmd.exe
PID 2092 wrote to memory of 2416	2092	RVN.exe	cmd.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 2756 wrote to memory of 2612	2756	TXPlatforn.exe	TXPlatforn.exe
PID 1780 wrote to memory of 2692	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 1780 wrote to memory of 2692	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 1780 wrote to memory of 2692	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 1780 wrote to memory of 2692	1780	d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe	HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 2416 wrote to memory of 2920	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2920	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2920	2416	cmd.exe	PING.EXE
PID 2416 wrote to memory of 2920	2416	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
"C:\Users\Admin\AppData\Local\Temp\d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2920

C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2612

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.3MB

MD5
1beac07fc7c63657f72cf3ce33256133

SHA1
e6ee4776c603fcb3c061eaa4cf8ff42c7660557b

SHA256
c83e5d3be090c2cfcae7e0586b4bf98e79baeb01ce0fbd053ff6acf7c835b258

SHA512
e5989fc89fd2b4687256a4f80ed3b821e03452aef1100cc22f23c3a95da9d0db277554cd3a55e6ec48a257c8912574b3e94b58d6fc4e86761c438b603a7f585e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Filesize
226KB

MD5
d4c149a3b147d6a1917ea00cf7445233

SHA1
ce0b846fc7d16ea349607d8a87465ab4f0cde27d

SHA256
d597c0d5e16a52d7acd48ecf0f6e02ba3c6b4d3bd3454d2738f43d6f59bfb119

SHA512
afbdd991f090f614f4e224e82612093b074aad7b84d0d79172b8411a2bb9866d3503db6079f3ed0d2f1eecd8c58a16fa987290d109b128481cb1861d55deb5ea

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2092-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2092-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2092-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2092-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2612-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2612-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2612-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2612-45-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2692-38-0x000000006FD30000-0x000000006FD40000-memory.dmp

Filesize
64KB

Download
memory/2756-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download