Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-07-2024 05:17
Static task: static1
Behavioral task: behavioral1
Sample: d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Resource: win7-20240508-en
General
Target: d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Size: 1.5MB
MD5: 640f80cb6ec06ea5c076b9c320e52c02
SHA1: a213cc1813613035740ce1811e74c7383af5559f
SHA256: d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3
SHA512: 36173f7b481db3b19c655c0bc14dc73b5f5e3fcae9b7c8725b4e498bded3442a3ff57590298bfb46943acd5eafa58e6181f6de61af80c19610a435a3eefe46ab
SSDEEP: 24576:+09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+Yrg3gVqj4NaZb0:+09XJt4HIN2H2tFvduyS2rgwVqcQZ4
Malware Config
Signatures
Processes:
resource  yara_rule
behavioral2/memory/1928-10-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1928-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2544-46-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2544-32-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2544-30-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2544-52-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2748-27-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2748-19-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2748-16-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2748-15-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1928-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1928-10-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1928-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2544-46-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2544-32-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2544-30-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2544-52-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2748-27-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2748-19-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2748-16-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2748-15-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1928-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Executes dropped EXE 4 IoCs
Processes:
pid  process
1928  RVN.exe
2748  TXPlatforn.exe
2544  TXPlatforn.exe
3088  HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Processes:
resource  yara_rule
behavioral2/memory/1928-10-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1928-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2544-46-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2544-32-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2544-30-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2544-52-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2748-27-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2748-19-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2748-16-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2748-15-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2748-13-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1928-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1928-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Drops file in System32 directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
Drops file in Program Files directory 5 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File created  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  process
2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid  process
2544  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description  pid  process
Token: SeIncBasePriorityPrivilege  1928  RVN.exe
Token: SeLoadDriverPrivilege  2544  TXPlatforn.exe
Token: 33  2544  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  2544  TXPlatforn.exe
Token: 33  2544  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  2544  TXPlatforn.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid  process
2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description  pid  process  target process
PID 2032 wrote to memory of 1928  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  RVN.exe
PID 2032 wrote to memory of 1928  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  RVN.exe
PID 2032 wrote to memory of 1928  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  RVN.exe
PID 1928 wrote to memory of 1732  1928  RVN.exe  cmd.exe
PID 1928 wrote to memory of 1732  1928  RVN.exe  cmd.exe
PID 1928 wrote to memory of 1732  1928  RVN.exe  cmd.exe
PID 2748 wrote to memory of 2544  2748  TXPlatforn.exe  TXPlatforn.exe
PID 2748 wrote to memory of 2544  2748  TXPlatforn.exe  TXPlatforn.exe
PID 2748 wrote to memory of 2544  2748  TXPlatforn.exe  TXPlatforn.exe
PID 2032 wrote to memory of 3088  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 2032 wrote to memory of 3088  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 2032 wrote to memory of 3088  2032  d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe  HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
PID 1732 wrote to memory of 4400  1732  cmd.exe  PING.EXE
PID 1732 wrote to memory of 4400  1732  cmd.exe  PING.EXE
PID 1732 wrote to memory of 4400  1732  cmd.exe  PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RVN.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
    - Executes dropped EXE
C:\Windows\SysWOW64\TXPlatforn.exe
  command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatforn.exe
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize: 1.3MB
MD5: 1beac07fc7c63657f72cf3ce33256133
SHA1: e6ee4776c603fcb3c061eaa4cf8ff42c7660557b
SHA256: c83e5d3be090c2cfcae7e0586b4bf98e79baeb01ce0fbd053ff6acf7c835b258
SHA512: e5989fc89fd2b4687256a4f80ed3b821e03452aef1100cc22f23c3a95da9d0db277554cd3a55e6ec48a257c8912574b3e94b58d6fc4e86761c438b603a7f585e

C:\Users\Admin\AppData\Local\Temp\HD_d22e300daba510b0a871ff3e1ef1b78a35ac73d87a91e97ce2073d73f2edb2f3.exe
Filesize: 226KB
MD5: d4c149a3b147d6a1917ea00cf7445233
SHA1: ce0b846fc7d16ea349607d8a87465ab4f0cde27d
SHA256: d597c0d5e16a52d7acd48ecf0f6e02ba3c6b4d3bd3454d2738f43d6f59bfb119
SHA512: afbdd991f090f614f4e224e82612093b074aad7b84d0d79172b8411a2bb9866d3503db6079f3ed0d2f1eecd8c58a16fa987290d109b128481cb1861d55deb5ea

C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/1928-10-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1928-6-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1928-7-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1928-4-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2544-46-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2544-52-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2544-30-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2544-32-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2748-27-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2748-19-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2748-16-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2748-15-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2748-13-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/3088-29-0x000000006FCD0000-0x000000006FCE0000-memory.dmp  Filesize: 64KB