Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 11:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220901-en
General
- Target: tmp.exe
- Size: 392KB
- MD5: 2f99005e926985ec16ad11e7c95e11b6
- SHA1: 540599b46fb10facdaf9f47ab987880a44aa1eff
- SHA256: dd06f7e555b0db061ef0f4a44eef9875d0b13341c0c701ae13274d5f473d2b90
- SHA512: bb171884a014b66e6690e4bf12466143140102813afff3ce2b61cb38eaec619795f62086442b7e7f7b1e5a325bf5447b54bc8cf7fb419f590b3807775dfa17a0
- SSDEEP: 6144:VRjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nhh5JodPU0:Ljbh9tDjiuT+xEtl0u4w3mAZyadMd
Malware Config
Signatures
-
  Processes (resource -> yara_rule):
    behavioral2/memory/1092-134-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/1092-135-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/1092-138-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/5016-141-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/5016-142-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/5016-146-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/4648-151-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/4648-150-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/4648-152-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
    behavioral2/memory/4648-153-0x0000000010000000-0x00000000101A5000-memory.dmp -> purplefox_rootkit
- Gh0st RAT payload (10 IoCs)
  Processes (resource -> yara_rule):
    behavioral2/memory/1092-134-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/1092-135-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/1092-138-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/5016-141-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/5016-142-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/5016-146-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/4648-151-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/4648-150-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/4648-152-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
    behavioral2/memory/4648-153-0x0000000010000000-0x00000000101A5000-memory.dmp -> family_gh0strat
- Drops file in Drivers directory (1 IoC)
  Processes (description / ioc / process):
    File created / C:\Windows\system32\drivers\QAssist.sys / Skcsk.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    5016 / Skcsk.exe
    4648 / Skcsk.exe
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str) / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" / Skcsk.exe
-
  Processes (resource -> yara_rule):
    behavioral2/memory/1092-132-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/1092-134-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/1092-135-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/1092-138-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/5016-139-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/5016-141-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/5016-142-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/5016-146-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/4648-148-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/4648-151-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/4648-150-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/4648-152-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
    behavioral2/memory/4648-153-0x0000000010000000-0x00000000101A5000-memory.dmp -> upx
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only) by Skcsk.exe: \??\N:, \??\P:, \??\J:, \??\M:, \??\W:, \??\Z:, \??\F:, \??\G:, \??\K:, \??\O:, \??\S:, \??\Q:, \??\R:, \??\T:, \??\B:, \??\E:, \??\H:, \??\I:, \??\L:, \??\U:, \??\V:, \??\X:, \??\Y:
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created / C:\Windows\Skcsk.exe / tmp.exe
    File opened for modification / C:\Windows\Skcsk.exe / tmp.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / Skcsk.exe
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz / Skcsk.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum / Skcsk.exe
    Key created / \REGISTRY\USER\.DEFAULT\Software / Skcsk.exe
    Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft / Skcsk.exe
    Key created / \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie / Skcsk.exe
    Set value (int) / \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" / Skcsk.exe
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    4648 / Skcsk.exe (the same entry repeated 64 times)
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes (pid / process):
    4648 / Skcsk.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege / 1092 / tmp.exe
    Token: SeLoadDriverPrivilege / 4648 / Skcsk.exe
    Token: 33 / 4648 / Skcsk.exe
    Token: SeIncBasePriorityPrivilege / 4648 / Skcsk.exe
    Token: 33 / 4648 / Skcsk.exe
    Token: SeIncBasePriorityPrivilege / 4648 / Skcsk.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 1092 wrote to memory of 4124 / 1092 / tmp.exe / cmd.exe (3 entries)
    PID 5016 wrote to memory of 4648 / 5016 / Skcsk.exe / Skcsk.exe (3 entries)
    PID 4124 wrote to memory of 2256 / 4124 / cmd.exe / PING.EXE (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\tmp.exe > nul
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
- C:\Windows\Skcsk.exe (depth 1)
  Command line: C:\Windows\Skcsk.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Skcsk.exe (depth 2)
    Command line: C:\Windows\Skcsk.exe -acsi
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Skcsk.exe
  Filesize: 392KB
  MD5: 2f99005e926985ec16ad11e7c95e11b6
  SHA1: 540599b46fb10facdaf9f47ab987880a44aa1eff
  SHA256: dd06f7e555b0db061ef0f4a44eef9875d0b13341c0c701ae13274d5f473d2b90
  SHA512: bb171884a014b66e6690e4bf12466143140102813afff3ce2b61cb38eaec619795f62086442b7e7f7b1e5a325bf5447b54bc8cf7fb419f590b3807775dfa17a0
- memory/1092-132-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/1092-134-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/1092-135-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/1092-138-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/2256-147-0x0000000000000000-mapping.dmp
- memory/4124-143-0x0000000000000000-mapping.dmp
- memory/4648-151-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/4648-144-0x0000000000000000-mapping.dmp
- memory/4648-152-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/4648-150-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/4648-153-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/4648-148-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/5016-142-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/5016-146-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/5016-141-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/5016-139-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)