Analysis
max time kernel: 146s
max time network: 152s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2022 07:15
Behavioral task: behavioral1
Sample: aba5bf4e71345463ba7f9fb36f4bd276.exe
Resource: win7-20220901-en
General
Target: aba5bf4e71345463ba7f9fb36f4bd276.exe
Size: 1.0MB
MD5: aba5bf4e71345463ba7f9fb36f4bd276
SHA1: 9a59e13c0af858d2e28801a90adb8823409bdb22
SHA256: 45525f906d657ef715cdb0b6c468945821f5165f9cf2ef95789a24db4412e8a2
SHA512: 4df480e0a6a116bac41267d4f76a39ac6c643509bb471c4e76a5874776212d4dfd7d39ba9d1f09679097599c1d2f13a9fde6f13afcc9bd37f8d4c1dc04253ade
SSDEEP: 24576:QrKscUvFhMCDcwwHubRgRG0WNVTSA4I0dvElhf9ouOFPk:MKpuhMCv6+O0SxTqh2vh
Malware Config
Signatures
Processes:
  resource | yara_rule
  behavioral1/memory/1380-56-0x0000000010000000-0x0000000010192000-memory.dmp | purplefox_rootkit
  behavioral1/memory/1380-62-0x0000000000400000-0x00000000006A2000-memory.dmp | purplefox_rootkit
Gh0st RAT payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1380-56-0x0000000010000000-0x0000000010192000-memory.dmp | family_gh0strat
  behavioral1/memory/1380-62-0x0000000000400000-0x00000000006A2000-memory.dmp | family_gh0strat
Processes:
  resource | yara_rule
  behavioral1/memory/1380-54-0x0000000000400000-0x00000000006A2000-memory.dmp | vmprotect
  behavioral1/memory/1380-62-0x0000000000400000-0x00000000006A2000-memory.dmp | vmprotect
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\X:, \??\I:, \??\O:, \??\S:, \??\T:, \??\P:, \??\U:, \??\W:, \??\Z:, \??\E:, \??\F:, \??\G:, \??\H:, \??\L:, \??\N:, \??\V:, \??\Q:, \??\R:, \??\Y:, \??\B:, \??\J:, \??\K:, \??\M: | aba5bf4e71345463ba7f9fb36f4bd276.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aba5bf4e71345463ba7f9fb36f4bd276.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | aba5bf4e71345463ba7f9fb36f4bd276.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  1380 | aba5bf4e71345463ba7f9fb36f4bd276.exe (64 identical entries)
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  resource | Filesize
  memory/1380-54-0x0000000000400000-0x00000000006A2000-memory.dmp | 2.6MB
  memory/1380-55-0x00000000757A1000-0x00000000757A3000-memory.dmp | 8KB
  memory/1380-56-0x0000000010000000-0x0000000010192000-memory.dmp | 1.6MB
  memory/1380-62-0x0000000000400000-0x00000000006A2000-memory.dmp | 2.6MB