Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2022 07:15
Behavioral task: behavioral1
- Sample: aba5bf4e71345463ba7f9fb36f4bd276.exe
- Resource: win7-20220901-en
General
- Target: aba5bf4e71345463ba7f9fb36f4bd276.exe
- Size: 1.0MB
- MD5: aba5bf4e71345463ba7f9fb36f4bd276
- SHA1: 9a59e13c0af858d2e28801a90adb8823409bdb22
- SHA256: 45525f906d657ef715cdb0b6c468945821f5165f9cf2ef95789a24db4412e8a2
- SHA512: 4df480e0a6a116bac41267d4f76a39ac6c643509bb471c4e76a5874776212d4dfd7d39ba9d1f09679097599c1d2f13a9fde6f13afcc9bd37f8d4c1dc04253ade
- SSDEEP: 24576:QrKscUvFhMCDcwwHubRgRG0WNVTSA4I0dvElhf9ouOFPk:MKpuhMCv6+O0SxTqh2vh
Malware Config
Signatures
- YARA matches: purplefox_rootkit
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/568-133-0x0000000000400000-0x00000000006A2000-memory.dmp   purplefox_rootkit
  behavioral2/memory/568-134-0x0000000010000000-0x0000000010192000-memory.dmp   purplefox_rootkit
  behavioral2/memory/568-140-0x0000000000400000-0x00000000006A2000-memory.dmp   purplefox_rootkit
- Gh0st RAT payload (3 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/568-133-0x0000000000400000-0x00000000006A2000-memory.dmp   family_gh0strat
  behavioral2/memory/568-134-0x0000000010000000-0x0000000010192000-memory.dmp   family_gh0strat
  behavioral2/memory/568-140-0x0000000000400000-0x00000000006A2000-memory.dmp   family_gh0strat
- YARA matches: vmprotect
  Processes:
  resource                                                                      yara_rule
  behavioral2/memory/568-132-0x0000000000400000-0x00000000006A2000-memory.dmp   vmprotect
  behavioral2/memory/568-133-0x0000000000400000-0x00000000006A2000-memory.dmp   vmprotect
  behavioral2/memory/568-140-0x0000000000400000-0x00000000006A2000-memory.dmp   vmprotect
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: aba5bf4e71345463ba7f9fb36f4bd276.exe
  description: File opened (read-only)
  process: aba5bf4e71345463ba7f9fb36f4bd276.exe
  ioc (23 drive roots, in the order recorded): \??\H:, \??\I:, \??\J:, \??\L:, \??\P:, \??\W:, \??\B:, \??\E:, \??\Z:, \??\U:, \??\Y:, \??\G:, \??\N:, \??\V:, \??\Q:, \??\S:, \??\M:, \??\O:, \??\R:, \??\T:, \??\X:, \??\F:, \??\K:
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid    pid_target   process        target process
  5028   568          WerFault.exe   aba5bf4e71345463ba7f9fb36f4bd276.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: aba5bf4e71345463ba7f9fb36f4bd276.exe
  description         ioc                                                                     process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   aba5bf4e71345463ba7f9fb36f4bd276.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        aba5bf4e71345463ba7f9fb36f4bd276.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: aba5bf4e71345463ba7f9fb36f4bd276.exe
  pid   process
  568   aba5bf4e71345463ba7f9fb36f4bd276.exe
  (the same pid/process row is recorded for all 64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\aba5bf4e71345463ba7f9fb36f4bd276.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\aba5bf4e71345463ba7f9fb36f4bd276.exe"
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 252
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 568 -ip 568
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/568-132-0x0000000000400000-0x00000000006A2000-memory.dmp (Filesize: 2.6MB)
- memory/568-133-0x0000000000400000-0x00000000006A2000-memory.dmp (Filesize: 2.6MB)
- memory/568-134-0x0000000010000000-0x0000000010192000-memory.dmp (Filesize: 1.6MB)
- memory/568-140-0x0000000000400000-0x00000000006A2000-memory.dmp (Filesize: 2.6MB)