Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 10-10-2022 14:09
Behavioral task
- behavioral1
  - Sample: d13d7ec96f4f7ad8b024d5018c06de34.exe
  - Resource: win7-20220812-en
General
- Target: d13d7ec96f4f7ad8b024d5018c06de34.exe
- Size: 1.0MB
- MD5: d13d7ec96f4f7ad8b024d5018c06de34
- SHA1: e155f7daff40731e1e218f627e4ab48f36fb8314
- SHA256: 326fdf4522442f9bf2d93d495540f76dd00d623e5ad448a797eb7f8b329ea45e
- SHA512: 35009d4fed3354438d6f69789d5150e6271b615c8828221c1344447d0fdc66d5904c93ef57180cead8de9b9f32136a2bcb7b4b10cead54f96de9b5bfdc569ee6
- SSDEEP: 24576:etf3hBENnua4KhbDaK+787d/BoXVxmACTC70MhFPk:etPhBwrFbDgSdZEx7CTC70ch
Malware Config
Signatures
- yara rule purplefox_rootkit
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1988-56-0x0000000010000000-0x0000000010192000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1988-62-0x0000000000400000-0x00000000006A6000-memory.dmp  purplefox_rootkit
- Gh0st RAT payload (2 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1988-56-0x0000000010000000-0x0000000010192000-memory.dmp  family_gh0strat
  behavioral1/memory/1988-62-0x0000000000400000-0x00000000006A6000-memory.dmp  family_gh0strat
- yara rule vmprotect
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1988-54-0x0000000000400000-0x00000000006A6000-memory.dmp  vmprotect
  behavioral1/memory/1988-62-0x0000000000400000-0x00000000006A6000-memory.dmp  vmprotect
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: d13d7ec96f4f7ad8b024d5018c06de34.exe
  description              ioc     process
  File opened (read-only)  \??\Z:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\G:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\K:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\L:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\M:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\R:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\B:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\I:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\S:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\U:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\X:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\Y:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\N:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\P:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\T:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\V:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\W:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\Q:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\E:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\F:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\H:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\J:  d13d7ec96f4f7ad8b024d5018c06de34.exe
  File opened (read-only)  \??\O:  d13d7ec96f4f7ad8b024d5018c06de34.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: d13d7ec96f4f7ad8b024d5018c06de34.exe
  description        ioc                                                                     process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        d13d7ec96f4f7ad8b024d5018c06de34.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   d13d7ec96f4f7ad8b024d5018c06de34.exe
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes: d13d7ec96f4f7ad8b024d5018c06de34.exe
  pid   process
  1988  d13d7ec96f4f7ad8b024d5018c06de34.exe  (33 identical entries)
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1988-54-0x0000000000400000-0x00000000006A6000-memory.dmp  Filesize: 2.6MB
- memory/1988-55-0x00000000761F1000-0x00000000761F3000-memory.dmp  Filesize: 8KB
- memory/1988-56-0x0000000010000000-0x0000000010192000-memory.dmp  Filesize: 1.6MB
- memory/1988-62-0x0000000000400000-0x00000000006A6000-memory.dmp  Filesize: 2.6MB