Analysis
max time kernel: 152s
max time network: 157s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-10-2022 14:17
Behavioral task: behavioral1
Sample: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
Resource: win7-20220812-en
General
Target: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
Size: 919KB
MD5: 5a73f5e451b5c009494c49fd484e58af
SHA1: 532b2702b09a1831cce9490de7b506510365c8bf
SHA256: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2
SHA512: bd5acbdcf3ca500ca9da2a9a9e7ce24777ca163bf4099303bfa001566aae40de0a3337a03deff08c765bad686a57ae544b8590956ba541a44d61f8704d8abe9f
SSDEEP: 24576:6Jc26tUVSEg0BpT5kBYandPYi95LXNxVKhIN8+e+dLeT9pDT:6O26I8u+2andPYCNVQIiz+d
Malware Config
Signatures
Processes (resource / yara_rule):
  behavioral1/memory/1728-55-0x0000000010000000-0x0000000010192000-memory.dmp    purplefox_rootkit
  behavioral1/memory/1728-61-0x0000000000400000-0x000000000066C000-memory.dmp    purplefox_rootkit
  behavioral1/memory/1728-71-0x0000000000400000-0x000000000066C000-memory.dmp    purplefox_rootkit
  behavioral1/memory/1292-76-0x0000000000400000-0x000000000066C000-memory.dmp    purplefox_rootkit
  behavioral1/memory/436-83-0x0000000000400000-0x000000000066C000-memory.dmp     purplefox_rootkit
Gh0st RAT payload 5 IoCs
Processes (resource / yara_rule):
  behavioral1/memory/1728-55-0x0000000010000000-0x0000000010192000-memory.dmp    family_gh0strat
  behavioral1/memory/1728-61-0x0000000000400000-0x000000000066C000-memory.dmp    family_gh0strat
  behavioral1/memory/1728-71-0x0000000000400000-0x000000000066C000-memory.dmp    family_gh0strat
  behavioral1/memory/1292-76-0x0000000000400000-0x000000000066C000-memory.dmp    family_gh0strat
  behavioral1/memory/436-83-0x0000000000400000-0x000000000066C000-memory.dmp     family_gh0strat
Executes dropped EXE 2 IoCs
Processes (pid / process):
  1292    Qhyph.exe
  436     Qhyph.exe
Processes (resource / yara_rule):
  behavioral1/memory/1728-61-0x0000000000400000-0x000000000066C000-memory.dmp    upx
  C:\Windows\SysWOW64\Qhyph.exe                                                  upx
  C:\Windows\SysWOW64\Qhyph.exe                                                  upx
  behavioral1/memory/1728-71-0x0000000000400000-0x000000000066C000-memory.dmp    upx
  C:\Windows\SysWOW64\Qhyph.exe                                                  upx
  behavioral1/memory/1292-76-0x0000000000400000-0x000000000066C000-memory.dmp    upx
  behavioral1/memory/436-83-0x0000000000400000-0x000000000066C000-memory.dmp     upx
Deletes itself 1 IoCs
Processes (pid / process):
  1792    cmd.exe
Drops file in System32 directory 2 IoCs
Processes (description / ioc / process):
  File created                   C:\Windows\SysWOW64\Qhyph.exe    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
  File opened for modification   C:\Windows\SysWOW64\Qhyph.exe    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
  Token: SeIncBasePriorityPrivilege    1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
  1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
  1292    Qhyph.exe
  436     Qhyph.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description / pid / process / target process):
  PID 1728 wrote to memory of 1792    1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe    cmd.exe
  PID 1728 wrote to memory of 1792    1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe    cmd.exe
  PID 1728 wrote to memory of 1792    1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe    cmd.exe
  PID 1728 wrote to memory of 1792    1728    60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe    cmd.exe
  PID 1292 wrote to memory of 436     1292    Qhyph.exe    Qhyph.exe
  PID 1292 wrote to memory of 436     1292    Qhyph.exe    Qhyph.exe
  PID 1292 wrote to memory of 436     1292    Qhyph.exe    Qhyph.exe
  PID 1292 wrote to memory of 436     1292    Qhyph.exe    Qhyph.exe
  PID 1792 wrote to memory of 1000    1792    cmd.exe      PING.EXE
  PID 1792 wrote to memory of 1000    1792    cmd.exe      PING.EXE
  PID 1792 wrote to memory of 1000    1792    cmd.exe      PING.EXE
  PID 1792 wrote to memory of 1000    1792    cmd.exe      PING.EXE
Processes (process tree; depth shown by indentation)

[1] C:\Users\Admin\AppData\Local\Temp\60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\60F5F9~1.EXE > nul
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 2 127.0.0.1
            - Runs ping.exe

[1] C:\Windows\SysWOW64\Qhyph.exe
    command line: C:\Windows\SysWOW64\Qhyph.exe -auto
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Qhyph.exe
        command line: C:\Windows\SysWOW64\Qhyph.exe -acsi
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\SysWOW64\Qhyph.exe
  Filesize: 919KB
  MD5: 5a73f5e451b5c009494c49fd484e58af
  SHA1: 532b2702b09a1831cce9490de7b506510365c8bf
  SHA256: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2
  SHA512: bd5acbdcf3ca500ca9da2a9a9e7ce24777ca163bf4099303bfa001566aae40de0a3337a03deff08c765bad686a57ae544b8590956ba541a44d61f8704d8abe9f

C:\Windows\SysWOW64\Qhyph.exe
  Filesize: 919KB
  MD5: 5a73f5e451b5c009494c49fd484e58af
  SHA1: 532b2702b09a1831cce9490de7b506510365c8bf
  SHA256: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2
  SHA512: bd5acbdcf3ca500ca9da2a9a9e7ce24777ca163bf4099303bfa001566aae40de0a3337a03deff08c765bad686a57ae544b8590956ba541a44d61f8704d8abe9f

C:\Windows\SysWOW64\Qhyph.exe
  Filesize: 919KB
  MD5: 5a73f5e451b5c009494c49fd484e58af
  SHA1: 532b2702b09a1831cce9490de7b506510365c8bf
  SHA256: 60f5f9100f9c5793cba2c7bbd85e6ea7703dff4bb12d8f5d44620050642f47e2
  SHA512: bd5acbdcf3ca500ca9da2a9a9e7ce24777ca163bf4099303bfa001566aae40de0a3337a03deff08c765bad686a57ae544b8590956ba541a44d61f8704d8abe9f
Memory dumps:
  memory/436-73-0x0000000000000000-mapping.dmp
  memory/436-83-0x0000000000400000-0x000000000066C000-memory.dmp    Filesize: 2.4MB
  memory/1000-84-0x0000000000000000-mapping.dmp
  memory/1292-76-0x0000000000400000-0x000000000066C000-memory.dmp   Filesize: 2.4MB
  memory/1728-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp   Filesize: 8KB
  memory/1728-55-0x0000000010000000-0x0000000010192000-memory.dmp   Filesize: 1.6MB
  memory/1728-61-0x0000000000400000-0x000000000066C000-memory.dmp   Filesize: 2.4MB
  memory/1728-71-0x0000000000400000-0x000000000066C000-memory.dmp   Filesize: 2.4MB
  memory/1792-70-0x0000000000000000-mapping.dmp