Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2022 20:56
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe
  - Resource: win7-20220901-en
General
- Target: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe
- Size: 420KB
- MD5: 3265ada4c9107a76c5399c6c5a6264c9
- SHA1: 600a2885904818ad7ac6ae81712ec785cfd27dce
- SHA256: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a
- SHA512: eae837c8be00968dcaf389eff1a4a1a6dc76a5a11344e8546cdc67e34b9b2ff5fe1b2c2c0650bcf769324bb9b41edf3519778b6e24f6943dc04702a210dd1ec0
- SSDEEP: 6144:hEg2/FmkfKc+Mz6aEctnbbWj/VI1N5kvsWT6kRXAfAarxGEEXXUOCwKHmpvN:etUsz6aEcV6rVI/HWTxRXAoi6v
Malware Config

Signatures

Yara rule match: purplefox_rootkit (7 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1200-55-0x00000000033A0000-0x0000000003546000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1200-56-0x0000000003260000-0x0000000003399000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1200-57-0x00000000033A0000-0x0000000003546000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1608-68-0x00000000020D0000-0x0000000002276000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1200-70-0x00000000033A0000-0x0000000003546000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1608-73-0x00000000020D0000-0x0000000002276000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1608-77-0x00000000020D0000-0x0000000002276000-memory.dmp  purplefox_rootkit

Gh0st RAT payload (7 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1200-55-0x00000000033A0000-0x0000000003546000-memory.dmp  family_gh0strat
  behavioral1/memory/1200-56-0x0000000003260000-0x0000000003399000-memory.dmp  family_gh0strat
  behavioral1/memory/1200-57-0x00000000033A0000-0x0000000003546000-memory.dmp  family_gh0strat
  behavioral1/memory/1608-68-0x00000000020D0000-0x0000000002276000-memory.dmp  family_gh0strat
  behavioral1/memory/1200-70-0x00000000033A0000-0x0000000003546000-memory.dmp  family_gh0strat
  behavioral1/memory/1608-73-0x00000000020D0000-0x0000000002276000-memory.dmp  family_gh0strat
  behavioral1/memory/1608-77-0x00000000020D0000-0x0000000002276000-memory.dmp  family_gh0strat
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  1608  windows.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid   process
  632   attrib.exe
  1848  attrib.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid   process
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description      ioc                                                                                                                                      process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window安全防护中心模块 = "C:\\ProgramData\\Micros\\svchost.exe"  windows.exe
  (The value name is GBK-encoded Chinese, shown mis-decoded in the raw report; it reads "Window security protection center module".)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc      process
  File opened (read-only)  \??\W:   windows.exe
  File opened (read-only)  \??\X:   windows.exe
  File opened (read-only)  \??\Y:   windows.exe
  File opened (read-only)  \??\N:   windows.exe
  File opened (read-only)  \??\R:   windows.exe
  File opened (read-only)  \??\G:   windows.exe
  File opened (read-only)  \??\K:   windows.exe
  File opened (read-only)  \??\P:   windows.exe
  File opened (read-only)  \??\Z:   windows.exe
  File opened (read-only)  \??\E:   windows.exe
  File opened (read-only)  \??\F:   windows.exe
  File opened (read-only)  \??\M:   windows.exe
  File opened (read-only)  \??\Q:   windows.exe
  File opened (read-only)  \??\S:   windows.exe
  File opened (read-only)  \??\U:   windows.exe
  File opened (read-only)  \??\B:   windows.exe
  File opened (read-only)  \??\L:   windows.exe
  File opened (read-only)  \??\J:   windows.exe
  File opened (read-only)  \??\O:   windows.exe
  File opened (read-only)  \??\T:   windows.exe
  File opened (read-only)  \??\V:   windows.exe
  File opened (read-only)  \??\H:   windows.exe
  File opened (read-only)  \??\I:   windows.exe

Drops file in Program Files directory (1 IoCs)
Processes:
  description                    ioc                        process
  File opened for modification   C:\PROGRA~3\windows.exe    attrib.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                    process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  windows.exe
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       windows.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes:
  pid   process                                                                entries
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe  5
  1608  windows.exe                                                            39

Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe
  Token: SeIncBasePriorityPrivilege   1608  windows.exe
  Token: 33                           1608  windows.exe
  Token: SeIncBasePriorityPrivilege   1608  windows.exe
  Token: 33                           1608  windows.exe
  Token: SeIncBasePriorityPrivilege   1608  windows.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe
  1608  windows.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (each parent/target pair is recorded 4 times in the report, giving 32 entries):
  pid   process                                                                target pid  target process
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe  1360        cmd.exe
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe  1896        cmd.exe
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe  1764        cmd.exe
  1360  cmd.exe                                                                632         attrib.exe
  1200  717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe  1608        windows.exe
  1608  windows.exe                                                            992         cmd.exe
  992   cmd.exe                                                                1848        attrib.exe
  1608  windows.exe                                                            1568        cmd.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes:
  pid   process
  632   attrib.exe
  1848  attrib.exe
Processes (tree; the number is the depth in the process tree)

1. C:\Users\Admin\AppData\Local\Temp\717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\717735~1.EXE +s +h
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe
         command line: attrib C:\Users\Admin\AppData\Local\Temp\717735~1.EXE +s +h
         - Sets file to hidden
         - Views/modifies file attributes

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md C:\ProgramData\Micros

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md C:\ProgramData\Micros

   2. C:\ProgramData\windows.exe
      command line: C:\ProgramData\windows.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\attrib.exe
            command line: attrib C:\PROGRA~3\windows.exe +s +h
            - Sets file to hidden
            - Drops file in Program Files directory
            - Views/modifies file attributes

      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c md C:\ProgramData\ru
Downloads
- C:\PROGRA~3\windows.exe
  Filesize: 420KB
  MD5: 3265ada4c9107a76c5399c6c5a6264c9
  SHA1: 600a2885904818ad7ac6ae81712ec785cfd27dce
  SHA256: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a
  SHA512: eae837c8be00968dcaf389eff1a4a1a6dc76a5a11344e8546cdc67e34b9b2ff5fe1b2c2c0650bcf769324bb9b41edf3519778b6e24f6943dc04702a210dd1ec0
- C:\ProgramData\Micros\1.txt
  Filesize: 76KB
  MD5: a0174e9945895fa8ace11f6bb4a64298
  SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
  SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
  SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
- C:\ProgramData\Micros\2.txt
  Filesize: 44KB
  MD5: 96d097045736a2a1526d63c2d83a6b22
  SHA1: dde933d7fcc22e41f981d043a3aa835e3b19f86e
  SHA256: abbd451b402243bf00ad76f253d2b1c3f80d1d6f6c7f5b2f0d5e3fdd7f9c06e5
  SHA512: e6ef5a7f25af760fef212b46b1796b8b386575e258a8b02a4c74510bb600e7fac3d344cceae14ef4b72a2520022e7cc611b34a56f737892ed4970ed1150945bd
- C:\ProgramData\SHELL.TXT
  Filesize: 1.2MB
  MD5: 399dbed89b6eb31237ab085dbc18728a
  SHA1: 2ec1384fcbeef7122fc3ef97cb6a18ead214f7b8
  SHA256: 9d1d6b9d33f33fb777706e4a48fe3efec12f32a0b19d16db45995451d71ed44a
  SHA512: 4b4f7fd02754209b7527a7f1e68d87e072485e1bf12324850917afb384e59dc783170a0b11ec39acad2fea6753492ab07d8f610199074c1808a5bb3c7f42a1c4
- C:\ProgramData\SHELL.ini
  Filesize: 92B
  MD5: f1c9d622e621cdbdb0c6f2e3a22e0f2b
  SHA1: 3e0c97a7ab4965c7def4bc64efee5ecf62f0bec0
  SHA256: c19f380144fb4d440735d4089d2a485f3eb70a55f404e5752eea94551cb0ee71
  SHA512: baaf1840c8f0f72cc7541aa45db4e34ddb108e146bceeaf6045adfbd13d2a065e95f49e17c7ed57b873c65442f11cbaf068fca19559815e8c46e51cb5edbc1f2
- C:\ProgramData\windows.exe
  Filesize: 420KB
  MD5: 3265ada4c9107a76c5399c6c5a6264c9
  SHA1: 600a2885904818ad7ac6ae81712ec785cfd27dce
  SHA256: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a
  SHA512: eae837c8be00968dcaf389eff1a4a1a6dc76a5a11344e8546cdc67e34b9b2ff5fe1b2c2c0650bcf769324bb9b41edf3519778b6e24f6943dc04702a210dd1ec0
- \ProgramData\windows.exe
  Filesize: 420KB
  MD5: 3265ada4c9107a76c5399c6c5a6264c9
  SHA1: 600a2885904818ad7ac6ae81712ec785cfd27dce
  SHA256: 717735cf8936daeecd12f694691829fb0490450784e20bed99fc09c3814a957a
  SHA512: eae837c8be00968dcaf389eff1a4a1a6dc76a5a11344e8546cdc67e34b9b2ff5fe1b2c2c0650bcf769324bb9b41edf3519778b6e24f6943dc04702a210dd1ec0