Analysis
-
max time kernel
179s
-
max time network
186s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
07-11-2022 17:32
Static task
static1
Behavioral task
behavioral1
Sample
785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe
Resource
win7-20220901-en
Note: the task list as extracted ends at behavioral1 (win7-20220901-en), but every signature hit and memory dump below is tagged behavioral2 and the header gives platform windows10-2004_x64 / resource win10v2004-20220812-en, so the behavioral results on this page come from the Windows 10 run, not the Windows 7 task listed here.
General
-
Target
785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe
-
Size
720KB
-
MD5
1503f941f4342798b87e4cca4a32c41b
-
SHA1
997d4799a979b008d546987eb03fea32e921f7de
-
SHA256
785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86
-
SHA512
af07c073534c4a2bce5f8183b2f98013d25c7c01fa653d6dc0e7b8787cd3915df9c097f2583cea78f7655533f33d5e28e5ee65535b11cc40a4201c6e3fc6f0eb
-
SSDEEP
6144:IFyGTrwC+pSxlKuIxYQPkMhNjufnlGqo2Hu8vFqR8FB3jey9uDyVuMgLB6M/cRxu:IrEdjQnlGqo/EER4ZeUuyuFkM/ci
Malware Config
Signatures
-
Yara rule purplefox_rootkit matched 6 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4656-132-0x0000000002FB0000-0x0000000003156000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4656-137-0x0000000002E70000-0x0000000002FA9000-memory.dmp  purplefox_rootkit
  behavioral2/memory/4656-138-0x0000000002FB0000-0x0000000003156000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3776-144-0x00000000023D0000-0x0000000002576000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3776-147-0x00000000023D0000-0x0000000002576000-memory.dmp  purplefox_rootkit
  behavioral2/memory/3776-151-0x00000000023D0000-0x0000000002576000-memory.dmp  purplefox_rootkit
-
Gh0st RAT payload 6 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/4656-132-0x0000000002FB0000-0x0000000003156000-memory.dmp  family_gh0strat
  behavioral2/memory/4656-137-0x0000000002E70000-0x0000000002FA9000-memory.dmp  family_gh0strat
  behavioral2/memory/4656-138-0x0000000002FB0000-0x0000000003156000-memory.dmp  family_gh0strat
  behavioral2/memory/3776-144-0x00000000023D0000-0x0000000002576000-memory.dmp  family_gh0strat
  behavioral2/memory/3776-147-0x00000000023D0000-0x0000000002576000-memory.dmp  family_gh0strat
  behavioral2/memory/3776-151-0x00000000023D0000-0x0000000002576000-memory.dmp  family_gh0strat
These are the same six dumps that match purplefox_rootkit: two regions in the dropper (PID 4656: 0x02FB0000-0x03156000, 1.6MB, dumped twice, and 0x02E70000-0x02FA9000, 1.2MB) and one region of the same 1.6MB size in the dropped copy (PID 3776: 0x023D0000-0x02576000, dumped three times). Both rules fire only on memory, not on any dropped file listed on this page.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3776  windows.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid   process
  4832  attrib.exe
  4288  attrib.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  windows.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window°²È«·À»¤ÖÐÐÄÄ£¿é = "C:\\ProgramData\\Micros\\svchost.exe"  windows.exe
The value name is ANSI text written on an en-US (code page 1252) system, which is why it renders as mojibake; the same bytes read as GBK (code page 936) are Window安全防护中心模块 ("security protection center module"), the name the value would carry on a Chinese-locale host. Hunt for both spellings. The key is under HKLM, so writing it needs administrative rights. The autostart target C:\ProgramData\Micros\svchost.exe does not appear in the dropped-file list for this run (only 1.txt and 2.txt were written to C:\ProgramData\Micros), so the persisted binary is either fetched later or never materialised in the sandbox.
-
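The value name above is GBK text that the report shows as Latin-1 mojibake. The following is an added example, not code from the report or the sandbox: it undoes that mis-decode and flags Run-key values whose target lives in a user-writable directory. The event records are constructed to mirror the report's "Set value (str)" line (plus a benign control); they are not captured Sysmon output, and the `SUSPICIOUS_DIRS` list is this example's own choice.

```python
"""Decode the mojibake Run-key value name from the report and flag Run-key
persistence that points into ProgramData or a user profile.

Added example, not part of the sandbox report. The event records are
constructed to mirror the report's "Set value (str)" line; they are not
real Sysmon output.
"""
import re
from typing import List, Optional

# Copied from the report: GBK bytes rendered as Latin-1 on an en-US system.
MOJIBAKE_NAME = "Window°²È«·À»¤ÖÐÐÄÄ£¿é"

# HKLM and HKCU Run / RunOnce keys as the sandbox logs them.
RUN_KEY_RE = re.compile(
    r"\\REGISTRY\\(MACHINE|USER\\[^\\]+)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)
# Autostart targets outside Program Files / Windows are the ones worth a look
# (example's own list; C:\PROGRA~3 is the 8.3 short name seen in the report).
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\progra~3\\")

# Constructed records in the shape of a Sysmon Event ID 13 (value set).
CONSTRUCTED_EVENTS = [
    {"process": "windows.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window°²È«·À»¤ÖÐÐÄÄ£¿é",
     "value": r"C:\ProgramData\Micros\svchost.exe"},
    {"process": "explorer.exe",   # benign control, made up for the example
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]


def decode_gbk_mojibake(text: str) -> str:
    """Undo a GBK-bytes-shown-as-Latin-1 mis-decode. Plain ASCII survives
    unchanged; anything that is not valid Latin-1 or GBK is returned as is."""
    try:
        return text.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return text


def flag_run_key(event: dict) -> Optional[dict]:
    """Return a hit record for a Run-key value pointing into SUSPICIOUS_DIRS."""
    m = RUN_KEY_RE.search(event["target"])
    if not m:
        return None
    # The report escapes backslashes in the data; normalise that and quotes.
    value_path = event["value"].strip('"').replace("\\\\", "\\").lower()
    if not value_path.startswith(SUSPICIOUS_DIRS):
        return None
    return {
        "process": event["process"],
        "name_raw": m.group("name"),
        "name_decoded": decode_gbk_mojibake(m.group("name")),
        "target": value_path,
    }


def scan(events: List[dict]) -> List[dict]:
    return [hit for hit in map(flag_run_key, events) if hit]


if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_EVENTS):
        print(hit)
```

Both `name_raw` and `name_decoded` are kept on purpose: on the en-US host the registry really holds the mojibake string, so a rule that only looks for the Chinese spelling misses this infection.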
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc (in report order)                                                                                                          process
  File opened (read-only)  \??\H:, \??\N:, \??\V:, \??\Y:, \??\B:, \??\G:, \??\L:, \??\Q:, \??\W:, \??\X:, \??\J:, \??\P:, \??\R:, \??\U:, \??\Z:, \??\T:, \??\E:, \??\F:, \??\I:, \??\K:, \??\M:, \??\O:, \??\S:  windows.exe
That is B: and E: through Z: (23 letters); A:, C: and D: are not opened.
-
Drops file in Program Files directory 1 IoCs
Processes:
  description                   ioc                      process
  File opened for modification  C:\PROGRA~3\windows.exe  attrib.exe
C:\PROGRA~3 is the 8.3 short name of C:\ProgramData here (the same file appears as C:\ProgramData\windows.exe in the process tree and in the dropped-file list), so this is the dropped copy having its attributes changed, not a write into Program Files.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; in this run the evidence is the drive-letter sweep by windows.exe listed above, which a RAT performs to inventory the host, and the only family signatures on the page are Gh0st RAT and PurpleFox.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       windows.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  windows.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                                                               entries
  4656  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe  10
  3776  windows.exe                                                           54
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  4656  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe
  Token: SeIncBasePriorityPrivilege  3776  windows.exe
  Token: 33                          3776  windows.exe
  Token: SeIncBasePriorityPrivilege  3776  windows.exe
  Token: 33                          3776  windows.exe
  Token: SeIncBasePriorityPrivilege  3776  windows.exe
"Token: 33" is a privilege given by LUID rather than by name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h. Neither privilege elevates the process; SeIncBasePriorityPrivilege only lets it raise its own scheduling priority.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  4656  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe
  3776  windows.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
  description                           process                                                               target process  entries
  PID 4656 wrote to memory of PID 764   785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe  cmd.exe         3
  PID 4656 wrote to memory of PID 392   785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe  cmd.exe         3
  PID 4656 wrote to memory of PID 4972  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe  cmd.exe         3
  PID 764 wrote to memory of PID 4832   cmd.exe                                                               attrib.exe      3
  PID 4656 wrote to memory of PID 3776  785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe  windows.exe     3
  PID 3776 wrote to memory of PID 2316  windows.exe                                                           cmd.exe         3
  PID 2316 wrote to memory of PID 4288  cmd.exe                                                               attrib.exe      3
  PID 3776 wrote to memory of PID 4316  windows.exe                                                           cmd.exe         3
All eight targets are the writer's own direct children in the process tree, which is consistent with process creation rather than injection into an existing process.
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
  pid   process
  4288  attrib.exe
  4832  attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe (PID 4656)
  command line: "C:\Users\Admin\AppData\Local\Temp\785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 764)
    command line: "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\785A96~1.EXE +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 4832)
      command line: attrib C:\Users\Admin\AppData\Local\Temp\785A96~1.EXE +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 392)
    command line: cmd /c md C:\ProgramData\Micros
  C:\Windows\SysWOW64\cmd.exe (PID 4972)
    command line: cmd /c md C:\ProgramData\Micros
  C:\ProgramData\windows.exe (PID 3776)
    command line: C:\ProgramData\windows.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2316)
      command line: "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe (PID 4288)
        command line: attrib C:\PROGRA~3\windows.exe +s +h
        - Sets file to hidden
        - Drops file in Program Files directory
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe (PID 4316)
      command line: cmd /c md C:\ProgramData\ru
PIDs are taken from the signature tables above; the two "md C:\ProgramData\Micros" instances are PIDs 392 and 4972, and the report does not fix which is which. Image paths are under SysWOW64 while the command lines say system32: the sample is 32-bit (arch:x86 tag) and runs under WOW64, whose file-system redirector maps system32 to SysWOW64 for 32-bit processes. The same routine runs at both levels of the tree: the binary hides its own image with attrib +s +h (using 8.3 short names, 785A96~1.EXE and PROGRA~3, so string matches on the long paths miss it), creates C:\ProgramData\Micros, and the dropper then launches its ProgramData copy, which repeats the steps and also creates C:\ProgramData\ru.
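The tree above shows the same self-hiding routine twice, once from the dropper and once from its ProgramData copy, each time through cmd.exe /c with an 8.3 short name for the target. The following is an added example, not code from the report or the sandbox, that detects that pattern in process-creation records: it walks back through the cmd.exe wrapper to the process that started the chain and checks, short names included, whether the hidden path is that process's own image. The records are constructed from the tree and PID tables on this page; the parent of PID 4656 and the benign control record are made up, and the short-name rule is a heuristic rather than a filesystem lookup.

```python
"""Detect the self-hiding chain the report shows at both levels of its tree:
<binary> -> cmd.exe /c attrib <binary's own image> +s +h -> attrib.exe.

Added example; not code from the report or the sandbox. The process records
are constructed from the report's process tree and PID tables (the parent PID
of 4656 and the benign control record are made up).
"""
import re
from typing import List, Optional, Set, Tuple

SAMPLE = "785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"

# Constructed Sysmon-Event-ID-1-style records mirroring the report's tree.
EVENTS = [
    {"pid": 4656, "ppid": 1, "image": f"{TEMP}\\{SAMPLE}", "cmdline": f'"{TEMP}\\{SAMPLE}"'},
    {"pid": 764, "ppid": 4656, "image": CMD,
     "cmdline": rf'"C:\Windows\system32\cmd.exe" /c attrib {TEMP}\785A96~1.EXE +s +h'},
    {"pid": 4832, "ppid": 764, "image": ATTRIB, "cmdline": rf"attrib {TEMP}\785A96~1.EXE +s +h"},
    {"pid": 392, "ppid": 4656, "image": CMD, "cmdline": r"cmd /c md C:\ProgramData\Micros"},
    {"pid": 4972, "ppid": 4656, "image": CMD, "cmdline": r"cmd /c md C:\ProgramData\Micros"},
    {"pid": 3776, "ppid": 4656, "image": r"C:\ProgramData\windows.exe",
     "cmdline": r"C:\ProgramData\windows.exe"},
    {"pid": 2316, "ppid": 3776, "image": CMD,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h'},
    {"pid": 4288, "ppid": 2316, "image": ATTRIB, "cmdline": r"attrib C:\PROGRA~3\windows.exe +s +h"},
    {"pid": 4316, "ppid": 3776, "image": CMD, "cmdline": r"cmd /c md C:\ProgramData\ru"},
    # Benign control (made up): read-only flag on a document, not +s +h.
    {"pid": 5000, "ppid": 1, "image": ATTRIB,
     "cmdline": r'attrib +r "C:\Users\Admin\Documents\notes.txt"'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')                   # keeps quoted paths with spaces whole
SHORT_RE = re.compile(r"^([^~.]{1,6})~\d+(\.[^.]*)?$")  # 8.3 short name: STEM~N[.EXT]
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|progra~\d+)\\", re.IGNORECASE)


def parse_attrib(cmdline: str) -> Optional[Tuple[Set[str], List[str]]]:
    """Split an attrib command line into its +/- flags and its target paths."""
    toks = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("attrib", "attrib.exe"):
        return None
    flags = {t.lower() for t in toks[1:] if len(t) == 2 and t[0] in "+-"}
    paths = [t for t in toks[1:] if t and t[0] not in "+-/"]
    return flags, paths


def name_matches(observed: str, actual: str) -> bool:
    """Case-insensitive path-component match that tolerates 8.3 short names
    (PROGRA~3 vs ProgramData, 785A96~1.EXE vs 785a96f2...f86.exe). Heuristic:
    Windows builds the short stem from the first six usable characters of the
    long name, so the stem before '~' must prefix it. No filesystem lookup."""
    o, a = observed.upper(), actual.upper()
    if o == a:
        return True
    m = SHORT_RE.match(o)
    if not m:
        return False
    stem, short_ext = m.group(1), m.group(2) or ""
    if "." in a:
        a_name, a_ext = a.rsplit(".", 1)
        a_ext = "." + a_ext[:3]
    else:
        a_name, a_ext = a, ""
    return a_name.replace(" ", "").replace(".", "").startswith(stem) and a_ext == short_ext


def path_matches(observed: str, actual: str) -> bool:
    o, a = observed.split("\\"), actual.split("\\")
    return len(o) == len(a) and all(name_matches(x, y) for x, y in zip(o, a))


def find_self_hiding(events: List[dict]) -> List[dict]:
    """Return every attrib.exe that sets +s +h on a path in a user-writable
    directory, together with the non-cmd.exe ancestor that started the chain
    and whether the hidden path is that ancestor's own image."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\attrib.exe"):
            continue
        parsed = parse_attrib(e["cmdline"])
        if parsed is None or not {"+h", "+s"} <= parsed[0]:
            continue
        origin = by_pid.get(e["ppid"])                  # step over the cmd.exe /c wrapper(s)
        while origin and origin["image"].lower().endswith("\\cmd.exe"):
            origin = by_pid.get(origin["ppid"])
        for path in parsed[1]:
            if USER_WRITABLE.match(path):
                hits.append({"attrib_pid": e["pid"], "target": path,
                             "origin_pid": origin["pid"] if origin else None,
                             "hides_own_image": bool(origin and path_matches(path, origin["image"]))})
    return hits


if __name__ == "__main__":
    for h in find_self_hiding(EVENTS):
        print(h)
```

On a real host the short-name heuristic can be replaced by resolving the path with GetLongPathNameW, but that only works while the file still exists; the prefix rule keeps working on logs collected after cleanup.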
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Micros\1.txt
Filesize 76KB
MD5 a0174e9945895fa8ace11f6bb4a64298
SHA1 527c4ebc005deb88f29edd83a23ac977735d76c4
SHA256 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
SHA512 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
-
C:\ProgramData\Micros\2.txt
Filesize 44KB
MD5 96d097045736a2a1526d63c2d83a6b22
SHA1 dde933d7fcc22e41f981d043a3aa835e3b19f86e
SHA256 abbd451b402243bf00ad76f253d2b1c3f80d1d6f6c7f5b2f0d5e3fdd7f9c06e5
SHA512 e6ef5a7f25af760fef212b46b1796b8b386575e258a8b02a4c74510bb600e7fac3d344cceae14ef4b72a2520022e7cc611b34a56f737892ed4970ed1150945bd
-
C:\ProgramData\SHELL.TXT
Filesize 1.2MB
MD5 399dbed89b6eb31237ab085dbc18728a
SHA1 2ec1384fcbeef7122fc3ef97cb6a18ead214f7b8
SHA256 9d1d6b9d33f33fb777706e4a48fe3efec12f32a0b19d16db45995451d71ed44a
SHA512 4b4f7fd02754209b7527a7f1e68d87e072485e1bf12324850917afb384e59dc783170a0b11ec39acad2fea6753492ab07d8f610199074c1808a5bb3c7f42a1c4
-
C:\ProgramData\SHELL.ini
Filesize 92B
MD5 f1c9d622e621cdbdb0c6f2e3a22e0f2b
SHA1 3e0c97a7ab4965c7def4bc64efee5ecf62f0bec0
SHA256 c19f380144fb4d440735d4089d2a485f3eb70a55f404e5752eea94551cb0ee71
SHA512 baaf1840c8f0f72cc7541aa45db4e34ddb108e146bceeaf6045adfbd13d2a065e95f49e17c7ed57b873c65442f11cbaf068fca19559815e8c46e51cb5edbc1f2
-
C:\ProgramData\windows.exe (the report lists this file twice, with identical hashes)
Filesize 720KB
MD5 1503f941f4342798b87e4cca4a32c41b
SHA1 997d4799a979b008d546987eb03fea32e921f7de
SHA256 785a96f2f975b6126b7951124a80961b53f513f2536ceea5d547a7926f951f86
SHA512 af07c073534c4a2bce5f8183b2f98013d25c7c01fa653d6dc0e7b8787cd3915df9c097f2583cea78f7655533f33d5e28e5ee65535b11cc40a4201c6e3fc6f0eb
These hashes are identical to the submitted sample's, so windows.exe is a byte-for-byte copy of the dropper rather than a second-stage payload; the Gh0st/PurpleFox code that the yara rules matched was seen only in memory, and none of the files above carries a yara hit on this page.
-
memory/392-134-0x0000000000000000-mapping.dmp
-
memory/764-133-0x0000000000000000-mapping.dmp
-
memory/2316-145-0x0000000000000000-mapping.dmp
-
memory/3776-147-0x00000000023D0000-0x0000000002576000-memory.dmp
Filesize 1.6MB
-
memory/3776-139-0x0000000000000000-mapping.dmp
-
memory/3776-144-0x00000000023D0000-0x0000000002576000-memory.dmp
Filesize 1.6MB
-
memory/3776-151-0x00000000023D0000-0x0000000002576000-memory.dmp
Filesize 1.6MB
-
memory/4288-146-0x0000000000000000-mapping.dmp
-
memory/4316-148-0x0000000000000000-mapping.dmp
-
memory/4656-138-0x0000000002FB0000-0x0000000003156000-memory.dmp
Filesize 1.6MB
-
memory/4656-137-0x0000000002E70000-0x0000000002FA9000-memory.dmp
Filesize 1.2MB
-
memory/4656-132-0x0000000002FB0000-0x0000000003156000-memory.dmp
Filesize 1.6MB
-
memory/4832-136-0x0000000000000000-mapping.dmp
-
memory/4972-135-0x0000000000000000-mapping.dmp
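The yara hits in the Signatures section and the dump list above both name memory regions by PID, sequence number and address range. The following is an added example, not code from the report or the sandbox, that parses those names, pairs up regions of equal size across the dropper and its copy (the first thing to diff when looking for an unpacked payload carried across a self-copy), and lists which rules hit which dump. The dump names are copied from this page; nothing else on the page is read, so it runs offline.

```python
"""Parse the memory-dump resource names from the report and find the payload
region that the dropper (PID 4656) and its ProgramData copy (PID 3776) share.

Added example; not code from the sandbox or the report. Only the dump names
are used (copied from the Signatures section); no dump contents are read.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PF = "purplefox_rootkit"
GH = "family_gh0strat"
# (resource, yara rule) pairs copied from the report's Signatures section.
YARA_HITS = [
    ("behavioral2/memory/4656-132-0x0000000002FB0000-0x0000000003156000-memory.dmp", PF),
    ("behavioral2/memory/4656-137-0x0000000002E70000-0x0000000002FA9000-memory.dmp", PF),
    ("behavioral2/memory/4656-138-0x0000000002FB0000-0x0000000003156000-memory.dmp", PF),
    ("behavioral2/memory/3776-144-0x00000000023D0000-0x0000000002576000-memory.dmp", PF),
    ("behavioral2/memory/3776-147-0x00000000023D0000-0x0000000002576000-memory.dmp", PF),
    ("behavioral2/memory/3776-151-0x00000000023D0000-0x0000000002576000-memory.dmp", PF),
    ("behavioral2/memory/4656-132-0x0000000002FB0000-0x0000000003156000-memory.dmp", GH),
    ("behavioral2/memory/4656-137-0x0000000002E70000-0x0000000002FA9000-memory.dmp", GH),
    ("behavioral2/memory/4656-138-0x0000000002FB0000-0x0000000003156000-memory.dmp", GH),
    ("behavioral2/memory/3776-144-0x00000000023D0000-0x0000000002576000-memory.dmp", GH),
    ("behavioral2/memory/3776-147-0x00000000023D0000-0x0000000002576000-memory.dmp", GH),
    ("behavioral2/memory/3776-151-0x00000000023D0000-0x0000000002576000-memory.dmp", GH),
]


def parse_dump_name(name: str) -> Optional[dict]:
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> region record.
    Returns None for the *-mapping.dmp entries (process mappings, not regions)."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def rules_per_dump(hits: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Which yara rules fired on each dump resource."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for resource, rule in hits:
        out[resource].add(rule)
    return dict(out)


def shared_region_sizes(names: Iterable[str]) -> Dict[int, List[int]]:
    """Region sizes seen in more than one PID, with the PIDs that have them.
    The same region dumped several times (different seq) counts once."""
    seen: Set[Tuple[int, int, int]] = set()
    pids_by_size: Dict[int, Set[int]] = defaultdict(set)
    for name in names:
        r = parse_dump_name(name)
        if r is None or (r["pid"], r["start"], r["end"]) in seen:
            continue
        seen.add((r["pid"], r["start"], r["end"]))
        pids_by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in pids_by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for size, pids in shared_region_sizes(h for h, _ in YARA_HITS).items():
        print(f"0x{size:X} ({size / 2**20:.1f} MiB) present in PIDs {pids}")
    for res, rules in rules_per_dump(YARA_HITS).items():
        print(res.split("/")[-1], sorted(rules))
```

The 0x1A6000-byte region turns up at 0x02FB0000 in the dropper and at 0x023D0000 in the copy; with the dump files in hand, those two are the ones to hash and diff first, since an identical unpacked image at a different base is what a self-copying loader produces.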