Analysis
- max time kernel: 152s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2022 19:57
Static task: static1
Behavioral task: behavioral1
- Sample: e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe
- Resource: win7-20221111-en
Note: the signature, process and memory-dump entries below are labelled behavioral2 (the win10v2004-20220901-en run); the behavioral1 task on win7-20221111-en listed here has no entries on this page.
General
- Target: e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe
- Size: 1.5MB
- MD5: de6e54980d24a1bb736104e73f477244
- SHA1: 0024bed717c493f30a3d9901a71e049c4c89e0b3
- SHA256: e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
- SHA512: ecb5f424834527cb66cdee34811b66840e4f3e9846434950a2de0273cc96cb61dd414ced6970ecd81c04c24fb160a57c85af4cfe4d76c6ed5483b6a4f5333151
- SSDEEP: 49152:FxCIL3egIrU3Vu98kE98kICoqg3Or5Qm:FxCIL3eg+U3k98kE98k2J3Oy
Malware Config
Signatures
purplefox_rootkit (yara rule match in memory) 7 IoCs
Processes (resource, yara_rule):
behavioral2/memory/2068-132-0x0000000003080000-0x0000000003226000-memory.dmp  purplefox_rootkit
behavioral2/memory/2068-133-0x0000000002F40000-0x0000000003079000-memory.dmp  purplefox_rootkit
behavioral2/memory/2068-134-0x0000000003080000-0x0000000003226000-memory.dmp  purplefox_rootkit
behavioral2/memory/208-144-0x0000000002510000-0x00000000026B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2068-145-0x0000000003080000-0x0000000003226000-memory.dmp  purplefox_rootkit
behavioral2/memory/208-147-0x0000000002510000-0x00000000026B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/208-152-0x0000000002510000-0x00000000026B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 7 IoCs
Processes (resource, yara_rule):
behavioral2/memory/2068-132-0x0000000003080000-0x0000000003226000-memory.dmp  family_gh0strat
behavioral2/memory/2068-133-0x0000000002F40000-0x0000000003079000-memory.dmp  family_gh0strat
behavioral2/memory/2068-134-0x0000000003080000-0x0000000003226000-memory.dmp  family_gh0strat
behavioral2/memory/208-144-0x0000000002510000-0x00000000026B6000-memory.dmp  family_gh0strat
behavioral2/memory/2068-145-0x0000000003080000-0x0000000003226000-memory.dmp  family_gh0strat
behavioral2/memory/208-147-0x0000000002510000-0x00000000026B6000-memory.dmp  family_gh0strat
behavioral2/memory/208-152-0x0000000002510000-0x00000000026B6000-memory.dmp  family_gh0strat
The same seven unpacked regions (in the original sample, PID 2068, and in the dropped copy windows.exe, PID 208) match both rules.
Downloads MZ/PE file
Executes dropped EXE 1 IoCs
Processes (pid, process):
208  windows.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid, process):
2464  attrib.exe
4516  attrib.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes (description, ioc, process):
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe
Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  windows.exe
\REGISTRY\USER\<SID> is the logged-on user's hive, so this is HKCU\Control Panel\International\Geo\Nation; both the original sample and its dropped copy read it.
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window安全防护中心模块 = "C:\\ProgramData\\Micros\\svchost.exe"  windows.exe
The value name is GBK text ("Window" followed by 安全防护中心模块, "security protection centre module"); the report renders the GBK bytes as Latin-1 mojibake, Window°²È«·À»¤ÖÐÐÄÄ£¿é, so hunt for both forms. The value's target, C:\ProgramData\Micros\svchost.exe, is not among the files written during this run (only 1.txt and 2.txt land in C:\ProgramData\Micros), so the persistence entry as recorded points at a file that did not yet exist.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: windows.exe opened (read-only) the root of 23 volumes, in report order: \??\N: \??\P: \??\T: \??\E: \??\G: \??\L: \??\Q: \??\U: \??\X: \??\Y: \??\B: \??\H: \??\I: \??\M: \??\O: \??\R: \??\S: \??\V: \??\F: \??\J: \??\K: \??\W: \??\Z:
That is every drive letter except A:, C: and D:.
Drops file in Program Files directory 1 IoCs
Processes (description, ioc, process):
File opened for modification  C:\PROGRA~3\windows.exe  attrib.exe
C:\PROGRA~3 is the 8.3 short name of C:\ProgramData here (the same file appears as C:\ProgramData\windows.exe in the process tree and in Downloads), so this is the attrib +s +h on the dropped copy, not a write under Program Files.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Generic signature description: this page records no file encryption, only the read-only drive-root opens listed under Enumerates connected drives.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  windows.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  windows.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe  (10 entries)
208  windows.exe  (54 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description, pid, process):
Token: SeIncBasePriorityPrivilege  2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe
Token: SeIncBasePriorityPrivilege  208  windows.exe
Token: 33  208  windows.exe
Token: SeIncBasePriorityPrivilege  208  windows.exe
Token: 33  208  windows.exe
Token: SeIncBasePriorityPrivilege  208  windows.exe
"Token: 33" is a privilege given by its LUID; 33 is SeIncreaseWorkingSetPrivilege. Neither privilege enables anything beyond what the process already has; nothing on this page shows elevation.
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe
208  windows.exe
Suspicious use of WriteProcessMemory 24 IoCs
Processes (source pid, source process, target pid, target process); each pairing is recorded three times, giving the 24 entries:
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe  wrote to  2052  cmd.exe
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe  wrote to  3900  cmd.exe
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe  wrote to  3848  cmd.exe
2052  cmd.exe  wrote to  2464  attrib.exe
2068  e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe  wrote to  208  windows.exe
208  windows.exe  wrote to  1900  cmd.exe
1900  cmd.exe  wrote to  4516  attrib.exe
208  windows.exe  wrote to  1424  cmd.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes (pid, process):
2464  attrib.exe
4516  attrib.exe
Processes
PIDs are taken from the WriteProcessMemory entries above; the cmd.exe and attrib.exe children resolve to C:\Windows\SysWOW64 even though "system32" is requested, so the sample and its copy are 32-bit processes under WOW64.
C:\Users\Admin\AppData\Local\Temp\e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe (PID 2068)
  command line: "C:\Users\Admin\AppData\Local\Temp\e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 2052)
    command line: "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\E4F66C~1.EXE +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 2464)
      command line: attrib C:\Users\Admin\AppData\Local\Temp\E4F66C~1.EXE +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PIDs 3900 and 3848, one each; the page does not say which)
    command line: cmd /c md C:\ProgramData\Micros
  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c md C:\ProgramData\Micros
  C:\ProgramData\windows.exe (PID 208)
    command line: C:\ProgramData\windows.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1900)
      command line: "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe (PID 4516)
        command line: attrib C:\PROGRA~3\windows.exe +s +h
        - Sets file to hidden
        - Drops file in Program Files directory
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe (PID 1424)
      command line: cmd /c md C:\ProgramData\ru
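The behaviours above reduce to three host-telemetry rules: attrib setting +s +h on an executable in a user-writable directory, a HKLM Run value whose data points into a user-writable directory, and one process opening the root of many volumes in quick succession. The block below is an added example, not part of the sandbox output, that implements those rules over constructed Sysmon-style events modelled on this report's process tree and registry entries; the event schema, the benign "Foo" control entry and the ten-volume threshold are assumptions. It also shows how to turn the mojibake value name back into its GBK text, which matters when the same malware is hunted across tools that render the name differently.

```python
"""Detections for the behaviours in this report, run over constructed events.

Added example: the event dicts mimic Sysmon-style telemetry and are modelled
on the report's process tree and registry events; the schema, the benign
control entry and the drive-sweep threshold are assumptions, not page data.
"""
import re
from collections import defaultdict

# Constructed events (not real telemetry). The last entry is a benign control
# that points a Run value at Program Files and must not fire.
EVENTS = [
    {"type": "process", "pid": 2464, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib C:\Users\Admin\AppData\Local\Temp\E4F66C~1.EXE +s +h"},
    {"type": "process", "pid": 4516, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r"attrib C:\PROGRA~3\windows.exe +s +h"},
    {"type": "registry_set", "pid": 208, "image": r"C:\ProgramData\windows.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Window°²È«·À»¤ÖÐÐÄÄ£¿é",  # GBK bytes shown as Latin-1, as in the report
     "data": r"C:\ProgramData\Micros\svchost.exe"},
    *[{"type": "file_open", "pid": 208, "image": r"C:\ProgramData\windows.exe",
       "path": f"\\??\\{d}:"} for d in "NPTEGLQUXYBHIMORSVFJKWZ"],
    {"type": "registry_set", "pid": 999, "image": r"C:\Program Files\Foo\setup.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Foo", "data": r"C:\Program Files\Foo\foo.exe"},
]

# Directories an unprivileged user can write to; a Run value or a newly hidden
# executable under one of these is the signal, not attrib or Run by itself.
USER_WRITABLE = re.compile(
    r"^(?:C:\\ProgramData|C:\\PROGRA~3|C:\\Users\\[^\\]+\\AppData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.I)
# attrib setting both +s and +h, in either order
ATTRIB_SYS_HIDDEN = re.compile(r"^attrib\b(?=.*\s\+s\b)(?=.*\s\+h\b)", re.I)


def repair_gbk_mojibake(name):
    """Value names written by GBK-locale malware often reach analysts as
    Latin-1 mojibake; undo that when the bytes really are valid GBK."""
    try:
        return name.encode("latin-1").decode("gbk")
    except UnicodeError:
        return name


def attrib_target(cmdline):
    """First non-switch argument of an attrib command line."""
    for tok in cmdline.split()[1:]:
        if not tok.startswith(("+", "-", "/")):
            return tok
    return None


def check_event(ev):
    """Yield (rule, pid, detail) for every rule a single event matches."""
    if ev["type"] == "process" and ATTRIB_SYS_HIDDEN.match(ev["cmdline"]):
        target = attrib_target(ev["cmdline"])
        if target and USER_WRITABLE.match(target):
            yield ("attrib_hide_in_user_writable", ev["pid"], target)
    elif ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        if USER_WRITABLE.match(ev["data"]):
            name = repair_gbk_mojibake(ev["name"])
            yield ("run_key_to_user_writable", ev["pid"], f"{name} -> {ev['data']}")


def drive_sweeps(events, threshold=10):
    """PIDs that opened the root of at least `threshold` distinct volumes
    (the report shows windows.exe touching 23); the threshold is assumed."""
    roots = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_open":
            m = re.fullmatch(r"\\\?\?\\([A-Za-z]):", ev["path"])
            if m:
                roots[ev["pid"]].add(m.group(1).upper())
    return {pid: "".join(sorted(d)) for pid, d in roots.items() if len(d) >= threshold}


def run(events=EVENTS):
    """All hits from the per-event rules plus the cross-event drive sweep."""
    hits = [hit for ev in events for hit in check_event(ev)]
    for pid, drives in drive_sweeps(events).items():
        hits.append(("drive_root_sweep", pid, f"{len(drives)} volumes: {drives}"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in run():
        print(f"{rule:32} pid={pid:<5} {detail}")
```

On the constructed input this yields four hits: both attrib invocations, the Run value (with its name decoded to Window安全防护中心模块) and the 23-volume sweep by PID 208; the benign Program Files entry stays silent. The per-event rules key on the user-writable path rather than on attrib or the Run key, because both are common in legitimate installers; the sweep rule is stateful and has to be computed over the whole event stream.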
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Micros\1.txt
  Filesize: 76KB
  MD5: a0174e9945895fa8ace11f6bb4a64298
  SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
  SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
  SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
- C:\ProgramData\Micros\2.txt
  Filesize: 44KB
  MD5: 96d097045736a2a1526d63c2d83a6b22
  SHA1: dde933d7fcc22e41f981d043a3aa835e3b19f86e
  SHA256: abbd451b402243bf00ad76f253d2b1c3f80d1d6f6c7f5b2f0d5e3fdd7f9c06e5
  SHA512: e6ef5a7f25af760fef212b46b1796b8b386575e258a8b02a4c74510bb600e7fac3d344cceae14ef4b72a2520022e7cc611b34a56f737892ed4970ed1150945bd
- C:\ProgramData\SHELL.TXT
  Filesize: 1.2MB
  MD5: 3a609e0c8a5d9c5f8ca058f767fa20cf
  SHA1: 791ddf60a63150bffee4e7453679a78853ffcb7c
  SHA256: f6386b915a9a1344fd7d40850132bca0f54a8cfb43721021049e968c32536799
  SHA512: fbe66dd84b9bad885d843c662992aa3a9b3d25b14a3acfcdb13b04547836295c37b0f9cf4fb8b7c0537de9601992e1c4275e9e1a841a130f3efb2b1e7fb34f35
- C:\ProgramData\SHELL.ini
  Filesize: 49B
  MD5: 1079769c430170e45a0f245e54537d09
  SHA1: ead0cbc04cf944f3d588fa83ffd4505cbb6b8970
  SHA256: 29524392d7f67f4c06df97be0167bfe407812a34eb31872806c852fe720b11ad
  SHA512: 0a22c01800a3e2611d02c03f6e25c6b7afa361bb5f55272bd915628faa2a09f7833fc08f75d80575c01b7796156cd7cdefdd76c8d1ceb89a03f0f0e761cf661c
- C:\ProgramData\windows.exe (the report lists this file twice with identical hashes; they are also identical to the submitted sample's, so windows.exe is a straight copy of the sample rather than a distinct second stage)
  Filesize: 1.5MB
  MD5: de6e54980d24a1bb736104e73f477244
  SHA1: 0024bed717c493f30a3d9901a71e049c4c89e0b3
  SHA256: e4f66c7778f27297573d38308dc9c073168ed13e84ea5977c302f433af62a589
  SHA512: ecb5f424834527cb66cdee34811b66840e4f3e9846434950a2de0273cc96cb61dd414ced6970ecd81c04c24fb160a57c85af4cfe4d76c6ed5483b6a4f5333151
- memory/208-139-0x0000000000000000-mapping.dmp
- memory/208-144-0x0000000002510000-0x00000000026B6000-memory.dmp  Filesize: 1.6MB
- memory/208-147-0x0000000002510000-0x00000000026B6000-memory.dmp  Filesize: 1.6MB
- memory/208-152-0x0000000002510000-0x00000000026B6000-memory.dmp  Filesize: 1.6MB
- memory/1424-149-0x0000000000000000-mapping.dmp
- memory/1900-146-0x0000000000000000-mapping.dmp
- memory/2052-135-0x0000000000000000-mapping.dmp
- memory/2068-132-0x0000000003080000-0x0000000003226000-memory.dmp  Filesize: 1.6MB
- memory/2068-133-0x0000000002F40000-0x0000000003079000-memory.dmp  Filesize: 1.2MB
- memory/2068-134-0x0000000003080000-0x0000000003226000-memory.dmp  Filesize: 1.6MB
- memory/2068-145-0x0000000003080000-0x0000000003226000-memory.dmp  Filesize: 1.6MB
- memory/2464-138-0x0000000000000000-mapping.dmp
- memory/3848-137-0x0000000000000000-mapping.dmp
- memory/3900-136-0x0000000000000000-mapping.dmp
- memory/4516-148-0x0000000000000000-mapping.dmp