Analysis
  max time kernel: 19s
  max time network: 63s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 06-12-2022 08:55
Static task: static1
Behavioral task: behavioral1
  Sample: 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
  Resource: win7-20221111-en
General
  Target: 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
  Size: 5.9MB
  MD5: 32b5d810d53f87579985106a8e51d3ee
  SHA1: adb3818622e47920d56f97bf01c34d616c0da989
  SHA256: 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa
  SHA512: 61fd5e3d08bb1189451ac8530cc31db174a1cf019660e6f9a52d25dd626898c0216d612b7d914313fcd0da0feb791f3db8e4ecadd1e55ada821e0a82e024da11
  SSDEEP: 98304:I4uTo0ZeXgtCs0ItubSsLUYl5ahDynBhSpeRdJWBRcRE4q0Y:I4em0tuWBy02nqeVWXcs
Malware Config
Signatures
-
Processes:
  resource | yara_rule
  behavioral2/memory/3896-154-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
  behavioral2/memory/3488-162-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
  behavioral2/memory/3708-171-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3896-154-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
  behavioral2/memory/3488-162-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
  behavioral2/memory/3708-171-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\QAssist.sys | Sklme.exe
Executes dropped EXE 5 IoCs
Processes:
  pid | process
  4092 | ¼Ó1.exe
  4688 | HMCL-3.3.180.exe
  3896 | 23666.exe
  3488 | Sklme.exe
  3708 | Sklme.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Sklme.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | ¼Ó1.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\L: | Sklme.exe
  File opened (read-only) | \??\O: | Sklme.exe
  File opened (read-only) | \??\F: | Sklme.exe
  File opened (read-only) | \??\H: | Sklme.exe
  File opened (read-only) | \??\K: | Sklme.exe
  File opened (read-only) | \??\M: | Sklme.exe
  File opened (read-only) | \??\P: | Sklme.exe
  File opened (read-only) | \??\Q: | Sklme.exe
  File opened (read-only) | \??\R: | Sklme.exe
  File opened (read-only) | \??\X: | Sklme.exe
  File opened (read-only) | \??\I: | Sklme.exe
  File opened (read-only) | \??\J: | Sklme.exe
  File opened (read-only) | \??\V: | Sklme.exe
  File opened (read-only) | \??\W: | Sklme.exe
  File opened (read-only) | \??\Y: | Sklme.exe
  File opened (read-only) | \??\G: | Sklme.exe
  File opened (read-only) | \??\U: | Sklme.exe
  File opened (read-only) | \??\N: | Sklme.exe
  File opened (read-only) | \??\S: | Sklme.exe
  File opened (read-only) | \??\T: | Sklme.exe
  File opened (read-only) | \??\Z: | Sklme.exe
  File opened (read-only) | \??\B: | Sklme.exe
  File opened (read-only) | \??\E: | Sklme.exe
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\Sklme.exe | 23666.exe
  File opened for modification | C:\Windows\SysWOW64\Sklme.exe | 23666.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid | process
  4092 | ¼Ó1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Sklme.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Sklme.exe
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Sklme.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Sklme.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Sklme.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Sklme.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | Sklme.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  3708 | Sklme.exe (64 identical entries)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid | process
  3708 | Sklme.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 3896 | 23666.exe
  Token: SeLoadDriverPrivilege | 3708 | Sklme.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
  pid | process
  4928 | 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
  4928 | 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
  4092 | ¼Ó1.exe
  4092 | ¼Ó1.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description | pid | process | target process
  PID 4928 wrote to memory of 4092 | 4928 | 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe | ¼Ó1.exe (3 entries)
  PID 4928 wrote to memory of 4688 | 4928 | 6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe | HMCL-3.3.180.exe (3 entries)
  PID 4688 wrote to memory of 1748 | 4688 | HMCL-3.3.180.exe | javaw.exe (2 entries)
  PID 4092 wrote to memory of 3896 | 4092 | ¼Ó1.exe | 23666.exe (3 entries)
  PID 3896 wrote to memory of 2504 | 3896 | 23666.exe | cmd.exe (3 entries)
  PID 3488 wrote to memory of 3708 | 3488 | Sklme.exe | Sklme.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\6421213667f578589550be5d821ff9d67ab6bd851688fa9f8d01f9326640defa.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\¼Ó1.exe
        Command line: "C:\Users\Admin\AppData\Roaming\¼Ó1.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\23666.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\23666.exe"
          - Executes dropped EXE
          - Drops file in System32 directory
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\23666.exe > nul
        - [5] C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 2 127.0.0.1
              - Runs ping.exe
  - [2] C:\Users\Admin\AppData\Roaming\HMCL-3.3.180.exe
        Command line: "C:\Users\Admin\AppData\Roaming\HMCL-3.3.180.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
          Command line: "C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=15 -jar "C:\Users\Admin\AppData\Roaming\HMCL-3.3.180.exe"
- [1] C:\Windows\SysWOW64\Sklme.exe
      Command line: C:\Windows\SysWOW64\Sklme.exe -auto
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\Sklme.exe
        Command line: C:\Windows\SysWOW64\Sklme.exe -acsi
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Sets service image path in registry
        - Enumerates connected drives
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\23666.exe
  Filesize: 1.3MB
  MD5: d06934e3b2d93ac67c39adef69f7a094
  SHA1: 3c55137848a51e20cbe7f04ec3045c0d3656b7d5
  SHA256: c437aa78f3ff9baeb3ad981ab1f60a80e22a078fb1f4ccf7725b02fb40604fde
  SHA512: b9219f772bdfa6378ba2bd724751f8a098fe2d3b2ec5d540c0d89f9be9bc1bba8aa001c379128b695def31267dc5ca04fbcbf30afcf259d101ca3a3fc9d5ac4b
- C:\Users\Admin\AppData\Roaming\HMCL-3.3.180.exe
  Filesize: 2.9MB
  MD5: c368b71f5c632902d9db5d224529c6d1
  SHA1: dad7ae3128253abbc917131c96e158ad1aba2b11
  SHA256: 33b81559da1c88239668499400638b6547a451eed2e45ad8cc6c60ef8fcd96ff
  SHA512: 910036c736ce984970a664801971a341f61410c135432827f40c8e560da58e6232d0a5e046f2a58753becb37f4ccf60333ad1b6bcfd4e7a398a557b928a7cec8
- C:\Users\Admin\AppData\Roaming\¼Ó1.exe
  Filesize: 2.2MB
  MD5: 13008aa40eff08862d2a38db9601acb7
  SHA1: 9f8d24925b2d78df0f16f26a71372c425e058330
  SHA256: 395b6284ebb2fc43165a0f8c0fb3de015bcdf95dace9dbe12394024fdc404c17
  SHA512: 5b551a5270a8cb8e9dae312e284f3c3b4a6763e8f9c2fdedbdb2f5e7b952d8fc0f6ae9169228d13f4bced97c749ba026c443096fecd00f0c7be4f2d6ffe92a25
- C:\Windows\SysWOW64\Sklme.exe
  Filesize: 1.3MB
  MD5: d06934e3b2d93ac67c39adef69f7a094
  SHA1: 3c55137848a51e20cbe7f04ec3045c0d3656b7d5
  SHA256: c437aa78f3ff9baeb3ad981ab1f60a80e22a078fb1f4ccf7725b02fb40604fde
  SHA512: b9219f772bdfa6378ba2bd724751f8a098fe2d3b2ec5d540c0d89f9be9bc1bba8aa001c379128b695def31267dc5ca04fbcbf30afcf259d101ca3a3fc9d5ac4b
- memory/1748-144-0x0000000002E90000-0x0000000003E90000-memory.dmp
  Filesize: 16.0MB
- memory/1748-215-0x0000000002E90000-0x0000000003E90000-memory.dmp
  Filesize: 16.0MB
- memory/1748-211-0x0000000002E90000-0x0000000003E90000-memory.dmp
  Filesize: 16.0MB
- memory/1748-202-0x0000000002E90000-0x0000000003E90000-memory.dmp
  Filesize: 16.0MB
- memory/1748-138-0x0000000000000000-mapping.dmp
- memory/1748-197-0x0000000002E90000-0x0000000003E90000-memory.dmp
  Filesize: 16.0MB
- memory/2340-199-0x0000000000000000-mapping.dmp
- memory/2504-168-0x0000000000000000-mapping.dmp
- memory/3488-162-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/3708-169-0x0000000000000000-mapping.dmp
- memory/3708-171-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/3896-150-0x0000000000000000-mapping.dmp
- memory/3896-154-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/4092-132-0x0000000000000000-mapping.dmp
- memory/4092-141-0x0000000000400000-0x00000000005BC000-memory.dmp
  Filesize: 1.7MB
- memory/4092-153-0x0000000000400000-0x00000000005BC000-memory.dmp
  Filesize: 1.7MB
- memory/4688-135-0x0000000000000000-mapping.dmp