Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2022 20:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
- Resource: win7-20220812-en
General
- Target: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
- Size: 460KB
- MD5: 3971006fbc82286597136e9104621b6f
- SHA1: e26a94ad7b28be42c5717846d07d08b3dfb8357e
- SHA256: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
- SHA512: 1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
- SSDEEP: 6144:QYrOnQRCjKoIlzTop+q1nkCHE9hGBnVHOZ5mLwRHG1dlV2wQL6tm/mdIp5b+:3X0KoIl3S+q+dGZonYwRHGzyLnp5i
Malware Config
Signatures
- Matched by YARA rule purplefox_rootkit (7 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1196-55-0x0000000003110000-0x00000000032B6000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1196-60-0x0000000002E60000-0x0000000003024000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1196-61-0x0000000003110000-0x00000000032B6000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1560-68-0x0000000002210000-0x00000000023B6000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1560-72-0x00000000020D0000-0x0000000002209000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1560-73-0x0000000002210000-0x00000000023B6000-memory.dmp  purplefox_rootkit
    behavioral1/memory/1560-77-0x0000000002210000-0x00000000023B6000-memory.dmp  purplefox_rootkit
- Gh0st RAT payload (6 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1196-55-0x0000000003110000-0x00000000032B6000-memory.dmp  family_gh0strat
    behavioral1/memory/1196-61-0x0000000003110000-0x00000000032B6000-memory.dmp  family_gh0strat
    behavioral1/memory/1560-68-0x0000000002210000-0x00000000023B6000-memory.dmp  family_gh0strat
    behavioral1/memory/1560-72-0x00000000020D0000-0x0000000002209000-memory.dmp  family_gh0strat
    behavioral1/memory/1560-73-0x0000000002210000-0x00000000023B6000-memory.dmp  family_gh0strat
    behavioral1/memory/1560-77-0x0000000002210000-0x00000000023B6000-memory.dmp  family_gh0strat
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1560  windows.exe
- Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes (pid / process):
    756   attrib.exe
    1696  attrib.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window安全防护中心模块 = "C:\\ProgramData\\Micros\\svchost.exe"  windows.exe
    (the value name is GBK text; the raw report renders it as Window°²È«·À»¤ÖÐÐÄÄ£¿é when the bytes are read as Latin-1)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description / ioc / process):
    File opened (read-only)  \??\B:  windows.exe
    File opened (read-only)  \??\E:  windows.exe
    File opened (read-only)  \??\F:  windows.exe
    File opened (read-only)  \??\G:  windows.exe
    File opened (read-only)  \??\H:  windows.exe
    File opened (read-only)  \??\I:  windows.exe
    File opened (read-only)  \??\J:  windows.exe
    File opened (read-only)  \??\K:  windows.exe
    File opened (read-only)  \??\L:  windows.exe
    File opened (read-only)  \??\M:  windows.exe
    File opened (read-only)  \??\N:  windows.exe
    File opened (read-only)  \??\O:  windows.exe
    File opened (read-only)  \??\P:  windows.exe
    File opened (read-only)  \??\Q:  windows.exe
    File opened (read-only)  \??\R:  windows.exe
    File opened (read-only)  \??\S:  windows.exe
    File opened (read-only)  \??\T:  windows.exe
    File opened (read-only)  \??\U:  windows.exe
    File opened (read-only)  \??\V:  windows.exe
    File opened (read-only)  \??\W:  windows.exe
    File opened (read-only)  \??\X:  windows.exe
    File opened (read-only)  \??\Y:  windows.exe
    File opened (read-only)  \??\Z:  windows.exe
- Drops file in Program Files directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification  C:\PROGRA~3\windows.exe  attrib.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       windows.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  windows.exe
- Suspicious behavior: EnumeratesProcesses (44 IoCs)
  Processes (pid / process):
    1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe  (5 occurrences)
    1560  windows.exe  (39 occurrences)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
    Token: SeIncBasePriorityPrivilege  1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
    Token: SeIncBasePriorityPrivilege  1560  windows.exe
    Token: 33                          1560  windows.exe
    Token: SeIncBasePriorityPrivilege  1560  windows.exe
    Token: 33                          1560  windows.exe
    Token: SeIncBasePriorityPrivilege  1560  windows.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
    1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
    1560  windows.exe
- Suspicious use of WriteProcessMemory (32 IoCs; each parent/target pair is recorded 4 times)
  Processes (description / pid / process / target process):
    PID 1196 wrote to memory of 1488  1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe  cmd.exe
    PID 1196 wrote to memory of 1296  1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe  cmd.exe
    PID 1196 wrote to memory of 572   1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe  cmd.exe
    PID 1488 wrote to memory of 756   1488  cmd.exe  attrib.exe
    PID 1196 wrote to memory of 1560  1196  3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe  windows.exe
    PID 1560 wrote to memory of 1540  1560  windows.exe  cmd.exe
    PID 1540 wrote to memory of 1696  1540  cmd.exe  attrib.exe
    PID 1560 wrote to memory of 1636  1560  windows.exe  cmd.exe
- Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes (pid / process):
    756   attrib.exe
    1696  attrib.exe
Processes (nesting shows the parent/child tree; the level number is the process depth)
- [1] C:\Users\Admin\AppData\Local\Temp\3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\3AF906~1.EXE +s +h
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\attrib.exe
          command line: attrib C:\Users\Admin\AppData\Local\Temp\3AF906~1.EXE +s +h
          - Sets file to hidden
          - Views/modifies file attributes
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md C:\ProgramData\Micros
  - [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md C:\ProgramData\Micros
  - [2] C:\ProgramData\windows.exe
        command line: C:\ProgramData\windows.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\attrib.exe
            command line: attrib C:\PROGRA~3\windows.exe +s +h
            - Sets file to hidden
            - Drops file in Program Files directory
            - Views/modifies file attributes
    - [3] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c md C:\ProgramData\ru
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\PROGRA~3\windows.exe
  Filesize: 460KB
  MD5: 3971006fbc82286597136e9104621b6f
  SHA1: e26a94ad7b28be42c5717846d07d08b3dfb8357e
  SHA256: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
  SHA512: 1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
- C:\ProgramData\Micros\1.txt
  Filesize: 76KB
  MD5: a0174e9945895fa8ace11f6bb4a64298
  SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
  SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
  SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
- C:\ProgramData\Micros\2.txt
  Filesize: 44KB
  MD5: 96d097045736a2a1526d63c2d83a6b22
  SHA1: dde933d7fcc22e41f981d043a3aa835e3b19f86e
  SHA256: abbd451b402243bf00ad76f253d2b1c3f80d1d6f6c7f5b2f0d5e3fdd7f9c06e5
  SHA512: e6ef5a7f25af760fef212b46b1796b8b386575e258a8b02a4c74510bb600e7fac3d344cceae14ef4b72a2520022e7cc611b34a56f737892ed4970ed1150945bd
- C:\ProgramData\SHELL.TXT
  Filesize: 1MB
  MD5: 3a609e0c8a5d9c5f8ca058f767fa20cf
  SHA1: 791ddf60a63150bffee4e7453679a78853ffcb7c
  SHA256: f6386b915a9a1344fd7d40850132bca0f54a8cfb43721021049e968c32536799
  SHA512: fbe66dd84b9bad885d843c662992aa3a9b3d25b14a3acfcdb13b04547836295c37b0f9cf4fb8b7c0537de9601992e1c4275e9e1a841a130f3efb2b1e7fb34f35
- C:\ProgramData\SHELL.ini
  Filesize: 49B
  MD5: 6f415b6df7f2f6858d0ca9f4de095ff5
  SHA1: b5abbe56cbbadb38cc645422b3df1b6c2935a8f9
  SHA256: fb5a2e50dde8d004759f71297ab1c83fb2d16cd516b04a069948d98bc2bc06c6
  SHA512: 59cb30200bf199802d97c808c283ce1d3870b8f1d23dac42e67e33576b10bbcbc92f1510698c65afea7a70cc6c8860f53ef5d77d99a8f226c7b63d0584ebdfcd
- C:\ProgramData\windows.exe
  Filesize: 460KB
  MD5: 3971006fbc82286597136e9104621b6f
  SHA1: e26a94ad7b28be42c5717846d07d08b3dfb8357e
  SHA256: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
  SHA512: 1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
- \ProgramData\windows.exe
  Filesize: 460KB
  MD5: 3971006fbc82286597136e9104621b6f
  SHA1: e26a94ad7b28be42c5717846d07d08b3dfb8357e
  SHA256: 3af9063baf12a4bba385387dae90de868e795346fde803ad771fa830f3244b41
  SHA512: 1a643106df2fc60be097d87d2a066c1d3e36241948679e5ad192585ede05a8ec60d073fc00d9b558d8cc506d95eae02b864dbe1a67678c7c30b4f4b773d0c68f
- memory/572-58-0x0000000000000000-mapping.dmp
- memory/756-59-0x0000000000000000-mapping.dmp
- memory/1196-60-0x0000000002E60000-0x0000000003024000-memory.dmp
  Filesize: 1MB
- memory/1196-55-0x0000000003110000-0x00000000032B6000-memory.dmp
  Filesize: 1MB
- memory/1196-61-0x0000000003110000-0x00000000032B6000-memory.dmp
  Filesize: 1MB
- memory/1196-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
  Filesize: 8KB
- memory/1296-57-0x0000000000000000-mapping.dmp
- memory/1488-56-0x0000000000000000-mapping.dmp
- memory/1540-69-0x0000000000000000-mapping.dmp
- memory/1560-68-0x0000000002210000-0x00000000023B6000-memory.dmp
  Filesize: 1MB
- memory/1560-77-0x0000000002210000-0x00000000023B6000-memory.dmp
  Filesize: 1MB
- memory/1560-72-0x00000000020D0000-0x0000000002209000-memory.dmp
  Filesize: 1MB
- memory/1560-73-0x0000000002210000-0x00000000023B6000-memory.dmp
  Filesize: 1MB
- memory/1560-63-0x0000000000000000-mapping.dmp
- memory/1636-74-0x0000000000000000-mapping.dmp
- memory/1696-70-0x0000000000000000-mapping.dmp