Analysis
- max time kernel: 91s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-12-2022 04:30
Static task: static1
Behavioral task: behavioral1
- Sample: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe
- Resource: win7-20221111-en
Note that the run whose signatures and memory dumps appear below is tagged behavioral2 and ran on win10v2004-20221111-en (see the Analysis header above), not the behavioral1/win7 task listed here.
General
- Target: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe
- Size: 2.3MB
- MD5: 5630cbc8bab9ae8c880016900504284a
- SHA1: ad94ae9fbf49ac02793078030097632349eebfa8
- SHA256: 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85
- SHA512: 3afbc54695dd186c39d28189450acfddd1ac80bf51e2e58a4e88dc6c294dea1bfa483edc4c21d60bf08f04ad7ad4df11b09be856d34389b227bd3a9e5c15bb52
- SSDEEP: 49152:NvyXDbhPJiugp5H3fMOMdw9bjkxiIiFYh/oc51IXa+UI5moW:NvuVQFp5PMOzQyFYh/ZnIhv5mo
Malware Config
Signatures
Purplefox rootkit (YARA rule purplefox_rootkit) 5 IoCs
Processes:
- behavioral2/memory/4604-137-0x0000000010000000-0x00000000101A0000-memory.dmp (675.exe, pid 4604): purplefox_rootkit
- behavioral2/memory/4576-152-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 4576): purplefox_rootkit
- behavioral2/memory/4604-154-0x0000000000400000-0x00000000005B490F-memory.dmp (675.exe, pid 4604): purplefox_rootkit
- behavioral2/memory/4576-156-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 4576): purplefox_rootkit
- behavioral2/memory/3348-164-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 3348): purplefox_rootkit

Gh0st RAT payload (YARA rule family_gh0strat) 5 IoCs
Processes:
- behavioral2/memory/4604-137-0x0000000010000000-0x00000000101A0000-memory.dmp (675.exe, pid 4604): family_gh0strat
- behavioral2/memory/4576-152-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 4576): family_gh0strat
- behavioral2/memory/4604-154-0x0000000000400000-0x00000000005B490F-memory.dmp (675.exe, pid 4604): family_gh0strat
- behavioral2/memory/4576-156-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 4576): family_gh0strat
- behavioral2/memory/3348-164-0x0000000000400000-0x00000000005B490F-memory.dmp (SSkGcsk.exe, pid 3348): family_gh0strat

Both rules fire on exactly the same five dumps: the 0x400000 image of every process started from the dropped file (pids 4604, 4576, 3348) plus one 0x10000000 region inside 675.exe. The submitted dropper itself (pid 4872) matches neither rule; the payload only becomes visible in the dropped binary and its children.
Executes dropped EXE 3 IoCs
Processes:
- pid 4604: 675.exe
- pid 4576: SSkGcsk.exe
- pid 3348: SSkGcsk.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
SSkGcsk.exe opened the following drive roots read-only, in the order the sandbox recorded them: \??\J:, \??\L:, \??\R:, \??\Y:, \??\X:, \??\B:, \??\E:, \??\G:, \??\K:, \??\P:, \??\S:, \??\V:, \??\F:, \??\H:, \??\I:, \??\O:, \??\U:, \??\Z:, \??\M:, \??\N:, \??\Q:, \??\T:, \??\W:
That is every letter B: and E: through Z: (23 roots); A:, C: and D: are not probed. The \??\ prefix is the NT object-manager spelling of a DOS drive letter, so each entry is an open of the bare volume root, which is the cheap way to discover which letters are mounted before walking them.
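The sweep above is a pattern worth detecting on its own, independent of this sample. The Python below is an added example, not code from the sandbox vendor or from this report: it re-implements the "Enumerates connected drives" idea over constructed (process, path) file-open records shaped like the report's lines. The 23 roots attributed to SSkGcsk.exe are taken from the report; the explorer.exe noise, the threshold of five roots and the exclusion of C: are assumptions of the example.

```python
"""Flag processes that probe many drive roots, as SSkGcsk.exe does above.

Added example, not code from the sandbox or this report. It re-implements the
"Enumerates connected drives" idea over constructed (process, path) file-open
records shaped like the report's "File opened (read-only) \\??\\X: <process>" lines.
"""
import re
import string
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A bare drive root in NT object-manager form: "\??\J:" or "\??\J:\".
DRIVE_ROOT = re.compile(r"^\\\?\?\\([A-Za-z]):\\?$")


def drive_root_letter(path: str):
    """Return the drive letter when `path` is exactly a drive root, else None."""
    m = DRIVE_ROOT.match(path)
    return m.group(1).upper() if m else None


def find_drive_sweeps(events: Iterable[Tuple[str, str]], min_roots: int = 5) -> Dict[str, List[str]]:
    """Map each process that opened at least `min_roots` distinct drive roots to the
    sorted letters it touched. C: is ignored because everything opens the system
    drive; the threshold of 5 is an assumption, tune it against your own baseline."""
    per_proc = defaultdict(set)
    for proc, path in events:
        letter = drive_root_letter(path)
        if letter and letter != "C":
            per_proc[proc].add(letter)
    return {p: sorted(ls) for p, ls in per_proc.items() if len(ls) >= min_roots}


def unprobed(letters: Iterable[str]) -> List[str]:
    """Letters A-Z a sweeping process did not touch; useful to spot a fixed exclusion list."""
    return sorted(set(string.ascii_uppercase) - set(letters))


# Constructed sample: the 23 roots the report attributes to SSkGcsk.exe, in the
# order the report lists them, plus hypothetical explorer.exe noise.
SAMPLE_EVENTS = [("SSkGcsk.exe", f"\\??\\{c}:") for c in "JLRYXBEGKPSVFHIOUZMNQTW"]
SAMPLE_EVENTS += [
    ("explorer.exe", "\\??\\C:"),
    ("explorer.exe", "\\??\\C:\\Users\\Admin\\Desktop\\notes.txt"),
    ("explorer.exe", "\\??\\D:"),
]

if __name__ == "__main__":
    for proc, letters in find_drive_sweeps(SAMPLE_EVENTS).items():
        print(f"{proc}: {len(letters)} drive roots, skipped {unprobed(letters)}")
```

On the report's data this yields one hit, SSkGcsk.exe with 23 roots and A, C, D unprobed. In production the same logic runs over file-open telemetry (Sysmon does not log opens, so this needs an EDR or ETW file source), and the process-level aggregation should be bounded by a time window so a long-lived process does not accumulate roots across days.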
Drops file in System32 directory 4 IoCs
Processes:
- 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe: File created C:\Windows\SysWOW64\675.exe
- 675.exe: File opened for modification C:\Windows\SysWOW64\675.exe
- 675.exe: File created C:\Windows\SysWOW64\SSkGcsk.exe
- 675.exe: File opened for modification C:\Windows\SysWOW64\SSkGcsk.exe
The chain is: the submitted sample writes 675.exe into SysWOW64, 675.exe writes SSkGcsk.exe beside it (the Downloads section below shows both files with identical hashes, so this is a copy under a new name), and 675.exe then removes its own copy through the cmd.exe/ping chain in the process tree. Only the SSkGcsk.exe copy survives on disk.
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
- pid 4872 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe (3 calls)
NtSetInformationThread with the ThreadHideFromDebugger information class detaches the target thread from any attached debugger: breakpoints and exceptions on that thread are no longer reported to it. Only the submitted dropper does this; the dropped 675.exe and SSkGcsk.exe processes do not, which is consistent with the anti-analysis layer living in the outer packer rather than in the payload.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- SSkGcsk.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- SSkGcsk.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
~MHz is the nominal CPU clock of the first logical processor. Plenty of legitimate software reads it, so on its own it is a weak signal; it is only notable here alongside the drive sweep and the anti-debug call above.
Modifies data under HKEY_USERS 5 IoCs
Processes:
- SSkGcsk.exe: Key created \REGISTRY\USER\.DEFAULT\Software
- SSkGcsk.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft
- SSkGcsk.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie
- SSkGcsk.exe: Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum
- SSkGcsk.exe: Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"
ActiveMovie\devenum\Version is the cache-version marker the DirectShow system device enumerator writes when a process instantiates it, typically to list audio and video capture devices. That the keys land under HKU\.DEFAULT rather than under a user SID means SSkGcsk.exe ran without a loaded user profile, i.e. outside the interactive user's session.
Runs ping.exe 1 TTPs 1 IoCs
Processes:
- pid 1112 PING.EXE: ping -n 2 127.0.0.1 (spawned by cmd.exe pid 4660 as the delay before deleting 675.exe; see the process tree)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 3348 SSkGcsk.exe (64 events; the report lists the same pid 64 times)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
- pid 4872 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- pid 4604 675.exe: Token: SeIncBasePriorityPrivilege
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
- pid 4872 61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe (3 calls)
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 4872 (61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe) wrote to memory of 4604 (675.exe), 3 times
- PID 4604 (675.exe) wrote to memory of 4660 (cmd.exe), 3 times
- PID 4576 (SSkGcsk.exe) wrote to memory of 3348 (SSkGcsk.exe), 3 times
- PID 4660 (cmd.exe) wrote to memory of 1112 (PING.EXE), 3 times
Every source/target pair here is a parent/child edge of the process tree below, with the same three writes per child. There is no write into a process the writer did not itself start, so this signature reflects the launches rather than injection into an unrelated process.
Processes
- pid 4872  C:\Users\Admin\AppData\Local\Temp\61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\61c2dd595a4b99156cb45d62dda03eedd80e4fb4cb5ed2537fe14e72485c0c85.exe"
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - pid 4604  C:\Windows\SysWOW64\675.exe
    command line: C:\Windows\System32\675.exe
    (the parent names System32 but the image runs from SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection, which is also why its "System32" drop lands in SysWOW64)
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - pid 4660  C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\675.exe > nul
      - Suspicious use of WriteProcessMemory
      - pid 1112  C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
- pid 4576  C:\Windows\SysWOW64\SSkGcsk.exe
  command line: C:\Windows\SysWOW64\SSkGcsk.exe -auto
  (second root of the tree: no captured process launched it, although 675.exe wrote the file)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - pid 3348  C:\Windows\SysWOW64\SSkGcsk.exe
    command line: C:\Windows\SysWOW64\SSkGcsk.exe -acsi
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
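The cmd.exe step under 675.exe is the standard ping-as-sleep self-deletion idiom: ping -n 2 against loopback waits about a second so that 675.exe has exited and its image is no longer locked, then del removes it, leaving only the SSkGcsk.exe copy. The Python below is an added example, not code from the report or its vendor. It walks constructed process-creation records in the shape of Sysmon event ID 1 fields (pid, ppid, image, command line) and flags a cmd.exe child whose command line chains ping and del, distinguishing the case where the deleted path is the parent's own image. The 675.exe, cmd.exe and PING.EXE records reproduce the pids and command lines shown above; sample.exe stands in for the submitted file, and the build.exe/build.log and 8.8.8.8 records are hypothetical benign noise.

```python
"""Flag cmd.exe children that wait on ping and then delete their parent's image.

Added example, not code from the sandbox report or its vendor. Records are
constructed in the shape of Sysmon event ID 1 fields (pid, ppid, image,
command line); see SAMPLE_RECORDS for what is copied from the report and
what is hypothetical.
"""
import re
from typing import Dict, List

# "ping -n <count> 127.0.0.1" (or localhost): the sleep substitute used by cmd
# scripts that have no sleep command available.
PING_SLEEP = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(?P<count>\d+)\s+)?(?:127\.0\.0\.1|localhost)\b",
    re.IGNORECASE,
)
# "&& del <path>" following the ping, tolerating /f /q style switches, quotes and "> nul".
DEL_AFTER = re.compile(
    r"&&\s*(?:del|erase)\s+(?:/[a-z]\s+)*\"?(?P<target>[^\"&|>]+?)\"?\s*(?:>\s*nul)?\s*(?:&&|$)",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Case-fold a path and fold the WOW64 redirect so that the System32 spelling
    a 32-bit process uses compares equal to the SysWOW64 path it really touches."""
    return path.strip().strip('"').casefold().replace("\\system32\\", "\\syswow64\\")


def analyze(records: List[Dict]) -> List[Dict]:
    """Return one finding per cmd.exe record whose command line chains ping and del.

    kind is "self_delete" when the deleted path is the parent process's own image
    (the pattern in the report) and "delayed_delete" when ping+del targets anything else.
    """
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for r in records:
        if _norm(r["image"]).rsplit("\\", 1)[-1] != "cmd.exe":
            continue
        ping = PING_SLEEP.search(r["cmdline"])
        dele = DEL_AFTER.search(r["cmdline"])
        if not (ping and dele):
            continue
        target = dele.group("target").strip()
        parent = by_pid.get(r["ppid"])
        is_self = parent is not None and _norm(target) == _norm(parent["image"])
        findings.append({
            "pid": r["pid"],
            "kind": "self_delete" if is_self else "delayed_delete",
            "delay_pings": int(ping.group("count") or 1),
            "target": target,
            "parent_image": parent["image"] if parent else None,
        })
    return findings


# Constructed records. pids 4604, 4660 and 1112 carry the exact command lines from the
# report's process tree; "sample.exe" stands in for the submitted file, and the
# build.exe/build.log and 8.8.8.8 records are hypothetical benign noise.
SAMPLE_RECORDS = [
    {"pid": 4872, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'},
    {"pid": 4604, "ppid": 4872, "image": r"C:\Windows\SysWOW64\675.exe",
     "cmdline": r"C:\Windows\System32\675.exe"},
    {"pid": 4660, "ppid": 4604, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\675.exe > nul"},
    {"pid": 1112, "ppid": 4660, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": r"ping -n 2 127.0.0.1"},
    {"pid": 9000, "ppid": 1000, "image": r"C:\Program Files\Hypothetical\build.exe",
     "cmdline": r"build.exe --clean"},
    {"pid": 9001, "ppid": 9000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 3 127.0.0.1 > nul && del /q "C:\Program Files\Hypothetical\build.log" > nul'},
    {"pid": 9002, "ppid": 9000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 4 8.8.8.8"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"pid {f['pid']}: {f['kind']} after {f['delay_pings']} ping(s) -> {f['target']}")
```

The parent-image comparison is what separates the malicious case from installers and build scripts that also use ping as a sleep: a process arranging for its own image to be deleted after it exits has no benign reason to hide the file, whereas a delayed delete of a log or temp file is routine. The System32/SysWOW64 folding in _norm matters because, as the tree shows, a 32-bit process can name one directory while its image lives in the other.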
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The report lists five dropped-file records, two for C:\Windows\SysWOW64\675.exe and three for C:\Windows\SysWOW64\SSkGcsk.exe, all with the same size and hashes, i.e. one 706KB binary written under two names:
- Filesize: 706KB
- MD5: 06b76d8bf89d24277e1f21de6037681f
- SHA1: 4b3fa3b2495500458ecc0eae1b40049d03d35924
- SHA256: 2a21847b38a710e2e2079184560014c8f72183d2ba32ae2f62198ab0f5e91447
- SHA512: 45434af995c413e5eeb56d703c5925363b916b87521deef418c3ef6fbdebaf72ef5caef10ec5dc330b438c46dd0c6be24a45c10097fdd27935749f9a9818454e
For blocking or hunting, key on the hashes rather than on either filename: the 675.exe copy is deleted by the cmd.exe chain above, and a rule keyed on the SSkGcsk.exe name would miss the same binary dropped under another name.
Memory dumps
- memory/1112-162-0x0000000000000000-mapping.dmp
- memory/3348-153-0x0000000000000000-mapping.dmp
- memory/3348-164-0x0000000000400000-0x00000000005B490F-memory.dmp: 1.7MB
- memory/4576-156-0x0000000000400000-0x00000000005B490F-memory.dmp: 1.7MB
- memory/4576-152-0x0000000000400000-0x00000000005B490F-memory.dmp: 1.7MB
- memory/4604-136-0x0000000000400000-0x00000000005B490F-memory.dmp: 1.7MB
- memory/4604-154-0x0000000000400000-0x00000000005B490F-memory.dmp: 1.7MB
- memory/4604-137-0x0000000010000000-0x00000000101A0000-memory.dmp: 1.6MB
- memory/4604-133-0x0000000000000000-mapping.dmp
- memory/4660-151-0x0000000000000000-mapping.dmp
- memory/4872-132-0x0000000000400000-0x0000000000943000-memory.dmp: 5.3MB
- memory/4872-165-0x0000000000400000-0x0000000000943000-memory.dmp: 5.3MB
- memory/4872-166-0x0000000000400000-0x0000000000943000-memory.dmp: 5.3MB
Reading the ranges: 0x400000-0x943000 (5.3MB) is the submitted dropper's image in pid 4872, which grows from 2.3MB on disk to 5.3MB mapped. 0x400000-0x5B490F (1.7MB) is the dropped 706KB file's image in each of pids 4604, 4576 and 3348. The 0x10000000-0x101A0000 region in 675.exe (pid 4604) is the odd one out: it corresponds to no file in the Downloads list, 0x10000000 is the default preferred base of a 32-bit DLL, and it is the lowest-numbered dump on which both YARA rules fire. If you want the unpacked payload, start with that dump.