Analysis
max time kernel: 50s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2022 03:51
Static task: static1
Behavioral task: behavioral1
Sample: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
Resource: win7-20221111-en
General
Target: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
Size: 2.3MB
MD5: 54da7310e3ebd8f05fa9b91977d1f00d
SHA1: 628ed25a7d610df5bae3d79ad7ba17845e6f76f3
SHA256: 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050
SHA512: 6ccf3cc084f7f2b5b53d539368900f75f8768f251f238760224e4d8e9b25d450b5ac9a220b1eedbc8d5fd6c6267541f51c875108efe490c8a3f14ed137d435e6
SSDEEP: 49152:icFdPgoYUlOeODCRL1QU5/soxzl+Es3wSF9:17UiJQNo1AEs3w
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/2436-136-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
behavioral2/memory/2436-138-0x0000000000400000-0x00000000005A090F-memory.dmp | purplefox_rootkit
behavioral2/memory/2436-154-0x0000000000400000-0x00000000005A090F-memory.dmp | purplefox_rootkit
behavioral2/memory/2124-155-0x0000000000400000-0x00000000005A090F-memory.dmp | purplefox_rootkit
behavioral2/memory/364-159-0x0000000000400000-0x00000000005A090F-memory.dmp | purplefox_rootkit
Gh0st RAT payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2436-136-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
behavioral2/memory/2436-138-0x0000000000400000-0x00000000005A090F-memory.dmp | family_gh0strat
behavioral2/memory/2436-154-0x0000000000400000-0x00000000005A090F-memory.dmp | family_gh0strat
behavioral2/memory/2124-155-0x0000000000400000-0x00000000005A090F-memory.dmp | family_gh0strat
behavioral2/memory/364-159-0x0000000000400000-0x00000000005A090F-memory.dmp | family_gh0strat
Executes dropped EXE 3 IoCs
Processes:
pid | process
2436 | 5431.exe
2124 | Aqiyq.exe
364 | Aqiyq.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\F: | Aqiyq.exe
File opened (read-only) | \??\G: | Aqiyq.exe
File opened (read-only) | \??\M: | Aqiyq.exe
File opened (read-only) | \??\U: | Aqiyq.exe
File opened (read-only) | \??\W: | Aqiyq.exe
File opened (read-only) | \??\B: | Aqiyq.exe
File opened (read-only) | \??\E: | Aqiyq.exe
File opened (read-only) | \??\L: | Aqiyq.exe
File opened (read-only) | \??\S: | Aqiyq.exe
File opened (read-only) | \??\X: | Aqiyq.exe
File opened (read-only) | \??\Z: | Aqiyq.exe
File opened (read-only) | \??\I: | Aqiyq.exe
File opened (read-only) | \??\J: | Aqiyq.exe
File opened (read-only) | \??\K: | Aqiyq.exe
File opened (read-only) | \??\N: | Aqiyq.exe
File opened (read-only) | \??\O: | Aqiyq.exe
File opened (read-only) | \??\Q: | Aqiyq.exe
File opened (read-only) | \??\H: | Aqiyq.exe
File opened (read-only) | \??\P: | Aqiyq.exe
File opened (read-only) | \??\R: | Aqiyq.exe
File opened (read-only) | \??\T: | Aqiyq.exe
File opened (read-only) | \??\V: | Aqiyq.exe
File opened (read-only) | \??\Y: | Aqiyq.exe
Drops file in System32 directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\5431.exe | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
File created | C:\Windows\SysWOW64\Aqiyq.exe | 5431.exe
File opened for modification | C:\Windows\SysWOW64\Aqiyq.exe | 5431.exe
File opened for modification | C:\Windows\SysWOW64\5431.exe | 5431.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid | process
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Aqiyq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Aqiyq.exe
Modifies data under HKEY_USERS 5 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Aqiyq.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
364 | Aqiyq.exe (this identical row appears 64 times in the report)
Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid | process
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 2436 | 5431.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 2240 wrote to memory of 2436 | 2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe | 5431.exe
PID 2240 wrote to memory of 2436 | 2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe | 5431.exe
PID 2240 wrote to memory of 2436 | 2240 | 640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe | 5431.exe
PID 2436 wrote to memory of 4288 | 2436 | 5431.exe | cmd.exe
PID 2436 wrote to memory of 4288 | 2436 | 5431.exe | cmd.exe
PID 2436 wrote to memory of 4288 | 2436 | 5431.exe | cmd.exe
PID 2124 wrote to memory of 364 | 2124 | Aqiyq.exe | Aqiyq.exe
PID 2124 wrote to memory of 364 | 2124 | Aqiyq.exe | Aqiyq.exe
PID 2124 wrote to memory of 364 | 2124 | Aqiyq.exe | Aqiyq.exe
PID 4288 wrote to memory of 3332 | 4288 | cmd.exe | PING.EXE
PID 4288 wrote to memory of 3332 | 4288 | cmd.exe | PING.EXE
PID 4288 wrote to memory of 3332 | 4288 | cmd.exe | PING.EXE
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\640b857fd0573bf62985066188dd6585cf803e7700ee3fc98f74843dba7e2050.exe"
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\5431.exe
    command line: C:\Windows\System32\5431.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\5431.exe > nul
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
depth 1: C:\Windows\SysWOW64\Aqiyq.exe
  command line: C:\Windows\SysWOW64\Aqiyq.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Windows\SysWOW64\Aqiyq.exe
    command line: C:\Windows\SysWOW64\Aqiyq.exe -acsi
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\5431.exe
Filesize: 706KB
MD5: 50d46fc90ba5281eb40dc8fb43131423
SHA1: 2ad97ea7fb904f06a1d1835218dfc41933910328
SHA256: d75c97a7e2f8dd4f58093177457fbb95d3a66e74bc4af34176a0330ac0f0bcf1
SHA512: cc1388cebc00a0fdbe276ed63d7cfcba1db4cd549cb989a3ab80bb9fec261bd63471232918fc796a875f21b9bdf5ee5eaa7a05299b1752efd1f7d362705fb6d7
-
C:\Windows\SysWOW64\Aqiyq.exe
Filesize: 706KB
MD5: 50d46fc90ba5281eb40dc8fb43131423
SHA1: 2ad97ea7fb904f06a1d1835218dfc41933910328
SHA256: d75c97a7e2f8dd4f58093177457fbb95d3a66e74bc4af34176a0330ac0f0bcf1
SHA512: cc1388cebc00a0fdbe276ed63d7cfcba1db4cd549cb989a3ab80bb9fec261bd63471232918fc796a875f21b9bdf5ee5eaa7a05299b1752efd1f7d362705fb6d7
-
memory/364-159-0x0000000000400000-0x00000000005A090F-memory.dmp
Filesize: 1.6MB
-
memory/364-152-0x0000000000000000-mapping.dmp
-
memory/2124-155-0x0000000000400000-0x00000000005A090F-memory.dmp
Filesize: 1.6MB
-
memory/2240-165-0x0000000000400000-0x0000000000944000-memory.dmp
Filesize: 5.3MB
-
memory/2240-132-0x0000000000400000-0x0000000000944000-memory.dmp
Filesize: 5.3MB
-
memory/2240-164-0x0000000000400000-0x0000000000944000-memory.dmp
Filesize: 5.3MB
-
memory/2436-136-0x0000000010000000-0x00000000101A0000-memory.dmp
Filesize: 1.6MB
-
memory/2436-154-0x0000000000400000-0x00000000005A090F-memory.dmp
Filesize: 1.6MB
-
memory/2436-138-0x0000000000400000-0x00000000005A090F-memory.dmp
Filesize: 1.6MB
-
memory/2436-133-0x0000000000000000-mapping.dmp
-
memory/3332-163-0x0000000000000000-mapping.dmp
-
memory/4288-151-0x0000000000000000-mapping.dmp