Analysis
  max time kernel: 150s
  max time network: 154s
  platform: windows7_x64
  resource: win7-20220901-en
  resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  submitted: 09-01-2023 09:17
  Static task: static1
  Behavioral task: behavioral1
    Sample: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
    Resource: win7-20220901-en
General
  Target: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
  Size: 1.6MB
  MD5: 786e1083e402c760a01f5bbb3a30394c
  SHA1: 9209554639aacf9618ca5984fec28099762df7ed
  SHA256: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
  SHA512: c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
  SSDEEP: 24576:+NfyIrXxi199zh0eROY2ZvVSlVFwxInPkOgWhBMDN:+Nt4FYY2puFwxIsOaN
Malware Config
Signatures
-
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1724-55-0x0000000010000000-0x00000000101A6000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1864-70-0x0000000010000000-0x00000000101A6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1724-55-0x0000000010000000-0x00000000101A6000-memory.dmp  family_gh0strat
  behavioral1/memory/1864-70-0x0000000010000000-0x00000000101A6000-memory.dmp  family_gh0strat
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid   process
  1864  windows.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  pid   process
  108   attrib.exe
  1680  attrib.exe
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window°²È«·À»¤ÖÐÐÄÄ£¿é = "C:\\ProgramData\\Micros\\svchost.exe"  windows.exe
  (the value name is GBK text that the sandbox rendered as Latin-1; the bytes decode to Window安全防护中心模块)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\S:  windows.exe
  File opened (read-only)  \??\U:  windows.exe
  File opened (read-only)  \??\I:  windows.exe
  File opened (read-only)  \??\L:  windows.exe
  File opened (read-only)  \??\P:  windows.exe
  File opened (read-only)  \??\M:  windows.exe
  File opened (read-only)  \??\Q:  windows.exe
  File opened (read-only)  \??\T:  windows.exe
  File opened (read-only)  \??\X:  windows.exe
  File opened (read-only)  \??\E:  windows.exe
  File opened (read-only)  \??\F:  windows.exe
  File opened (read-only)  \??\J:  windows.exe
  File opened (read-only)  \??\K:  windows.exe
  File opened (read-only)  \??\N:  windows.exe
  File opened (read-only)  \??\O:  windows.exe
  File opened (read-only)  \??\R:  windows.exe
  File opened (read-only)  \??\B:  windows.exe
  File opened (read-only)  \??\G:  windows.exe
  File opened (read-only)  \??\H:  windows.exe
  File opened (read-only)  \??\Z:  windows.exe
  File opened (read-only)  \??\V:  windows.exe
  File opened (read-only)  \??\W:  windows.exe
  File opened (read-only)  \??\Y:  windows.exe
Drops file in Program Files directory 1 IoCs
Processes:
  description                   ioc                       process
  File opened for modification  C:\PROGRA~3\windows.exe  attrib.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                 process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       windows.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  windows.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
  pid   process
  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe  (5 entries)
  1864  windows.exe  (39 entries)
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                        pid   process
  Token: SeIncBasePriorityPrivilege  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
  Token: SeIncBasePriorityPrivilege  1864  windows.exe
  Token: 33                          1864  windows.exe
  Token: SeIncBasePriorityPrivilege  1864  windows.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
  1864  windows.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes (each row is recorded 4 times in the report, 32 entries in total):
  description                   pid   process                                                                target process
  PID 1724 wrote to memory of 768   1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe  cmd.exe
  PID 1724 wrote to memory of 560   1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe  cmd.exe
  PID 1724 wrote to memory of 1932  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe  cmd.exe
  PID 768 wrote to memory of 108    768   cmd.exe                                                                attrib.exe
  PID 1724 wrote to memory of 1864  1724  ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe  windows.exe
  PID 1864 wrote to memory of 1604  1864  windows.exe                                                            cmd.exe
  PID 1604 wrote to memory of 1680  1604  cmd.exe                                                                attrib.exe
  PID 1864 wrote to memory of 316   1864  windows.exe                                                            cmd.exe
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
  pid   process
  108   attrib.exe
  1680  attrib.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\ECF9E3~1.EXE +s +h
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe
        command line: attrib C:\Users\Admin\AppData\Local\Temp\ECF9E3~1.EXE +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md C:\ProgramData\Micros
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c md C:\ProgramData\Micros
    C:\ProgramData\windows.exe
      command line: C:\ProgramData\windows.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\attrib.exe
          command line: attrib C:\PROGRA~3\windows.exe +s +h
          - Sets file to hidden
          - Drops file in Program Files directory
          - Views/modifies file attributes
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md C:\ProgramData\ru
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\PROGRA~3\windows.exe
    Filesize: 1.6MB
    MD5: 786e1083e402c760a01f5bbb3a30394c
    SHA1: 9209554639aacf9618ca5984fec28099762df7ed
    SHA256: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
    SHA512: c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
  C:\ProgramData\Micros\1.txt
    Filesize: 76KB
    MD5: a0174e9945895fa8ace11f6bb4a64298
    SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
    SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
    SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
  C:\ProgramData\Micros\2.txt
    Filesize: 44KB
    MD5: fad8ce9ef436709815a1cec228cf2ceb
    SHA1: 397b2d26ede8e205b8b6b5d57d2234dc797e7680
    SHA256: 675fa1a3d7c443b8b8634e35351bdc96942b944ef1083b0a0347671d5e4bf28e
    SHA512: 66c2649b97f86b276030de64fedb3f110c59dd8cd6a9b76752fbef520fdcb87d60311ae44d647afac8b5bc0ccac6b9f22f1c27ada41cc0cc89e5106ea1223de4
  C:\ProgramData\windows.exe
    Filesize: 1.6MB
    MD5: 786e1083e402c760a01f5bbb3a30394c
    SHA1: 9209554639aacf9618ca5984fec28099762df7ed
    SHA256: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
    SHA512: c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
  \ProgramData\windows.exe
    Filesize: 1.6MB
    MD5: 786e1083e402c760a01f5bbb3a30394c
    SHA1: 9209554639aacf9618ca5984fec28099762df7ed
    SHA256: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
    SHA512: c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
  \ProgramData\windows.exe
    Filesize: 1.6MB
    MD5: 786e1083e402c760a01f5bbb3a30394c
    SHA1: 9209554639aacf9618ca5984fec28099762df7ed
    SHA256: ecf9e328df5c1c75dd26f7503d58fec21092271352754f2397773949934fd8b6
    SHA512: c6bb4e7b16d72215833f61bae5faf1e027c5067f173d6833749a0c64811f94ec3ec672652aa864ecc947508b3006cb7cd4821281b0fe882d5cb0f8c7a7015474
  memory/108-64-0x0000000000000000-mapping.dmp
  memory/316-79-0x0000000000000000-mapping.dmp
  memory/560-62-0x0000000000000000-mapping.dmp
  memory/768-61-0x0000000000000000-mapping.dmp
  memory/1604-76-0x0000000000000000-mapping.dmp
  memory/1680-77-0x0000000000000000-mapping.dmp
  memory/1724-54-0x0000000075111000-0x0000000075113000-memory.dmp
    Filesize: 8KB
  memory/1724-55-0x0000000010000000-0x00000000101A6000-memory.dmp
    Filesize: 1.6MB
  memory/1864-70-0x0000000010000000-0x00000000101A6000-memory.dmp
    Filesize: 1.6MB
  memory/1864-67-0x0000000000000000-mapping.dmp
  memory/1932-63-0x0000000000000000-mapping.dmp