Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 10-01-2023 01:07
Static task: static1
Behavioral task: behavioral1
Sample: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
Resource: win7-20221111-en
General
- Target: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
- Size: 104KB
- MD5: c55df3ccf34d0c3d4d900d8a8f6a88c0
- SHA1: 50859414fa92a09c2df73151d913269f1bfe01f8
- SHA256: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d
- SHA512: 9f1fa0d525d8b6075fd79f3dc0eb0d91b017394f3cc74aec5c3fbc2d709521223eeff904ab1c11cdb9fbbb8db43d808fe73de2202b6c019326dae21c349908d5
- SSDEEP: 1536:4H3ccHYvlcaFUdw9Teh/+2wX9yB5aW2SXZH:H9caJBeJGw5fLpH
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/852-55-0x0000000002E20000-0x0000000002FC6000-memory.dmp | purplefox_rootkit
behavioral1/memory/852-60-0x0000000002BE0000-0x0000000002DA4000-memory.dmp | purplefox_rootkit
behavioral1/memory/852-61-0x0000000002E20000-0x0000000002FC6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1108-69-0x0000000001F30000-0x00000000020D6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1108-70-0x0000000001D00000-0x0000000001E39000-memory.dmp | purplefox_rootkit
behavioral1/memory/1108-72-0x0000000001F30000-0x00000000020D6000-memory.dmp | purplefox_rootkit
behavioral1/memory/1108-78-0x0000000001F30000-0x00000000020D6000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/852-55-0x0000000002E20000-0x0000000002FC6000-memory.dmp | family_gh0strat
behavioral1/memory/852-61-0x0000000002E20000-0x0000000002FC6000-memory.dmp | family_gh0strat
behavioral1/memory/1108-69-0x0000000001F30000-0x00000000020D6000-memory.dmp | family_gh0strat
behavioral1/memory/1108-70-0x0000000001D00000-0x0000000001E39000-memory.dmp | family_gh0strat
behavioral1/memory/1108-72-0x0000000001F30000-0x00000000020D6000-memory.dmp | family_gh0strat
behavioral1/memory/1108-78-0x0000000001F30000-0x00000000020D6000-memory.dmp | family_gh0strat
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1108 | windows.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
pid | process
1912 | attrib.exe
1808 | attrib.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window°²È«·À»¤ÖÐÐÄÄ£¿é = "C:\\ProgramData\\Micros\\svchost.exe" | windows.exe
(The value name after "Window" is GBK text shown here as Latin-1 mojibake; the same bytes decode to 安全防护中心模块.)
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\V: \??\G: \??\L: \??\M: \??\O: \??\P: \??\Y: \??\B: \??\H: \??\I: \??\S: \??\T: \??\E: \??\F: \??\N: \??\R: \??\X: \??\Z: \??\J: \??\K: \??\Q: \??\U: \??\W: (23 drive letters, one IoC each, in report order) | windows.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\PROGRA~3\windows.exe | attrib.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | windows.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | windows.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
pid | process
852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe (5 identical entries)
1108 | windows.exe (39 identical entries; 44 IoCs in total)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
Token: SeIncBasePriorityPrivilege | 1108 | windows.exe
Token: 33 | 1108 | windows.exe
Token: SeIncBasePriorityPrivilege | 1108 | windows.exe
Token: 33 | 1108 | windows.exe
Token: SeIncBasePriorityPrivilege | 1108 | windows.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
1108 | windows.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 852 wrote to memory of 396 | 852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe | cmd.exe (4 identical entries)
PID 852 wrote to memory of 1708 | 852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe | cmd.exe (4 identical entries)
PID 852 wrote to memory of 604 | 852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe | cmd.exe (4 identical entries)
PID 396 wrote to memory of 1808 | 396 | cmd.exe | attrib.exe (4 identical entries)
PID 852 wrote to memory of 1108 | 852 | 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe | windows.exe (4 identical entries)
PID 1108 wrote to memory of 636 | 1108 | windows.exe | cmd.exe (4 identical entries)
PID 636 wrote to memory of 1912 | 636 | cmd.exe | attrib.exe (4 identical entries)
PID 1108 wrote to memory of 552 | 1108 | windows.exe | cmd.exe (4 identical entries)
(8 distinct parent/child pairs, 32 IoCs in total)
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid | process
1808 | attrib.exe
1912 | attrib.exe
Processes
(process tree; the number in brackets is the depth shown in the report, each process line is followed by its command line and its triggered signatures)

[1] C:\Users\Admin\AppData\Local\Temp\6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe
    "C:\Users\Admin\AppData\Local\Temp\6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d.exe"
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c attrib C:\Users\Admin\AppData\Local\Temp\6655C4~1.EXE +s +h
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            attrib C:\Users\Admin\AppData\Local\Temp\6655C4~1.EXE +s +h
            - Sets file to hidden
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c md C:\ProgramData\Micros

    [2] C:\Windows\SysWOW64\cmd.exe
        cmd /c md C:\ProgramData\Micros

    [2] C:\ProgramData\windows.exe
        C:\ProgramData\windows.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Enumerates connected drives
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c attrib C:\PROGRA~3\windows.exe +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                attrib C:\PROGRA~3\windows.exe +s +h
                - Sets file to hidden
                - Drops file in Program Files directory
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe
            cmd /c md C:\ProgramData\ru
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\windows.exe
Filesize: 104KB
MD5: c55df3ccf34d0c3d4d900d8a8f6a88c0
SHA1: 50859414fa92a09c2df73151d913269f1bfe01f8
SHA256: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d
SHA512: 9f1fa0d525d8b6075fd79f3dc0eb0d91b017394f3cc74aec5c3fbc2d709521223eeff904ab1c11cdb9fbbb8db43d808fe73de2202b6c019326dae21c349908d5
-
C:\ProgramData\Micros\1.txt
Filesize: 76KB
MD5: a0174e9945895fa8ace11f6bb4a64298
SHA1: 527c4ebc005deb88f29edd83a23ac977735d76c4
SHA256: 2dcd521895377ae3463dd61369c7fc6aafd8610e020592bf29b88888fc295ca0
SHA512: 974f26161cc94c42fbe781db476562ccee90051f5c419ad156d4d17ab63231fa62a064c32cf1acc648e06d01d7f69e785f1421407859f2d78976d76a89b27dec
-
C:\ProgramData\Micros\2.txt
Filesize: 44KB
MD5: fad8ce9ef436709815a1cec228cf2ceb
SHA1: 397b2d26ede8e205b8b6b5d57d2234dc797e7680
SHA256: 675fa1a3d7c443b8b8634e35351bdc96942b944ef1083b0a0347671d5e4bf28e
SHA512: 66c2649b97f86b276030de64fedb3f110c59dd8cd6a9b76752fbef520fdcb87d60311ae44d647afac8b5bc0ccac6b9f22f1c27ada41cc0cc89e5106ea1223de4
-
C:\ProgramData\SHELL.TXT
Filesize: 1.2MB
MD5: f8e4629ba915fda41e718cd3f0e249a5
SHA1: 8c5c6b4bbfd56753316cef6d4720e4e8b092d485
SHA256: 5893e1ba760d79477725daf1cd5bb5bdc7400a1c238cfb9b1ecc6b36b8d812d3
SHA512: 2c4291e09feaa82928a2a509eb4120d01c711ce6c1b1cf9369c718d7bb2ff5fd4d2abf9ff153f6fabff4b279074ee5ca8d06eff8c2f42bb772fa19656eee7602
-
C:\ProgramData\SHELL.ini
Filesize: 49B
MD5: fc40128d051467f662e0b1618e79d9bf
SHA1: 2932bea9eac3be340fd61e83e4a19a57b00fc22a
SHA256: 1d3b8f8845588676f44b33149fcfb06652c604aed65aff7eec0f51e52d93844b
SHA512: 9542a9a6a9e67951f420057eaf3f95d86773dec9e6c9249d4282f75aea24c43429e2c153aab393177e731ac575a25d7b82eb74b1b5adaa979db43c21de941c15
-
C:\ProgramData\windows.exe
Filesize: 104KB
MD5: c55df3ccf34d0c3d4d900d8a8f6a88c0
SHA1: 50859414fa92a09c2df73151d913269f1bfe01f8
SHA256: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d
SHA512: 9f1fa0d525d8b6075fd79f3dc0eb0d91b017394f3cc74aec5c3fbc2d709521223eeff904ab1c11cdb9fbbb8db43d808fe73de2202b6c019326dae21c349908d5
-
\ProgramData\windows.exe
Filesize: 104KB
MD5: c55df3ccf34d0c3d4d900d8a8f6a88c0
SHA1: 50859414fa92a09c2df73151d913269f1bfe01f8
SHA256: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d
SHA512: 9f1fa0d525d8b6075fd79f3dc0eb0d91b017394f3cc74aec5c3fbc2d709521223eeff904ab1c11cdb9fbbb8db43d808fe73de2202b6c019326dae21c349908d5
-
\ProgramData\windows.exe
Filesize: 104KB
MD5: c55df3ccf34d0c3d4d900d8a8f6a88c0
SHA1: 50859414fa92a09c2df73151d913269f1bfe01f8
SHA256: 6655c46137af5c739e95a0f356efda3a471336d03cff18d8bc2edfd063d76a3d
SHA512: 9f1fa0d525d8b6075fd79f3dc0eb0d91b017394f3cc74aec5c3fbc2d709521223eeff904ab1c11cdb9fbbb8db43d808fe73de2202b6c019326dae21c349908d5
-
memory/396-56-0x0000000000000000-mapping.dmp
-
memory/552-75-0x0000000000000000-mapping.dmp
-
memory/604-58-0x0000000000000000-mapping.dmp
-
memory/636-71-0x0000000000000000-mapping.dmp
-
memory/852-61-0x0000000002E20000-0x0000000002FC6000-memory.dmp
Filesize: 1.6MB
-
memory/852-60-0x0000000002BE0000-0x0000000002DA4000-memory.dmp
Filesize: 1.8MB
-
memory/852-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
Filesize: 8KB
-
memory/852-55-0x0000000002E20000-0x0000000002FC6000-memory.dmp
Filesize: 1.6MB
-
memory/1108-64-0x0000000000000000-mapping.dmp
-
memory/1108-72-0x0000000001F30000-0x00000000020D6000-memory.dmp
Filesize: 1.6MB
-
memory/1108-70-0x0000000001D00000-0x0000000001E39000-memory.dmp
Filesize: 1.2MB
-
memory/1108-69-0x0000000001F30000-0x00000000020D6000-memory.dmp
Filesize: 1.6MB
-
memory/1108-78-0x0000000001F30000-0x00000000020D6000-memory.dmp
Filesize: 1.6MB
-
memory/1708-57-0x0000000000000000-mapping.dmp
-
memory/1808-59-0x0000000000000000-mapping.dmp
-
memory/1912-73-0x0000000000000000-mapping.dmp