Analysis
- max time kernel: 31s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 13-02-2023 19:45
- Static task: static1
- Behavioral task: behavioral1 (Sample: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe; Resource: win7-20221111-en)
General
- Target: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
- Size: 3.4MB
- MD5: af9dca636b9df90a6aa8a61fb8c8d6f5
- SHA1: e67601914fdda13d89e78958e64e3227c60bdfe8
- SHA256: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893
- SHA512: 7628465ebd4a9c7d401cec334b40271545b063759321e1b89ca6e706ec6477031fc8f086411d82780a38b103d291f3c5f47d3c219468840f43c5c4e61697dac9
- SSDEEP: 98304:+HMhhgXx9n4IKBq22aYo+lsALZgpypO5fdmsPFT2:wM3gD3sq22aYo4sALepyo5ff
Malware Config
Signatures
Yara rule purplefox_rootkit matched 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1212-61-0x0000000010000000-0x00000000101A0000-memory.dmp  purplefox_rootkit
behavioral1/memory/1212-81-0x0000000000400000-0x000000000062C340-memory.dmp  purplefox_rootkit
behavioral1/memory/1680-82-0x0000000000400000-0x000000000062C340-memory.dmp  purplefox_rootkit

Gh0st RAT payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1212-61-0x0000000010000000-0x00000000101A0000-memory.dmp  family_gh0strat
behavioral1/memory/1212-81-0x0000000000400000-0x000000000062C340-memory.dmp  family_gh0strat
behavioral1/memory/1680-82-0x0000000000400000-0x000000000062C340-memory.dmp  family_gh0strat

Executes dropped EXE 3 IoCs
Processes:
pid   process
1212  8574984654.exe
1680  Phxph.exe
436   Phxph.exe

Loads dropped DLL 2 IoCs
Processes:
pid   process
1704  e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
1680  Phxph.exe

Drops file in System32 directory 4 IoCs
Processes:
description                   ioc                                process
File created                  C:\Windows\SysWOW64\8574984654.exe  e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
File created                  C:\Windows\SysWOW64\Phxph.exe       8574984654.exe
File opened for modification  C:\Windows\SysWOW64\Phxph.exe       8574984654.exe
File opened for modification  C:\Windows\SysWOW64\857498~1.EXE    8574984654.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: RenamesItself 1 IoCs
Processes:
pid   process
1704  e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                        pid   process
Token: SeIncBasePriorityPrivilege  1212  8574984654.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
1704  e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe

Suspicious use of WriteProcessMemory 22 IoCs
Processes (identical events grouped, count in parentheses):
description                       pid   process                                                                 target process
PID 1704 wrote to memory of 1212  1704  e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe  8574984654.exe  (7 events)
PID 1212 wrote to memory of 592   1212  8574984654.exe                                                          cmd.exe         (4 events)
PID 1680 wrote to memory of 436   1680  Phxph.exe                                                               Phxph.exe       (7 events)
PID 592 wrote to memory of 1312   592   cmd.exe                                                                 PING.EXE        (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\8574984654.exe
    Command line: C:\Windows\System32\8574984654.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\857498~1.EXE > nul
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe
- C:\Windows\SysWOW64\Phxph.exe
  Command line: C:\Windows\SysWOW64\Phxph.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Phxph.exe
    Command line: C:\Windows\SysWOW64\Phxph.exe -acsi
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (every copy below has identical content):
- Filesize: 1024KB
- MD5: 41863c7667ff5112217248be09050640
- SHA1: b605797daafafe0236d4e4ed6f7c9bd7a0a40ce6
- SHA256: 198c29ff12d08fbdca29794b413b85db79f04b01d3a3ffc78c402cf11328d85f
- SHA512: 7a8eceb2c7ae66faa243b5b2d109b3d3fb56fa1d051628b856d9075c3278355ef72232d1f79cb3c68db8d0f92421fa9d107328721c7c5bb1f52bd646c25eac5e
Paths:
- C:\Windows\SysWOW64\8574984654.exe
- C:\Windows\SysWOW64\Phxph.exe
- \Windows\SysWOW64\8574984654.exe
- \Windows\SysWOW64\Phxph.exe
Memory dumps:
- memory/436-79-0x0000000000000000-mapping.dmp
- memory/436-85-0x0000000000400000-0x000000000062C340-memory.dmp (Filesize 2.2MB)
- memory/592-78-0x0000000000000000-mapping.dmp
- memory/1212-61-0x0000000010000000-0x00000000101A0000-memory.dmp (Filesize 1.6MB)
- memory/1212-60-0x0000000000400000-0x000000000062C340-memory.dmp (Filesize 2.2MB)
- memory/1212-59-0x0000000075831000-0x0000000075833000-memory.dmp (Filesize 8KB)
- memory/1212-55-0x0000000000000000-mapping.dmp
- memory/1212-81-0x0000000000400000-0x000000000062C340-memory.dmp (Filesize 2.2MB)
- memory/1312-84-0x0000000000000000-mapping.dmp
- memory/1680-69-0x0000000000400000-0x000000000062C340-memory.dmp (Filesize 2.2MB)
- memory/1680-82-0x0000000000400000-0x000000000062C340-memory.dmp (Filesize 2.2MB)
- memory/1704-58-0x0000000011120000-0x000000001134D000-memory.dmp (Filesize 2.2MB)