Analysis
- max time kernel: 65s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-02-2023 19:45
- Static task: static1
- Behavioral task: behavioral1
- Sample: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
- Resource: win7-20221111-en
General
- Target: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
- Size: 3.4MB
- MD5: af9dca636b9df90a6aa8a61fb8c8d6f5
- SHA1: e67601914fdda13d89e78958e64e3227c60bdfe8
- SHA256: e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893
- SHA512: 7628465ebd4a9c7d401cec334b40271545b063759321e1b89ca6e706ec6477031fc8f086411d82780a38b103d291f3c5f47d3c219468840f43c5c4e61697dac9
- SSDEEP: 98304:+HMhhgXx9n4IKBq22aYo+lsALZgpypO5fdmsPFT2:wM3gD3sq22aYo4sALepyo5ff
Malware Config
Signatures
- Yara rule match: purplefox_rootkit
  Processes (resource | yara_rule):
  behavioral2/memory/3440-135-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
  behavioral2/memory/3440-144-0x0000000000400000-0x000000000062C340-memory.dmp | purplefox_rootkit
  behavioral2/memory/1664-146-0x0000000000400000-0x000000000062C340-memory.dmp | purplefox_rootkit
  behavioral2/memory/1664-155-0x0000000000400000-0x000000000062C340-memory.dmp | purplefox_rootkit
  behavioral2/memory/3440-153-0x0000000000400000-0x000000000062C340-memory.dmp | purplefox_rootkit
  behavioral2/memory/2132-157-0x0000000010000000-0x00000000101A0000-memory.dmp | purplefox_rootkit
  behavioral2/memory/2132-163-0x0000000000400000-0x000000000062C340-memory.dmp | purplefox_rootkit
- Gh0st RAT payload (7 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/3440-135-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
  behavioral2/memory/3440-144-0x0000000000400000-0x000000000062C340-memory.dmp | family_gh0strat
  behavioral2/memory/1664-146-0x0000000000400000-0x000000000062C340-memory.dmp | family_gh0strat
  behavioral2/memory/1664-155-0x0000000000400000-0x000000000062C340-memory.dmp | family_gh0strat
  behavioral2/memory/3440-153-0x0000000000400000-0x000000000062C340-memory.dmp | family_gh0strat
  behavioral2/memory/2132-157-0x0000000010000000-0x00000000101A0000-memory.dmp | family_gh0strat
  behavioral2/memory/2132-163-0x0000000000400000-0x000000000062C340-memory.dmp | family_gh0strat
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  3440 | 8574984654.exe
  1664 | Phxph.exe
  2132 | Phxph.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\J: | Phxph.exe
  File opened (read-only) | \??\K: | Phxph.exe
  File opened (read-only) | \??\M: | Phxph.exe
  File opened (read-only) | \??\O: | Phxph.exe
  File opened (read-only) | \??\Q: | Phxph.exe
  File opened (read-only) | \??\S: | Phxph.exe
  File opened (read-only) | \??\U: | Phxph.exe
  File opened (read-only) | \??\E: | Phxph.exe
  File opened (read-only) | \??\W: | Phxph.exe
  File opened (read-only) | \??\P: | Phxph.exe
  File opened (read-only) | \??\Y: | Phxph.exe
  File opened (read-only) | \??\Z: | Phxph.exe
  File opened (read-only) | \??\G: | Phxph.exe
  File opened (read-only) | \??\H: | Phxph.exe
  File opened (read-only) | \??\I: | Phxph.exe
  File opened (read-only) | \??\R: | Phxph.exe
  File opened (read-only) | \??\T: | Phxph.exe
  File opened (read-only) | \??\X: | Phxph.exe
  File opened (read-only) | \??\F: | Phxph.exe
  File opened (read-only) | \??\L: | Phxph.exe
  File opened (read-only) | \??\N: | Phxph.exe
  File opened (read-only) | \??\V: | Phxph.exe
  File opened (read-only) | \??\B: | Phxph.exe
- Drops file in System32 directory (4 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\8574984654.exe | e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
  File created | C:\Windows\SysWOW64\Phxph.exe | 8574984654.exe
  File opened for modification | C:\Windows\SysWOW64\Phxph.exe | 8574984654.exe
  File opened for modification | C:\Windows\SysWOW64\857498~1.EXE | 8574984654.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Phxph.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Phxph.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Phxph.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Phxph.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | Phxph.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Phxph.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Phxph.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  2132 | Phxph.exe (64 identical entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes (pid | process):
  1268 | e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  Token: SeIncBasePriorityPrivilege | 3440 | 8574984654.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  1268 | e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1268 wrote to memory of 3440 | 1268 | e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe | 8574984654.exe (3 identical entries)
  PID 3440 wrote to memory of 1480 | 3440 | 8574984654.exe | cmd.exe (3 identical entries)
  PID 1664 wrote to memory of 2132 | 1664 | Phxph.exe | Phxph.exe (3 identical entries)
  PID 1480 wrote to memory of 4848 | 1480 | cmd.exe | PING.EXE (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e04a256c68ff6adaa41f2737938a3138ef1140feacc9ea8376d7d1af6720a893.exe"
  - Drops file in System32 directory
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\8574984654.exe
    Command line: C:\Windows\System32\8574984654.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\SysWOW64\857498~1.EXE > nul
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe
- C:\Windows\SysWOW64\Phxph.exe
  Command line: C:\Windows\SysWOW64\Phxph.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Phxph.exe
    Command line: C:\Windows\SysWOW64\Phxph.exe -acsi
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\8574984654.exe (2 identical entries)
  Filesize: 1024KB
  MD5: 41863c7667ff5112217248be09050640
  SHA1: b605797daafafe0236d4e4ed6f7c9bd7a0a40ce6
  SHA256: 198c29ff12d08fbdca29794b413b85db79f04b01d3a3ffc78c402cf11328d85f
  SHA512: 7a8eceb2c7ae66faa243b5b2d109b3d3fb56fa1d051628b856d9075c3278355ef72232d1f79cb3c68db8d0f92421fa9d107328721c7c5bb1f52bd646c25eac5e
- C:\Windows\SysWOW64\Phxph.exe (3 identical entries)
  Filesize: 1024KB
  MD5: 41863c7667ff5112217248be09050640
  SHA1: b605797daafafe0236d4e4ed6f7c9bd7a0a40ce6
  SHA256: 198c29ff12d08fbdca29794b413b85db79f04b01d3a3ffc78c402cf11328d85f
  SHA512: 7a8eceb2c7ae66faa243b5b2d109b3d3fb56fa1d051628b856d9075c3278355ef72232d1f79cb3c68db8d0f92421fa9d107328721c7c5bb1f52bd646c25eac5e
- memory/1480-151-0x0000000000000000-mapping.dmp
- memory/1664-146-0x0000000000400000-0x000000000062C340-memory.dmp
  Filesize: 2.2MB
- memory/1664-155-0x0000000000400000-0x000000000062C340-memory.dmp
  Filesize: 2.2MB
- memory/2132-152-0x0000000000000000-mapping.dmp
- memory/2132-157-0x0000000010000000-0x00000000101A0000-memory.dmp
  Filesize: 1.6MB
- memory/2132-163-0x0000000000400000-0x000000000062C340-memory.dmp
  Filesize: 2.2MB
- memory/3440-144-0x0000000000400000-0x000000000062C340-memory.dmp
  Filesize: 2.2MB
- memory/3440-135-0x0000000010000000-0x00000000101A0000-memory.dmp
  Filesize: 1.6MB
- memory/3440-132-0x0000000000000000-mapping.dmp
- memory/3440-153-0x0000000000400000-0x000000000062C340-memory.dmp
  Filesize: 2.2MB
- memory/4848-156-0x0000000000000000-mapping.dmp