Analysis
- max time kernel: 141s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-03-2023 03:09
Behavioral task: behavioral1
- Sample: e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
- Resource: win7-20230220-en
General
- Target: e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
- Size: 20KB
- MD5: 9a2d73c4e432f7e5b79ca679dfaea411
- SHA1: 00531b635ccb5f450aa9e2abaae904094b2576e5
- SHA256: e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d
- SHA512: d02dc5bf1cc399a3f944cd5cbed47984effc696cf31cf67c5bcae58ff3c7b937e61218cd03727d800776c98509123fead7f875b842d3d8e67758eba682b6f89e
- SSDEEP: 384:6353Z9WzLE7FCFSHR2yU03QGHc4Je1dJqsNbeVvQkkrIaNJawcudoD7Ukalk:6phCSwmxc4Je1dT0IkQhnbcuyD7Ukal
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/4020-174-0x0000000010000000-0x0000000010191000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4020-174-0x0000000010000000-0x0000000010191000-memory.dmp | family_gh0strat
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
4020 | 2.exe
3092 | test.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2144-133-0x0000000000400000-0x0000000000415000-memory.dmp | upx
behavioral2/memory/2144-163-0x0000000000400000-0x0000000000415000-memory.dmp | upx
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\R: | 2.exe
File opened (read-only) | \??\U: | 2.exe
File opened (read-only) | \??\F: | 2.exe
File opened (read-only) | \??\G: | 2.exe
File opened (read-only) | \??\L: | 2.exe
File opened (read-only) | \??\Y: | 2.exe
File opened (read-only) | \??\Z: | 2.exe
File opened (read-only) | \??\I: | 2.exe
File opened (read-only) | \??\J: | 2.exe
File opened (read-only) | \??\K: | 2.exe
File opened (read-only) | \??\M: | 2.exe
File opened (read-only) | \??\N: | 2.exe
File opened (read-only) | \??\Q: | 2.exe
File opened (read-only) | \??\T: | 2.exe
File opened (read-only) | \??\V: | 2.exe
File opened (read-only) | \??\W: | 2.exe
File opened (read-only) | \??\X: | 2.exe
File opened (read-only) | \??\B: | 2.exe
File opened (read-only) | \??\E: | 2.exe
File opened (read-only) | \??\H: | 2.exe
File opened (read-only) | \??\O: | 2.exe
File opened (read-only) | \??\P: | 2.exe
File opened (read-only) | \??\S: | 2.exe
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\GroupPolicy | mmc.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | mmc.exe
File opened for modification | C:\Windows\System32\gpedit.msc | mmc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 2.exe
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | cmd.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3092 | test.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3896 | mmc.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: 33 | 3896 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3896 | mmc.exe
Token: 33 | 3896 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3896 | mmc.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid | process
2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
4020 | 2.exe
3896 | mmc.exe
3896 | mmc.exe
3896 | mmc.exe
3896 | mmc.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2144 wrote to memory of 4020 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | 2.exe
PID 2144 wrote to memory of 4020 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | 2.exe
PID 2144 wrote to memory of 4020 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | 2.exe
PID 2144 wrote to memory of 3092 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | test.exe
PID 2144 wrote to memory of 3092 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | test.exe
PID 2144 wrote to memory of 3092 | 2144 | e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe | test.exe
PID 3092 wrote to memory of 4184 | 3092 | test.exe | cmd.exe
PID 3092 wrote to memory of 4184 | 3092 | test.exe | cmd.exe
PID 3092 wrote to memory of 4184 | 3092 | test.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2fd0fe39769e6e4cacae7a8c3366e02fe3016cf8d156bda7db2affd8673d38d.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\homo\2.exe
    Command line: "C:\ProgramData\homo\2.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\homo\test.exe
    Command line: "C:\ProgramData\homo\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
      - Modifies registry class
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\homo\2.exe
Filesize: 1.2MB
MD5: ddc1266b1d6ae3b9cceec4078b91936e
SHA1: 3fb80c7dac6e48f45306ba11fc95c3ad8e6bcd41
SHA256: 8cef452d1f95a672b130e64fdb5b71cc1b1cdf4c0533791aa4ce65dffb256a41
SHA512: a0d5e3ceec16f9a75adf453ea4999a79615d4566fb6cb9dd80f94a286d00378407b429d515fa2499756e5b3a24af6f735e4063f5265768215f9b6158f88ed1d4
-
C:\ProgramData\homo\test.exe
Filesize: 208KB
MD5: 918d059d9c6573de0fb710d7c62b39f8
SHA1: 56d5754101a542d27bca93c1b008293ddb5b8048
SHA256: 73273191ff57825b6a32c776e2ac29800aec5febc70ea64c3d5128abcf7b49df
SHA512: 2b9436b060254485b71e7570705009269e03aa8e78b7cb6020986d781cf718fba89457944fce7d32a71df8b24a795e3bcfb4ed097078b732a5748c1f8238ba57
-
memory/2144-133-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize: 84KB
-
memory/2144-163-0x0000000000400000-0x0000000000415000-memory.dmp
Filesize: 84KB
-
memory/3896-172-0x0000000005970000-0x0000000006431000-memory.dmp
Filesize: 10.8MB
-
memory/4020-174-0x0000000010000000-0x0000000010191000-memory.dmp
Filesize: 1.6MB