Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-03-2023 06:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: image_2023-03-25_15-34-35.png.virus.exe
  - Resource: win7-20230220-en
General
- Target: image_2023-03-25_15-34-35.png.virus.exe
- Size: 1.5MB
- MD5: 304f1fe84d21240f53265556f3e7aec1
- SHA1: ba0b6b5b2b95316e64e9ff0707d05aba07f614c5
- SHA256: 445823ec2a16daeee6bab7018eb8e940d196d32e1e658745dabe925ccb9e2529
- SHA512: d63606f4c2c0aac50ad8bd9bc096262f425bfb929dd4358156ec1bc497c80d0251c9595f77781b1dfd4b3c0c971bdbea0a190512db896e499a1a04974682a620
- SSDEEP: 24576:fLM4cWyTOI+rDsjmWs4V6NB+HMSu+O8MYehJsjLvYikHHJkSj+Z9X6DciYamKgFY:fLM4c3TOtrDsKivuwMhJKvrmHJcpSPYU
Malware Config
Signatures
-
Processes:
- resource: behavioral2/memory/3600-6674-0x0000000010000000-0x000000001019F000-memory.dmp; yara_rule: purplefox_rootkit
- resource: behavioral2/memory/3600-6691-0x0000000000400000-0x0000000000625000-memory.dmp; yara_rule: purplefox_rootkit
-
Gh0st RAT payload 2 IoCs
Processes:
- resource: behavioral2/memory/3600-6674-0x0000000010000000-0x000000001019F000-memory.dmp; yara_rule: family_gh0strat
- resource: behavioral2/memory/3600-6691-0x0000000000400000-0x0000000000625000-memory.dmp; yara_rule: family_gh0strat
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (all entries: process image_2023-03-25_15-34-35.png.virus.exe, description "File opened (read-only)"):
- ioc: \??\K:
- ioc: \??\L:
- ioc: \??\M:
- ioc: \??\N:
- ioc: \??\P:
- ioc: \??\R:
- ioc: \??\U:
- ioc: \??\E:
- ioc: \??\X:
- ioc: \??\W:
- ioc: \??\O:
- ioc: \??\F:
- ioc: \??\G:
- ioc: \??\H:
- ioc: \??\I:
- ioc: \??\Q:
- ioc: \??\T:
- ioc: \??\Z:
- ioc: \??\B:
- ioc: \??\S:
- ioc: \??\V:
- ioc: \??\Y:
- ioc: \??\J:
-
Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
Processes:
- 37 entries, each with pid 3600, process image_2023-03-25_15-34-35.png.virus.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: image_2023-03-25_15-34-35.png.virus.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz; process: image_2023-03-25_15-34-35.png.virus.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 64 entries, each with pid 3600, process image_2023-03-25_15-34-35.png.virus.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
- description: Token: 33; pid: 3600; process: image_2023-03-25_15-34-35.png.virus.exe
- description: Token: SeIncBasePriorityPrivilege; pid: 3600; process: image_2023-03-25_15-34-35.png.virus.exe
- description: Token: 33; pid: 3600; process: image_2023-03-25_15-34-35.png.virus.exe
- description: Token: SeIncBasePriorityPrivilege; pid: 3600; process: image_2023-03-25_15-34-35.png.virus.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\image_2023-03-25_15-34-35.png.virus.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\image_2023-03-25_15-34-35.png.virus.exe"
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3600-133-0x0000000000400000-0x0000000000625000-memory.dmp (Filesize: 2.1MB)
- memory/3600-134-0x0000000075700000-0x0000000075915000-memory.dmp (Filesize: 2.1MB)
- memory/3600-2072-0x0000000076390000-0x0000000076530000-memory.dmp (Filesize: 1.6MB)
- memory/3600-3077-0x00000000753E0000-0x000000007545A000-memory.dmp (Filesize: 488KB)
- memory/3600-6670-0x0000000000400000-0x0000000000625000-memory.dmp (Filesize: 2.1MB)
- memory/3600-6671-0x0000000000400000-0x0000000000625000-memory.dmp (Filesize: 2.1MB)
- memory/3600-6673-0x0000000000400000-0x0000000000625000-memory.dmp (Filesize: 2.1MB)
- memory/3600-6674-0x0000000010000000-0x000000001019F000-memory.dmp (Filesize: 1.6MB)
- memory/3600-6691-0x0000000000400000-0x0000000000625000-memory.dmp (Filesize: 2.1MB)