Analysis

- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2023 01:28

- Static task: static1
- Behavioral task: behavioral1
- Sample: a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe
- Resource: win7-20230220-en
General

- Target: a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe
- Size: 802KB
- MD5: 43dc1d7eeef9b4ca0d455404b12c34c8
- SHA1: 2e618174d09b00abc16d34bff7b646e036adf253
- SHA256: a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
- SHA512: b65a6542520ae094d8f9101d062339a997aa2eaed426e3aaa4c79145d97debf75062df334df4c02d874ebe15731e035bbf7b7cd0f55c248d4b6a45294c5c70c7
- SSDEEP: 24576:Sny/f9uCOXP25JiBvuXwKhbBh4iv/IVVWX77Sj+ithPW1:XF0IJSmgaVhvv/IVKyj+d
Malware Config

- Extracted family: gh0strat
- Extracted address: 190.92.242.47
Signatures

YARA rule purplefox_rootkit matches
Processes:
- behavioral2/memory/2960-179-0x0000000010000000-0x0000000010192000-memory.dmp: purplefox_rootkit
- behavioral2/memory/2960-194-0x0000000000400000-0x000000000060E000-memory.dmp: purplefox_rootkit

Gh0st RAT payload 2 IoCs
Processes:
- behavioral2/memory/2960-179-0x0000000010000000-0x0000000010192000-memory.dmp: family_gh0strat
- behavioral2/memory/2960-194-0x0000000000400000-0x000000000060E000-memory.dmp: family_gh0strat

Downloads MZ/PE file

YARA rule aspack_v212_v242 matches
Processes:
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe: aspack_v212_v242 (listed 3 times)

Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation by a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation by Project.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation by _config.exe

Executes dropped EXE 4 IoCs
Processes:
- PID 1424 Project.exe
- PID 2960 music.exe
- PID 2984 _config.exe
- PID 448 _config.exe

Loads dropped DLL 1 IoCs
Processes:
- PID 1424 Project.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- music.exe opened (read-only): \??\W:, \??\X:, \??\E:, \??\I:, \??\J:, \??\K:, \??\L:, \??\R:, \??\Y:, \??\F:, \??\O:, \??\P:, \??\Q:, \??\T:, \??\U:, \??\G:, \??\H:, \??\N:, \??\V:, \??\B:, \??\M:, \??\S:, \??\Z:

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by music.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by music.exe

Modifies registry class 1 IoCs
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by helppane.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 2960 music.exe (64 occurrences)

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- PID 4136 helppane.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 4136 helppane.exe (2 occurrences)

Suspicious use of WriteProcessMemory 15 IoCs
Processes (each entry recorded 3 times):
- PID 4504 a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe wrote to memory of PID 1424 Project.exe
- PID 1424 Project.exe wrote to memory of PID 2960 music.exe
- PID 1424 Project.exe wrote to memory of PID 2984 _config.exe
- PID 4136 helppane.exe wrote to memory of PID 448 _config.exe
- PID 448 _config.exe wrote to memory of PID 4880 reg.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\_config.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_config.exe"
      - Executes dropped EXE

C:\Windows\helppane.exe
  Command line: C:\Windows\helppane.exe -Embedding
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\_config.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\_config.exe" shell32.dll,ShellExec_RunDLL reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vdkqswy25A" /f
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Vdkqswy25A" /f
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Project.exe (listed 3 times)
- Filesize: 1.1MB
- MD5: 4d4f8aea7be8e5f2372f6dbca75aa8ba
- SHA1: 5ca38dbc0188d1a93a043562f67cf4319ffdd24d
- SHA256: 75451351d739d060273d8f6985b42596e37fc7acc27130e44dee16c589c012e2
- SHA512: 78f35eeeac14b8a4aabff7909f8770f13397e7f892cc46f48575818ede272c2d2d40a9bd20466144cd0d9044713002205be72212187e231a966a109b8f761097

C:\Users\Admin\AppData\Local\Temp\RarSFX0\VMProtectSDK32.dll (also listed as vmprotectsdk32.dll with identical hashes)
- Filesize: 98KB
- MD5: 29e0b67635a30d87d929bc1614eff68f
- SHA1: 180a56d7fb6473ae8449fea7f2e6f105e9e5bb0b
- SHA256: b2dd017dd8bf60e5a439a202af9e4dbd8a4bf57d72e6dc7528484c6f34eadc8e
- SHA512: 68a8266a1a6f2b270e9dff6b553fff4f7557ed05496aa8007b29a3bacfcf9d4228175a34460ceb43a797e8e7f44d7b33088c67fd835e3e56c64e92868ef27c49

C:\Users\Admin\AppData\Local\Temp\_config.exe (listed 3 times)
- Filesize: 82KB
- MD5: cbbdef6c4d82eb4ff01ed43f1e641907
- SHA1: 722ba8786507f2cad599b11cdc4a139909f4f9f1
- SHA256: 37a5d7960b09d3f0ec4c8d39203ce285a9ced3c70c3e3fbd5c6f3f21678bdec4
- SHA512: 6f8cbe5555d7354920bb03177b69947cec6825bb71a4a77e154b185061214f57f7fcc75f5e477fc432a66094ff1ba4edc823abaf2cf7cd03191b4b566a85d1fd

C:\Users\Admin\AppData\Local\Temp\_config.lnk
- Filesize: 2KB
- MD5: 1748623398aa1b75cf7243b95d5c6186
- SHA1: 32f1c83e77a8fede7a6eddd719aacdd05cf6a1ee
- SHA256: 650854637c0d79f65bebedc577d3c0971584f75bed3ff67a362b48d481c88de7
- SHA512: 623a1c19f56f9d7fe9707da617537855a906df26222514ce8b88e5765da0cf0c74c69f54d08ef806fcab4c3fdf6e12a36d81cedbacb57f78c9f4d4f19d00f280

C:\Users\Admin\AppData\Roaming\Vdkqswy25A\music.exe (listed 3 times)
- Filesize: 4.6MB
- MD5: 9665de160f7695ba54117e9e3619564c
- SHA1: 7b49f7051f16188b14bf073c8e770ebbd005bdea
- SHA256: cc68b5edae8acaaf394ae0b92b6199f83630b9d66ba60152f0db0aa849cb0ece
- SHA512: 5e035593ca524999b4b8dd275d754ef52f38de24c251699ed5179f2fcf5c12e7a92e1aea67bc52d22954c324afec786c894643b5a1dd7f0f2bc331c3fe32968b
Memory dumps (Filesize):
- memory/1424-151-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-153-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-193-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-154-0x0000000000AE0000-0x0000000000AE1000-memory.dmp: 4KB
- memory/1424-149-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-150-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-152-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/1424-190-0x0000000000400000-0x0000000000719000-memory.dmp: 3.1MB
- memory/2960-173-0x0000000000400000-0x000000000060E000-memory.dmp: 2.1MB
- memory/2960-187-0x0000000000920000-0x000000000092E000-memory.dmp: 56KB
- memory/2960-179-0x0000000010000000-0x0000000010192000-memory.dmp: 1.6MB
- memory/2960-175-0x0000000000400000-0x000000000060E000-memory.dmp: 2.1MB
- memory/2960-172-0x0000000000400000-0x000000000060E000-memory.dmp: 2.1MB
- memory/2960-194-0x0000000000400000-0x000000000060E000-memory.dmp: 2.1MB
- memory/2960-195-0x0000000000920000-0x000000000092E000-memory.dmp: 56KB