Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-04-2023 14:50
- Static task: static1
General
- Target: 5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll
- Size: 16KB
- MD5: 4b93403aa76bc215e41544050406b18f
- SHA1: 8667a7098d119e9da706a135836c4f3e55872f17
- SHA256: 5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994
- SHA512: 883a40659012ec0b4678edf576b30e4936725bf1d9d802a30aa8d91fd7e61b5d8987003fc10c20629a8c0894ae2815077f96b1a798523a193bc5e22c3178d3dd
- SSDEEP: 192:1OIt31YVamI3X3PGR6yIM402ZJZ8d9iiiiiiiTSNNVJ8im6XS+XSyyd:1V91fm4nPG57qjCdiwNVvSmSy
Malware Config
Signatures
YARA rule purplefox_rootkit matched 5 IoCs
- Processes: rundll32.exe (PID 2800)
  resource | yara_rule
  behavioral1/memory/2800-163-0x0000000010000000-0x0000000010040000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2800-165-0x0000000010000000-0x0000000010040000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2800-164-0x0000000010000000-0x0000000010040000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2800-167-0x0000000010000000-0x0000000010040000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2800-240-0x0000000010000000-0x0000000010040000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 1 IoCs
- Processes: rundll32.exe (PID 2800)
  resource | yara_rule
  behavioral1/memory/2800-229-0x0000000003570000-0x00000000035E4000-memory.dmp | family_gh0strat
Blocklisted process makes network request 8 IoCs
- Processes: rundll32.exe
  flow | pid | process
  9 | 2800 | rundll32.exe
  19 | 2800 | rundll32.exe
  27 | 2800 | rundll32.exe
  28 | 2800 | rundll32.exe
  31 | 2800 | rundll32.exe
  44 | 2800 | rundll32.exe
  45 | 2800 | rundll32.exe
  49 | 2800 | rundll32.exe
YARA rule upx matched 6 IoCs
- Processes: rundll32.exe (PID 2800)
  resource | yara_rule
  behavioral1/memory/2800-160-0x0000000010000000-0x0000000010040000-memory.dmp | upx
  behavioral1/memory/2800-163-0x0000000010000000-0x0000000010040000-memory.dmp | upx
  behavioral1/memory/2800-165-0x0000000010000000-0x0000000010040000-memory.dmp | upx
  behavioral1/memory/2800-164-0x0000000010000000-0x0000000010040000-memory.dmp | upx
  behavioral1/memory/2800-167-0x0000000010000000-0x0000000010040000-memory.dmp | upx
  behavioral1/memory/2800-240-0x0000000010000000-0x0000000010040000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
- Processes: rundll32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ϵͳÀ¶ÆÁÐÞ¸´ = "C:\\Windows\\SysWOW64\\rundll32.exe" | rundll32.exe
  (The value name is shown as mojibake; the underlying GBK bytes decode to 系统蓝屏修复, "System Blue Screen Repair".)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- Processes: rundll32.exe
  File opened (read-only) by rundll32.exe: \??\I:, \??\K:, \??\M:, \??\V:, \??\X:, \??\B:, \??\E:, \??\F:, \??\O:, \??\P:, \??\R:, \??\T:, \??\U:, \??\H:, \??\J:, \??\N:, \??\Z:, \??\G:, \??\S:, \??\W:, \??\L:, \??\Q:, \??\Y:
Drops file in System32 directory 11 IoCs
- Processes: svchost.exe
  All paths below are under C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\
  description | ioc
  File opened for modification | DSS.log
  File opened for modification | DSS.jtx
  File created | DSStmp.log
  File created | DSSres00001.jrs
  File created | DSS.chk
  File created | DSTokenDB2.jfm
  File opened for modification | DSTokenDB2.dat
  File opened for modification | DSS.chk
  File created | DSSres00002.jrs
  File created | DSTokenDB2.dat
  File opened for modification | DSS.jcp
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
- Processes: rundll32.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Kills process with taskkill 1 IoCs
- Processes: taskkill.exe
  pid | process
  4112 | taskkill.exe
Modifies registry class 2 IoCs
- Processes: explorer.exe, mspaint.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings | mspaint.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
- Processes: mspaint.exe, rundll32.exe
  pid | process
  4300 | mspaint.exe (2 entries)
  2800 | rundll32.exe (repeated entries; 64 IoCs in total together with the two mspaint.exe entries)
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Processes: taskkill.exe
  description | pid | process
  Token: SeDebugPrivilege | 4112 | taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs
- Processes: mspaint.exe, OpenWith.exe
  pid | process
  4300 | mspaint.exe
  2932 | OpenWith.exe
Suspicious use of WriteProcessMemory 14 IoCs
- Processes: rundll32.exe, rundll32.exe, cmd.exe, explorer.exe
  description | pid | process | target process
  PID 1456 wrote to memory of 2800 | 1456 | rundll32.exe | rundll32.exe (3 entries)
  PID 2800 wrote to memory of 904 | 2800 | rundll32.exe | explorer.exe (3 entries)
  PID 2800 wrote to memory of 4616 | 2800 | rundll32.exe | cmd.exe (3 entries)
  PID 4616 wrote to memory of 4112 | 4616 | cmd.exe | taskkill.exe (3 entries)
  PID 1256 wrote to memory of 4300 | 1256 | explorer.exe | mspaint.exe (2 entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 1456)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2800)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5284b41a942a7ce0db09733b3fae7fce6c786655925f1f3b00af0ea6dc962994.dll,#1
    Signatures: Blocklisted process makes network request; Adds Run key to start application; Enumerates connected drives; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 904)
      Command line: explorer.exe C:\Users\Public\Downloads\1.JPG
    - C:\Windows\SysWOW64\cmd.exe (PID 4616)
      Command line: cmd /c taskkill /f /im hh.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\taskkill.exe (PID 4112)
        Command line: taskkill /f /im hh.exe
        Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 1256)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\mspaint.exe (PID 4300)
    Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Public\Downloads\1.JPG" /ForceBootstrapPaint3D
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
- C:\Windows\System32\svchost.exe (PID 3780)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  Signatures: Drops file in System32 directory
- C:\Windows\system32\OpenWith.exe (PID 2932)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\bScreen.dll
  Filesize: 399KB
  MD5: 07de1a5064bcc7a55fd5c6c59492b9a8
  SHA1: f38a752ed7303798d55d41b9cd938b6789261be5
  SHA256: 011cc062733e526c3ac051e9bc02535499023e4d22d313477e50bd9ecc42a10d
  SHA512: 9e595be498a8ef04f8700219cc5757b39a47d8e89da0c4c34f0addbcaa3386d6dd9fdb47a07dda5d0e7ee746e25317912d0daf23db85127ec5be1f93b6452b20
- C:\Users\Public\Downloads\1.JPG
  Filesize: 102KB
  MD5: e0e247b326e27324551e1514e6815f7d
  SHA1: 6bc8e157ab59c032fc5b28f5c573d462dcef54c2
  SHA256: 0eee81df330948e743bba1bd68ef0b00febfd44cdd6d0ace41ca74cdafc5c39d
  SHA512: 579efdd583953e398eab9160a7d2584a4db88c00213f3d7ce4b4cb3019fd603dca466704a20305e4fa8320bac2f3b99429295dab2ef843a1b308f3be7f998c4a
- Memory dumps (resource | Filesize)
  memory/2800-159-0x0000000002FF0000-0x000000000303F000-memory.dmp | 316KB
  memory/2800-240-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/2800-229-0x0000000003570000-0x00000000035E4000-memory.dmp | 464KB
  memory/2800-167-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/2800-164-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/2800-165-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/2800-163-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/2800-160-0x0000000010000000-0x0000000010040000-memory.dmp | 256KB
  memory/3780-151-0x000001FFA15A0000-0x000001FFA15A1000-memory.dmp | 4KB
  memory/3780-157-0x000001FFA1630000-0x000001FFA1631000-memory.dmp | 4KB
  memory/3780-156-0x000001FFA1630000-0x000001FFA1631000-memory.dmp | 4KB
  memory/3780-155-0x000001FFA1630000-0x000001FFA1631000-memory.dmp | 4KB
  memory/3780-154-0x000001FFA1630000-0x000001FFA1631000-memory.dmp | 4KB
  memory/3780-153-0x000001FFA15A0000-0x000001FFA15A1000-memory.dmp | 4KB
  memory/3780-149-0x000001FFA1520000-0x000001FFA1521000-memory.dmp | 4KB
  memory/3780-142-0x000001FF99260000-0x000001FF99270000-memory.dmp | 64KB
  memory/3780-138-0x000001FF98990000-0x000001FF989A0000-memory.dmp | 64KB