Analysis
  max time kernel: 148s
  max time network: 146s
  platform: windows10-2004_x64
  resource: win10v2004-20230220-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 14-04-2023 20:51
Static task: static1
Behavioral task: behavioral1
  Sample: 7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe
  Resource: win7-20230220-en
Note: the task list names behavioral1 on the win7-20230220-en image, but the platform/resource fields above and the behavioral2/... memory-dump paths cited in the signatures belong to the windows10-2004_x64 run. Everything below (signatures, process tree, dropped files) is from that win10 task; the win7 task's results are not on this page.
General
  Target: 7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe
  Size: 128KB
  MD5: 365a35529ee435cddd9de32431afd12c
  SHA1: 178ce858f68bb08e8bca4f9e2e8d2fe82ef3bf75
  SHA256: 7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89
  SHA512: ffa8acf8161eac1861b963a160c58e7a92fde87485ab33812d3de8c8fcafdfefd0af5dab662191801c5b610b0c5b07fa17c4658df33575ca7a9a7e2c1fb74a2a
  SSDEEP: 768:fbMwpn7mbSZseodBoPIvWChOdgOOfukK62dwLClrBjLJJt7qP+h4xATPqdfs2+ht:7p7mbS7tPfBjlXhkep45JPkqi0BURZ
Malware Config: (no entries on this page)
Signatures
PurpleFox rootkit YARA match (the signature title is missing from the page; identified by its rule name)
  yara rule: purplefox_rootkit
  resource: behavioral2/memory/5012-181-0x0000000010000000-0x0000000010191000-memory.dmp
Gh0st RAT payload 1 IoCs
  yara rule: family_gh0strat
  resource: behavioral2/memory/5012-181-0x0000000010000000-0x0000000010191000-memory.dmp
Note: both rules fire on the same dump, taken from pid 5012 (2.exe). 0x10000000 is the default image base of a 32-bit DLL, so this is one in-memory module (1.6MB, see Downloads) that matches both the Gh0st and the PurpleFox rule sets, consistent with 2.exe unpacking a Gh0st-derived DLL in its own address space. It is not two separate payloads.
Downloads MZ/PE file (no IoCs listed on this page)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
  process: 7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe (pid 1156)
  ioc: Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation
Note: Geo\Nation holds the user's GeoID, the numeric country code set in the Region control panel. The report records only the query, not the value the sample compares it against, so the intended country cannot be read from this page. If the sample gates its payload on that value, a sandbox whose GeoID does not match will not show the full behaviour; re-detonating with a different Region setting is the check to run before concluding the sample is inert.
Executes dropped EXE 3 IoCs
  pid 5012  2.exe
  pid 2752  test.exe
  pid 2768  ǧţ¹¤×÷̨_9.17.7.0.exe
Note: the third name is mis-decoded on the page. The sandbox emitted the file name's raw GBK bytes and the page rendered them as UTF-8 where a byte pair happened to be valid and Latin-1 otherwise; the underlying bytes decode as 千牛工作台_9.17.7.0.exe, the name of Alibaba's Qianniu seller workbench. The name alone does not establish that the 63.4MB binary is the genuine client; that needs a signature check on the dropped file.
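The third dropped file's name above is the report's mis-decoding of a GBK file name. The Python below is an added example, not part of the report, that reverses the page's decode (UTF-8 where a byte pair happened to be valid, Latin-1 for the rest) to get the original bytes back and then decodes them as GBK. The input is the name exactly as the page prints it, written with escapes so the combining character survives copy and paste; the assumption that the original name used a single legacy code page is stated in the code.

```python
# Added example (not part of the sandbox report): recover a dropped-file name
# that the report shows as mojibake.  The sandbox emitted the raw GBK bytes of
# the name; the page then decoded them as UTF-8 wherever a byte pair happened to
# form a valid sequence and fell back to Latin-1 elsewhere.  Reversing that
# mapping returns the original bytes, which decode cleanly as GBK.

def mojibake_to_bytes(s: str) -> bytes:
    """Undo a 'UTF-8 where possible, Latin-1 otherwise' decode.

    Characters below U+0100 were Latin-1 fallbacks and map back to one byte;
    anything higher came from a successful UTF-8 decode and maps back to its
    UTF-8 encoding.  Assumption: the original bytes held no genuine UTF-8, which
    is true for a name written in a single legacy code page such as GBK.
    """
    out = bytearray()
    for ch in s:
        cp = ord(ch)
        if cp < 0x100:
            out.append(cp)
        else:
            out += ch.encode("utf-8")
    return bytes(out)


def recover_name(s: str, codepage: str = "gbk") -> str:
    """Recover the legacy-code-page file name from its mojibake form.

    `codepage` is an assumption supplied by the analyst; GBK is the right one
    here, but the same trick works for big5, cp949 etc. when the bytes decode
    without error under that code page.
    """
    return mojibake_to_bytes(s).decode(codepage)


# The name exactly as the report prints it.  U+0328 is a combining ogonek that
# renders attached to the preceding '÷'; the escapes keep it intact.
REPORTED_NAME = "\u01e7\u0163\u00b9\u00a4\u00d7\u00f7\u0328_9.17.7.0.exe"

if __name__ == "__main__":
    raw = mojibake_to_bytes(REPORTED_NAME)
    print(raw.hex(" "))
    print(recover_name(REPORTED_NAME))
```

The recovered bytes are c7a7 c5a3 b9a4 d7f7 cca8 followed by the ASCII tail; GBK reads them as 千牛工作台 (Qianniu workbench). A name that decodes without error under the chosen code page and re-encodes to the same bytes is the consistency check to apply before trusting the result.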
Drops file in System32 directory 3 IoCs
  process: mmc.exe (pid 4212)
  File opened for modification C:\Windows\System32\gpedit.msc
  File opened for modification C:\Windows\System32\GroupPolicy
  File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
Note: mmc.exe loaded with gpedit.msc is the Local Group Policy Editor, and gpt.ini under System32\GroupPolicy is what it rewrites when local policy is saved. In the process tree below mmc.exe is a top-level process with no parent linking it to the sample, so this page does not show that the sample launched it or what policy, if any, was changed.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Note: this is a generic heuristic with no process or IoC attached on this page, and nothing else in the report (no file-encryption activity, no ransom note) supports the ransomware reading; the memory matches point to a Gh0st-family RAT instead.
Modifies registry class 1 IoCs
  process: cmd.exe (pid 1892)
  ioc: Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings
Note: this is the per-user shell cache key that ShellExecute commonly touches; given that the cmd.exe command line is `cmd /c start C:\ProgramData\114514`, the key creation is a side effect of `start` resolving its target and carries little weight on its own.
Suspicious behavior: EnumeratesProcesses 54 IoCs
  pid 2752  test.exe  (54 process-enumeration events)
Suspicious use of AdjustPrivilegeToken 5 IoCs
  Token: SeDebugPrivilege                                     pid 2768  ǧţ¹¤×÷̨_9.17.7.0.exe
  Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege)  pid 4212  mmc.exe  (2 events)
  Token: SeIncBasePriorityPrivilege                            pid 4212  mmc.exe  (2 events)
Note: SeDebugPrivilege is the only entry here that matters for process tampering, and it is enabled by the 63.4MB dropped executable, not by 2.exe where the Gh0st payload was found. The two mmc.exe privileges are low-value (working-set size and scheduling priority) and are not evidence of anything.
Suspicious use of SetWindowsHookEx 6 IoCs
  pid 1156  7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe
  pid 5012  2.exe
  pid 4212  mmc.exe  (4 events)
Suspicious use of WriteProcessMemory 12 IoCs
  writer pid 1156 (7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe) -> pid 5012 2.exe                  3 writes
  writer pid 1156 (7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe) -> pid 2752 test.exe               3 writes
  writer pid 2752 (test.exe)                                                                -> pid 1892 cmd.exe                3 writes
  writer pid 1156 (7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe) -> pid 2768 ǧţ¹¤×÷̨_9.17.7.0.exe    3 writes
Note: every target is the writer's own direct child in the process tree below, and each child receives exactly three writes. That pattern is consistent with the parent setting up a process it has just created and does not by itself show code injection. The entry that would justify escalation is a write into a process the writer did not spawn; there is none on this page.
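The WriteProcessMemory entries above are all writes by a parent into a process it spawns. The Python below is an added example, not anything from the report: it parses the event lines as printed, cross-references each (writer, target) pair with the parent/child edges of the process tree, and separates spawn-time writes from writes into a process the writer did not create. The twelve event lines and the four tree edges are copied from this page; the one extra event used to exercise the other branch is constructed and labelled as such.

```python
import re
from collections import Counter

# Added example (not part of the sandbox report): classify WriteProcessMemory
# events by whether the target is a process the writer itself spawned.  Writes
# into a freshly created child are expected during process start-up; a write
# into any other process is the pattern worth escalating as possible injection.

# Event line format as the report prints it:
#   "PID <src> wrote to memory of <dst> <src> <srcname> <dstname>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

SAMPLE = "7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe"
QN = "\u01e7\u0163\u00b9\u00a4\u00d7\u00f7\u0328_9.17.7.0.exe"  # name as printed on the page

# The twelve event lines from the report, one per list entry.
REPORT_EVENTS = (
    [f"PID 1156 wrote to memory of 5012 1156 {SAMPLE} 2.exe"] * 3
    + [f"PID 1156 wrote to memory of 2752 1156 {SAMPLE} test.exe"] * 3
    + ["PID 2752 wrote to memory of 1892 2752 test.exe cmd.exe"] * 3
    + [f"PID 1156 wrote to memory of 2768 1156 {SAMPLE} {QN}"] * 3
)

# Parent -> child edges read off the report's process tree (PIDs from the signatures).
REPORT_TREE = {(1156, 5012), (1156, 2752), (2752, 1892), (1156, 2768)}

# Constructed, NOT in the report: a write from test.exe back into the sample,
# i.e. into a process test.exe did not create.  Used only to show the other branch.
CONSTRUCTED_EXTRA = [f"PID 2752 wrote to memory of 1156 2752 test.exe {SAMPLE}"]


def parse_events(lines):
    """Turn report lines into (src_pid, dst_pid, src_name, dst_name) tuples."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        src, dst, src_name, dst_name = m.groups()
        events.append((int(src), int(dst), src_name, dst_name))
    return events


def classify_writes(lines, tree):
    """Return {(src_pid, dst_pid): (write_count, src_name, dst_name, verdict)}.

    verdict is "spawn" when (src, dst) is a parent->child edge of the process
    tree, otherwise "injection-candidate".
    """
    counts = Counter()
    names = {}
    for src, dst, src_name, dst_name in parse_events(lines):
        counts[(src, dst)] += 1
        names[(src, dst)] = (src_name, dst_name)
    result = {}
    for key, n in counts.items():
        src_name, dst_name = names[key]
        verdict = "spawn" if key in tree else "injection-candidate"
        result[key] = (n, src_name, dst_name, verdict)
    return result


if __name__ == "__main__":
    for (src, dst), (n, sn, dn, verdict) in classify_writes(
        REPORT_EVENTS + CONSTRUCTED_EXTRA, REPORT_TREE
    ).items():
        print(f"{src:>5} {sn[:12]:<12} -> {dst:>5} {dn[:12]:<12} x{n}  {verdict}")
```

Run against the report's own events every pair comes back as "spawn" with three writes; only the constructed write from test.exe into the sample is flagged. The tree edges are an input rather than something inferred from the writes, because a parent/child relation has to come from process-creation telemetry, not from the fact that memory was written.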
Processes
C:\Users\Admin\AppData\Local\Temp\7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe  (pid 1156)
  command line: "C:\Users\Admin\AppData\Local\Temp\7346923522f973adfd719e3d2a4a3a0247412f06ca2e3c21743c67e6e0cb3f89.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\homo\2.exe  (pid 5012)
      command line: "C:\ProgramData\homo\2.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\ProgramData\homo\test.exe  (pid 2752)
      command line: "C:\ProgramData\homo\test.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (pid 1892)
          command line: cmd /c start C:\ProgramData\114514
          - Modifies registry class
    C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe  (pid 2768)
      command line: "C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\rundll32.exe  (top level; pid not shown on the page)
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\mmc.exe  (top level; pid 4212)
  command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Notes on the tree: the sample drops three executables into C:\ProgramData\homo and runs each directly. cmd.exe resolves to SysWOW64, which means test.exe is a 32-bit process (file-system redirection picks the 32-bit cmd for a 32-bit caller); the `start C:\ProgramData\114514` target has no extension and its content is not shown. rundll32.exe and mmc.exe have no parent link to the sample in this tree, so their activity cannot be attributed to the sample from this page alone, and the gpedit.msc launch is the most likely source of the System32\GroupPolicy modifications listed under mmc.exe.
Network: (no entries on this page)
MITRE ATT&CK Matrix (ATT&CK v6): (matrix not reproduced on this page)
Downloads
(each dropped file is listed three times on the page with identical hashes; one entry per file is kept here)

C:\ProgramData\homo\2.exe
  Filesize: 1.2MB
  MD5: 918c33c51930cc45c29cdea2a6e5598d
  SHA1: 3fb833638ed284de05f33ef4be292e51488da4e1
  SHA256: fe0ff8ecdbfb96f47efa095af06ce0efce05a809e8b913a333986147b0cfb3fc
  SHA512: 7440b207f09d39c7b2fa2bb118a599fd2a45bb83ea646ad6ef54b2b2ad45ba663179b5a77a42b838f990ce333bf6841f1bab9056b35106261885a25ba911449c

C:\ProgramData\homo\test.exe
  Filesize: 339KB
  MD5: 6818b874ffa381f146aa488c187d5da9
  SHA1: 81cef46615817f40621cf902fcc545219a654bb5
  SHA256: 2a0e91e311ac78cd5b780db471c2c189a35f73ec4bfd800d807962a6b4ef97b5
  SHA512: 34f4e409a7d3047416867f8321db158e7b93faf152ff79f80de5fd275ce5267941c001a84d2f86362135b3fef10600b5e4e1fcf74aa7df4892f634d50e19380a

C:\ProgramData\homo\ǧţ¹¤×÷̨_9.17.7.0.exe  (file name mis-decoded on the page; GBK bytes read 千牛工作台_9.17.7.0.exe)
  Filesize: 63.4MB
  MD5: 582af090673ae579d335bca6f06f4ff4
  SHA1: c143b0e57bcff41415f130fc11d234321c08fdf0
  SHA256: 7613a27c9a4186345412410868b441730e0e25ec70f0401c79ae9d0f3f03b74f
  SHA512: fc7d309b37ea6fa573b130f6fcd25fab05a40b9787dad21ffaf67dbf0b3e5ed29f25e81996b06f51e73975022872e60c5055eee55b974a1c74d92b3617df4a8e

Memory dumps
memory/4212-180-0x0000000004BB0000-0x0000000005307000-memory.dmp  (mmc.exe, pid 4212)
  Filesize: 7.3MB
  No YARA rule matched this region.
memory/5012-181-0x0000000010000000-0x0000000010191000-memory.dmp  (2.exe, pid 5012)
  Filesize: 1.6MB
  Matched by purplefox_rootkit and family_gh0strat (see Signatures); the region size 0x191000 agrees with the listed 1.6MB, and the 0x10000000 base is the default image base of a 32-bit DLL.