Analysis
max time kernel: 149s
max time network: 139s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2023 01:21
Static task: static1
Behavioral task: behavioral1
  Sample: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
  Resource: win10v2004-20230221-en
General
Target: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
Size: 132KB
MD5: 1148d4f4f27067471f705cf7225a53ba
SHA1: fe93f393ab9bbb2ea02dd9145fffebfc6b02d4fb
SHA256: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916
SHA512: 78bc4d21ee5ce684108fee9bb0230af5c899e5fee38a1e4740249dc8a7350c6b5cf7b9c953953cf080b0bef5ecec77089cc5b4503dde42504ba04aa800728610
SSDEEP: 1536:kgT/0TkbIjdWdPfBjlXhkep45JPkqi0BmVL:ku8TkbkdW7jlXhk1kqOV
Malware Config
Signatures
Processes:
  resource: behavioral1/memory/560-145-0x0000000010000000-0x0000000010191000-memory.dmp, yara_rule: purplefox_rootkit
Gh0st RAT payload 1 IoCs
Processes:
  resource: behavioral1/memory/560-145-0x0000000010000000-0x0000000010191000-memory.dmp, yara_rule: family_gh0strat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes:
  pid 560: 2.exe
  pid 1336: test.exe
Loads dropped DLL 3 IoCs
Processes:
  pid 2040: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe (3 occurrences)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  2.exe: File opened (read-only) \??\J:, \??\N:, \??\W:, \??\G:, \??\I:, \??\K:, \??\P:, \??\X:, \??\Z:, \??\B:, \??\F:, \??\M:, \??\R:, \??\V:, \??\Y:, \??\E:, \??\L:, \??\Q:, \??\S:, \??\T:, \??\U:, \??\H:, \??\O:
Drops file in System32 directory 3 IoCs
Processes:
  mmc.exe: File opened for modification C:\Windows\System32\gpedit.msc
  mmc.exe: File opened for modification C:\Windows\System32\GroupPolicy
  mmc.exe: File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  2.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Modifies Internet Explorer settings
Processes:
  mmc.exe: Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 1336: test.exe (64 occurrences)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1744: mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: 33, pid 1744, mmc.exe
  Token: SeIncBasePriorityPrivilege, pid 1744, mmc.exe
  Token: 33, pid 1744, mmc.exe
  Token: SeIncBasePriorityPrivilege, pid 1744, mmc.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid 2040: 07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
  pid 560: 2.exe
  pid 1744: mmc.exe (4 occurrences)
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  PID 2040 (07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe) wrote to memory of PID 560 (2.exe), 4 occurrences
  PID 2040 (07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe) wrote to memory of PID 1336 (test.exe), 7 occurrences
  PID 1336 (test.exe) wrote to memory of PID 876 (cmd.exe), 4 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07ba5b5faac498b1c69a157cdc8a307fb6793104bc0d22b0c6683092315df916.exe"
  PID: 2040
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\homo\2.exe
    Command line: "C:\ProgramData\homo\2.exe"
    PID: 560
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  C:\ProgramData\homo\test.exe
    Command line: "C:\ProgramData\homo\test.exe"
    PID: 1336
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
      PID: 876
C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  PID: 1744
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\ProgramData\homo\2.exe
  Filesize: 1.2MB
  MD5: 49e4f42ff5b6ddc6e59342894b4063be
  SHA1: 3adbe0b8cd2898800ebce17b62f7340e0de01f72
  SHA256: 1dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
  SHA512: e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
C:\ProgramData\homo\test.exe
  Filesize: 306KB
  MD5: f8433adc6f530d8f757d621e4b2447e9
  SHA1: d853543836b4cd58c6da4cc8cde576f0a04ac613
  SHA256: 85594116b61a6eaadb6331a8c7cb1d4d09f279dc62d94a1697b567a1377d24a5
  SHA512: 7c1fb8b3ff88145d0d0abe17e53f1135b7cc655426b7a118ec836d91787529c7a4c3ad9bd89bb602d5168486504a61283abe4d614f134e9ab4f95d246c86f3f4
\ProgramData\homo\2.exe
  Filesize: 1.2MB
  MD5: 49e4f42ff5b6ddc6e59342894b4063be
  SHA1: 3adbe0b8cd2898800ebce17b62f7340e0de01f72
  SHA256: 1dbfdfd1bf7f80d9c4530d602a7653c146804351c4bdd3dedfcc7d7d018184b9
  SHA512: e7921f62cb18a694569c4c4a49c547045f825e362f0351c796c789c412379c2d5357c2d4ad935f7075d6370eb6acda4ff4f78c815a60ceef03897b1aaef58c16
\ProgramData\homo\test.exe
  Filesize: 306KB
  MD5: f8433adc6f530d8f757d621e4b2447e9
  SHA1: d853543836b4cd58c6da4cc8cde576f0a04ac613
  SHA256: 85594116b61a6eaadb6331a8c7cb1d4d09f279dc62d94a1697b567a1377d24a5
  SHA512: 7c1fb8b3ff88145d0d0abe17e53f1135b7cc655426b7a118ec836d91787529c7a4c3ad9bd89bb602d5168486504a61283abe4d614f134e9ab4f95d246c86f3f4
memory/560-145-0x0000000010000000-0x0000000010191000-memory.dmp
  Filesize: 1.6MB
memory/1744-125-0x00000000026A0000-0x00000000026A1000-memory.dmp
  Filesize: 4KB
memory/1744-130-0x00000000049A0000-0x0000000004A20000-memory.dmp
  Filesize: 512KB
memory/1744-151-0x00000000026A0000-0x00000000026A1000-memory.dmp
  Filesize: 4KB