Analysis
max time kernel: 150s
max time network: 142s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22-05-2023 20:32

Tasks
  Static task: static1
  Behavioral task: behavioral1
  Sample: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  Resource: win7-20230220-en
General
Target: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
Size: 36KB
MD5: 37641f75d748d88ab97b797024bed92e
SHA1: 381f79a5f11f1caaa4faf419394ab4b72d836a35
SHA256: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf
SHA512: d0dd3aaa39b67fdadb5af3eadd4f0e88e34a05194af06db16b5b009a6766a318fd351238e1284a0fbbebbbb51f596dcf2a3917e27809d2c7acf8acfb832646eb
SSDEEP: 768:sLno9rS3XcdDhF40Un2WZKaM4C0I8qyM6k46l94A/1CgInmB7o01:sLngS3XcdDhF4Hn2WcaM4C0I8qyM6k42
Malware Config
Signatures
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1392-127-0x0000000010000000-0x0000000010191000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1380-152-0x0000000004790000-0x0000000004810000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 1 IoCs
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1392-127-0x0000000010000000-0x0000000010191000-memory.dmp  family_gh0strat
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes: 2.exe, test.exe
  pid   process
  1392  2.exe
  952   test.exe
Loads dropped DLL 3 IoCs
Processes: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  pid   process
  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 2.exe
  description              ioc     process
  File opened (read-only)  \??\Y:  2.exe
  File opened (read-only)  \??\M:  2.exe
  File opened (read-only)  \??\Q:  2.exe
  File opened (read-only)  \??\U:  2.exe
  File opened (read-only)  \??\P:  2.exe
  File opened (read-only)  \??\V:  2.exe
  File opened (read-only)  \??\W:  2.exe
  File opened (read-only)  \??\G:  2.exe
  File opened (read-only)  \??\H:  2.exe
  File opened (read-only)  \??\I:  2.exe
  File opened (read-only)  \??\L:  2.exe
  File opened (read-only)  \??\X:  2.exe
  File opened (read-only)  \??\Z:  2.exe
  File opened (read-only)  \??\B:  2.exe
  File opened (read-only)  \??\J:  2.exe
  File opened (read-only)  \??\K:  2.exe
  File opened (read-only)  \??\O:  2.exe
  File opened (read-only)  \??\R:  2.exe
  File opened (read-only)  \??\S:  2.exe
  File opened (read-only)  \??\T:  2.exe
  File opened (read-only)  \??\E:  2.exe
  File opened (read-only)  \??\F:  2.exe
  File opened (read-only)  \??\N:  2.exe
Drops file in System32 directory 3 IoCs
Processes: mmc.exe
  description                   ioc                                      process
  File opened for modification  C:\Windows\System32\gpedit.msc           mmc.exe
  File opened for modification  C:\Windows\System32\GroupPolicy          mmc.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\gpt.ini  mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: 2.exe
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  2.exe
Modifies Internet Explorer settings
Processes: mmc.exe
  description  ioc                                                                                                    process
  Key created  \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main  mmc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: test.exe
  pid  process
  952  test.exe  (this identical row is repeated 64 times in the report)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: mmc.exe
  pid   process
  1380  mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: mmc.exe
  description                        pid   process
  Token: 33                          1380  mmc.exe
  Token: SeIncBasePriorityPrivilege  1380  mmc.exe
  Token: 33                          1380  mmc.exe
  Token: SeIncBasePriorityPrivilege  1380  mmc.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe, 2.exe, mmc.exe
  pid   process
  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  1392  2.exe
  1392  2.exe
  1380  mmc.exe
  1380  mmc.exe
  1380  mmc.exe
  1380  mmc.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe, test.exe
  description                       pid   process                                                                target process
  PID 2040 wrote to memory of 1392  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  2.exe
  PID 2040 wrote to memory of 1392  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  2.exe
  PID 2040 wrote to memory of 1392  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  2.exe
  PID 2040 wrote to memory of 1392  2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  2.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 2040 wrote to memory of 952   2040  a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe  test.exe
  PID 952 wrote to memory of 1260   952   test.exe                                                               cmd.exe
  PID 952 wrote to memory of 1260   952   test.exe                                                               cmd.exe
  PID 952 wrote to memory of 1260   952   test.exe                                                               cmd.exe
  PID 952 wrote to memory of 1260   952   test.exe                                                               cmd.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\ProgramData\homo\2.exe
      command line: "C:\ProgramData\homo\2.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious use of SetWindowsHookEx

    C:\ProgramData\homo\test.exe
      command line: "C:\ProgramData\homo\test.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c start C:\ProgramData\114514

C:\Windows\system32\mmc.exe
  command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\homo\2.exe
  Filesize: 1.2MB
  MD5: 04cec9f2f932c78b519974ab006e57a6
  SHA1: 50cf7ee6f89c83717b72de9812cddcdc46ceafba
  SHA256: 0d087098875950c4783aeb9cb557ad517fc52649560dbbd7b6d83974ae560b07
  SHA512: 6088abaa8632bfba76efbadf1043e2262933aa95181b1fa630a43aac619861e0d32424ad89423a8b6899567d44332b43788b81db8f015d572fda9e425db9dcd7

C:\ProgramData\homo\test.exe
  Filesize: 714KB
  MD5: 6a21305b111e4a7824c2fa967e65f275
  SHA1: f021e6229e3abbb7eb1fbc1bac1567da14905743
  SHA256: 1ce6cee595032e9771ec63c986bb96d2d7065dc50f77d27022e6815f9058dedb
  SHA512: 90f9edcfdfde467d3eea8f0aa112f872a7e92fa6bceabba7eba2f66a82a292c2bdb13026ec1e13cadb963a4661be09184a4bac78410506b30ff83e1e102e18f0

\ProgramData\homo\2.exe
  Filesize: 1.2MB
  MD5: 04cec9f2f932c78b519974ab006e57a6
  SHA1: 50cf7ee6f89c83717b72de9812cddcdc46ceafba
  SHA256: 0d087098875950c4783aeb9cb557ad517fc52649560dbbd7b6d83974ae560b07
  SHA512: 6088abaa8632bfba76efbadf1043e2262933aa95181b1fa630a43aac619861e0d32424ad89423a8b6899567d44332b43788b81db8f015d572fda9e425db9dcd7

\ProgramData\homo\test.exe
  Filesize: 714KB
  MD5: 6a21305b111e4a7824c2fa967e65f275
  SHA1: f021e6229e3abbb7eb1fbc1bac1567da14905743
  SHA256: 1ce6cee595032e9771ec63c986bb96d2d7065dc50f77d27022e6815f9058dedb
  SHA512: 90f9edcfdfde467d3eea8f0aa112f872a7e92fa6bceabba7eba2f66a82a292c2bdb13026ec1e13cadb963a4661be09184a4bac78410506b30ff83e1e102e18f0

Memory dumps
  resource                                                         Filesize
  memory/1380-125-0x0000000002820000-0x0000000002821000-memory.dmp  4KB
  memory/1380-132-0x0000000004790000-0x0000000004810000-memory.dmp  512KB
  memory/1380-150-0x0000000002820000-0x0000000002821000-memory.dmp  4KB
  memory/1380-152-0x0000000004790000-0x0000000004810000-memory.dmp  512KB
  memory/1392-127-0x0000000010000000-0x0000000010191000-memory.dmp  1.6MB