Analysis
max time kernel: 104s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2023 20:32
Static task: static1
Behavioral task: behavioral1
Sample: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
Resource: win7-20230220-en
General
Target: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
Size: 36KB
MD5: 37641f75d748d88ab97b797024bed92e
SHA1: 381f79a5f11f1caaa4faf419394ab4b72d836a35
SHA256: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf
SHA512: d0dd3aaa39b67fdadb5af3eadd4f0e88e34a05194af06db16b5b009a6766a318fd351238e1284a0fbbebbbb51f596dcf2a3917e27809d2c7acf8acfb832646eb
SSDEEP: 768:sLno9rS3XcdDhF40Un2WZKaM4C0I8qyM6k46l94A/1CgInmB7o01:sLngS3XcdDhF4Hn2WcaM4C0I8qyM6k42
Malware Config
Signatures
Processes:
resource: behavioral2/memory/1868-169-0x0000000010000000-0x0000000010191000-memory.dmp | yara_rule: purplefox_rootkit
Gh0st RAT payload 1 IoCs
Processes:
resource: behavioral2/memory/1868-169-0x0000000010000000-0x0000000010191000-memory.dmp | yara_rule: family_gh0strat
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | process: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
Executes dropped EXE 2 IoCs
Processes:
pid 1868 | process 2.exe
pid 2060 | process test.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description: File opened (read-only) | process: 2.exe | ioc (in order observed): \??\I:, \??\K:, \??\M:, \??\R:, \??\S:, \??\Y:, \??\F:, \??\E:, \??\G:, \??\J:, \??\L:, \??\N:, \??\P:, \??\U:, \??\B:, \??\X:, \??\T:, \??\V:, \??\O:, \??\Q:, \??\W:, \??\Z:, \??\H:
Drops file in System32 directory 3 IoCs
Processes:
description: File opened for modification | ioc: C:\Windows\System32\gpedit.msc | process: mmc.exe
description: File opened for modification | ioc: C:\Windows\System32\GroupPolicy | process: mmc.exe
description: File opened for modification | ioc: C:\Windows\System32\GroupPolicy\gpt.ini | process: mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description: Key opened | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | process: 2.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | process: 2.exe
Modifies registry class 1 IoCs
Processes:
description: Key created | ioc: \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | process: cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 2060 | process test.exe (64 identical events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 2700 | process mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description: Token: 33 | pid 2700 | process mmc.exe
description: Token: SeIncBasePriorityPrivilege | pid 2700 | process mmc.exe
description: Token: 33 | pid 2700 | process mmc.exe
description: Token: SeIncBasePriorityPrivilege | pid 2700 | process mmc.exe
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
pid 1908 | process a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe
pid 1868 | process 2.exe (2 events)
pid 2700 | process mmc.exe (4 events)
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description: PID 1908 wrote to memory of 1868 | process: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe | target process: 2.exe (3 events)
description: PID 1908 wrote to memory of 2060 | process: a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe | target process: test.exe (3 events)
description: PID 2060 wrote to memory of 3632 | process: test.exe | target process: cmd.exe (3 events)
Processes
C:\Users\Admin\AppData\Local\Temp\a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe | command line: "C:\Users\Admin\AppData\Local\Temp\a7bba18c14cabef751e162e9cc0d98aa0bf37c6c0f5672433da12ca71ba579bf.exe" | depth 1
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\homo\2.exe | command line: "C:\ProgramData\homo\2.exe" | depth 2
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  C:\ProgramData\homo\test.exe | command line: "C:\ProgramData\homo\test.exe" | depth 2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe | command line: cmd /c start C:\ProgramData\114514 | depth 3
      - Modifies registry class
C:\Windows\System32\rundll32.exe | command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | depth 1
C:\Windows\system32\mmc.exe | command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc" | depth 1
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\homo\2.exe
Filesize: 1.2MB
MD5: 04cec9f2f932c78b519974ab006e57a6
SHA1: 50cf7ee6f89c83717b72de9812cddcdc46ceafba
SHA256: 0d087098875950c4783aeb9cb557ad517fc52649560dbbd7b6d83974ae560b07
SHA512: 6088abaa8632bfba76efbadf1043e2262933aa95181b1fa630a43aac619861e0d32424ad89423a8b6899567d44332b43788b81db8f015d572fda9e425db9dcd7
C:\ProgramData\homo\test.exe
Filesize: 714KB
MD5: 6a21305b111e4a7824c2fa967e65f275
SHA1: f021e6229e3abbb7eb1fbc1bac1567da14905743
SHA256: 1ce6cee595032e9771ec63c986bb96d2d7065dc50f77d27022e6815f9058dedb
SHA512: 90f9edcfdfde467d3eea8f0aa112f872a7e92fa6bceabba7eba2f66a82a292c2bdb13026ec1e13cadb963a4661be09184a4bac78410506b30ff83e1e102e18f0
memory/1868-169-0x0000000010000000-0x0000000010191000-memory.dmp
Filesize: 1.6MB