Analysis
- max time kernel: 84s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2023 11:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
- Resource: win7-20230220-en
General
- Target: 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
- Size: 3.9MB
- MD5: ae7001470fbdf06d68150edcb4482e45
- SHA1: c5ef18f9c78541b44c82ee444a76192120e181d5
- SHA256: 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1
- SHA512: 26f8b81b6cd45e23fb38de0ab2ba68eb4b034ef0758fefcc2c7b14a87839bf8f5f231f028d49c4b49c238a0a7a16054418120fd173a3caee238be2e31dfa56ec
- SSDEEP: 98304:04o3WXmh+fxLkog2GyCN5t9TbwoalozL3uRS5VWngBS5mH:nUgkog2GyCNBTEnlO3u
Malware Config
Signatures
- (signature title missing from the page; YARA matches on rule purplefox_rootkit)
  Processes:
  resource | yara_rule
  behavioral2/memory/848-133-0x0000000010000000-0x00000000101B0000-memory.dmp | purplefox_rootkit
  behavioral2/memory/2720-143-0x0000000010000000-0x00000000101B0000-memory.dmp | purplefox_rootkit
  behavioral2/memory/2160-150-0x0000000010000000-0x00000000101B0000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload 3 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/848-133-0x0000000010000000-0x00000000101B0000-memory.dmp | family_gh0strat
  behavioral2/memory/2720-143-0x0000000010000000-0x00000000101B0000-memory.dmp | family_gh0strat
  behavioral2/memory/2160-150-0x0000000010000000-0x00000000101B0000-memory.dmp | family_gh0strat
- Executes dropped EXE 2 IoCs
  Processes:
  pid | process
  2720 | Kcdef.exe
  2160 | Kcdef.exe
- Enumerates connected drives 3 TTPs 23 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) by Kcdef.exe on each of: \??\M:, \??\O:, \??\T:, \??\Z:, \??\B:, \??\I:, \??\K:, \??\X:, \??\Y:, \??\W:, \??\E:, \??\G:, \??\H:, \??\Q:, \??\U:, \??\V:, \??\S:, \??\F:, \??\J:, \??\L:, \??\N:, \??\P:, \??\R:
- Drops file in System32 directory 2 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\Kcdef.exe | 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
  File opened for modification | C:\Windows\SysWOW64\Kcdef.exe | 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Kcdef.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Kcdef.exe
- Modifies data under HKEY_USERS 5 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Kcdef.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | Kcdef.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Kcdef.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Kcdef.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Kcdef.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid | process
  2160 | Kcdef.exe (the page lists this identical entry 64 times; repeats not reproduced here)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 848 | 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 848 wrote to memory of 1636 | 848 | 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe | cmd.exe (listed 3 times)
  PID 2720 wrote to memory of 2160 | 2720 | Kcdef.exe | Kcdef.exe (listed 3 times)
  PID 1636 wrote to memory of 2924 | 1636 | cmd.exe | PING.EXE (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\2A75F7~1.EXE > nul
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
- C:\Windows\SysWOW64\Kcdef.exe
  Command line: C:\Windows\SysWOW64\Kcdef.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Kcdef.exe
    Command line: C:\Windows\SysWOW64\Kcdef.exe -acsi
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\Kcdef.exe
  Filesize: 3.9MB
  MD5: ae7001470fbdf06d68150edcb4482e45
  SHA1: c5ef18f9c78541b44c82ee444a76192120e181d5
  SHA256: 2a75f7cffee7e075a0a45ad044cc4ad39c8b8b656b29975f6679fe8194e19fc1
  SHA512: 26f8b81b6cd45e23fb38de0ab2ba68eb4b034ef0758fefcc2c7b14a87839bf8f5f231f028d49c4b49c238a0a7a16054418120fd173a3caee238be2e31dfa56ec
- memory/848-133-0x0000000010000000-0x00000000101B0000-memory.dmp
  Filesize: 1.7MB
- memory/2160-150-0x0000000010000000-0x00000000101B0000-memory.dmp
  Filesize: 1.7MB
- memory/2720-143-0x0000000010000000-0x00000000101B0000-memory.dmp
  Filesize: 1.7MB