Analysis
Max time kernel: 149s
Max time network: 140s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 30-05-2023 04:45
Static task: static1
Behavioral task: behavioral1
Sample: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Resource: win7-20230220-en
General
Target: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Size: 264KB
MD5: ef5845f28bad21d0d1d388a17a95d777
SHA1: 64a1e0b9265742b4f5d02bcc91027ba26f5322cc
SHA256: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760
SHA512: 73240c604643c4dd26035031eaf1c3f5707634b6e3347df19e465c43290a370a6e04e21231cac2217791232fe5ef6c789da6fb2e697afcc2ca9c1b2250bde5c8
SSDEEP: 6144:rzLsl1tTKx80OPo0N+HvjCrtAuu8EQyL+3Y1tMmbWs:j0TTKx8fKv2quuD+3Y12wW
Malware Config
Signatures
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1508-120-0x0000000010000000-0x0000000010197000-memory.dmp  purplefox_rootkit
  behavioral1/memory/1572-155-0x0000000004990000-0x0000000004A10000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1508-120-0x0000000010000000-0x0000000010197000-memory.dmp  family_gh0strat
  behavioral1/memory/1508-180-0x0000000002FD0000-0x00000000030B6000-memory.dmp  family_gh0strat
Downloads MZ/PE file
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1508  winqd.exe
  1808  test.exe
Loads dropped DLL 3 IoCs
Processes:
  pid   process
  1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
  1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
  1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description: File opened (read-only)
  process: winqd.exe
  ioc (23 entries, in the order reported): \??\G:, \??\I:, \??\N:, \??\P:, \??\W:, \??\X:, \??\E:, \??\F:, \??\J:, \??\M:, \??\V:, \??\Y:, \??\B:, \??\H:, \??\Q:, \??\R:, \??\T:, \??\U:, \??\K:, \??\L:, \??\O:, \??\S:, \??\Z:
Drops file in System32 directory 3 IoCs
Processes:
  description                   ioc                                     process
  File opened for modification  C:\Windows\System32\gpedit.msc          mmc.exe
  File opened for modification  C:\Windows\System32\GroupPolicy         mmc.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\gpt.ini mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       winqd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  winqd.exe
Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                      process
  Key created  \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main  mmc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1808  test.exe (the same entry is reported 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1572  mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                        pid   process
  Token: 33                          1572  mmc.exe
  Token: SeIncBasePriorityPrivilege  1572  mmc.exe
  Token: 33                          1572  mmc.exe
  Token: SeIncBasePriorityPrivilege  1572  mmc.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid   process
  1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
  1508  winqd.exe
  1572  mmc.exe
  1572  mmc.exe
  1572  mmc.exe
  1572  mmc.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                          pid   process                                                                 target process
  PID 1696 wrote to memory of 1508     1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe  winqd.exe  (reported 4 times)
  PID 1696 wrote to memory of 1808     1696  d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe  test.exe   (reported 4 times)
  PID 1808 wrote to memory of 1688     1808  test.exe                                                                cmd.exe    (reported 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe (PID 1696, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\windowsqd\winqd.exe (PID 1508, depth 2)
    Command line: "C:\ProgramData\windowsqd\winqd.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  C:\ProgramData\windowsqd\test.exe (PID 1808, depth 2)
    Command line: "C:\ProgramData\windowsqd\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1688, depth 3)
      Command line: cmd /c start C:\ProgramData\114514
C:\Windows\system32\mmc.exe (PID 1572, depth 1)
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\windowsqd\test.exe
  Filesize: 332KB
  MD5: ec62c55fb42e9ca03c68a8630b721378
  SHA1: 4af1861c47d55eeae8ef2f770ff0b4ff0c3be53f
  SHA256: e087e3ac50b0c6ac557554ff398ccbec1f39f7b7096f039f835ed03750d3a274
  SHA512: 242369325e3b5adfe79346bad0edf0879a394ddb64da8c9ce52b4ba25cb4d63a3f02570cbe279e534d67d33af15b6b447bacfe1cc23e1dd3761dfe3770e94af5
C:\ProgramData\windowsqd\winqd.exe
  Filesize: 1.5MB
  MD5: bfc9e0f01b4edfd5a941fdce3852f092
  SHA1: 62612e88acd953d941247e5b0e037d1ced829146
  SHA256: 030c6abaf87bd2b036ba592ad8f1c6761ec9de071d28ba9a944d89a1fb63b865
  SHA512: 495e63ef642cbbffe1a4a653a8cadbce38ed40ceb4323189a4784f14e9b09869f6b60813cf8d95bd1271274f5f17bdcff14138376c586dca2227f3383448c73f
C:\Users\Admin\AppData\Roaming\bPluginVideo.dll
  Filesize: 492KB
  MD5: 5f060471defe1bca22e37f3062c56b87
  SHA1: e7760c0881589d9a587547fbb5df334849d076e2
  SHA256: 56fa2183c302945e8430aa82b91020ef4eefb1a4ec451622eb9e4fd47c223d32
  SHA512: 31bc73e55db39d21eb18a2d9dfb136470bbc778abfe7501f7f6c661ca068ba75154ea1f8470559f67c4afa9644b71de8930eba070e37666d6ce8190edacb91a1
\ProgramData\windowsqd\test.exe
  Filesize: 332KB
  MD5: ec62c55fb42e9ca03c68a8630b721378
  SHA1: 4af1861c47d55eeae8ef2f770ff0b4ff0c3be53f
  SHA256: e087e3ac50b0c6ac557554ff398ccbec1f39f7b7096f039f835ed03750d3a274
  SHA512: 242369325e3b5adfe79346bad0edf0879a394ddb64da8c9ce52b4ba25cb4d63a3f02570cbe279e534d67d33af15b6b447bacfe1cc23e1dd3761dfe3770e94af5
\ProgramData\windowsqd\winqd.exe
  Filesize: 1.5MB
  MD5: bfc9e0f01b4edfd5a941fdce3852f092
  SHA1: 62612e88acd953d941247e5b0e037d1ced829146
  SHA256: 030c6abaf87bd2b036ba592ad8f1c6761ec9de071d28ba9a944d89a1fb63b865
  SHA512: 495e63ef642cbbffe1a4a653a8cadbce38ed40ceb4323189a4784f14e9b09869f6b60813cf8d95bd1271274f5f17bdcff14138376c586dca2227f3383448c73f
memory/1508-120-0x0000000010000000-0x0000000010197000-memory.dmp
  Filesize: 1.6MB
memory/1508-180-0x0000000002FD0000-0x00000000030B6000-memory.dmp
  Filesize: 920KB
memory/1572-131-0x00000000026A0000-0x00000000026A1000-memory.dmp
  Filesize: 4KB
memory/1572-138-0x0000000004990000-0x0000000004A10000-memory.dmp
  Filesize: 512KB
memory/1572-153-0x00000000026A0000-0x00000000026A1000-memory.dmp
  Filesize: 4KB
memory/1572-155-0x0000000004990000-0x0000000004A10000-memory.dmp
  Filesize: 512KB