Analysis
max time kernel: 140s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2023 04:45
Static task: static1
Behavioral task: behavioral1
Sample: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Resource: win7-20230220-en
General
Target: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Size: 264KB
MD5: ef5845f28bad21d0d1d388a17a95d777
SHA1: 64a1e0b9265742b4f5d02bcc91027ba26f5322cc
SHA256: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760
SHA512: 73240c604643c4dd26035031eaf1c3f5707634b6e3347df19e465c43290a370a6e04e21231cac2217791232fe5ef6c789da6fb2e697afcc2ca9c1b2250bde5c8
SSDEEP: 6144:rzLsl1tTKx80OPo0N+HvjCrtAuu8EQyL+3Y1tMmbWs:j0TTKx8fKv2quuD+3Y12wW
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/2020-169-0x0000000010000000-0x0000000010197000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2020-169-0x0000000010000000-0x0000000010197000-memory.dmp | family_gh0strat
behavioral2/memory/2020-202-0x00000000033D0000-0x00000000034B6000-memory.dmp | family_gh0strat
behavioral2/memory/2020-223-0x0000000003450000-0x0000000003536000-memory.dmp | family_gh0strat
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
Executes dropped EXE 2 IoCs
Processes: winqd.exe, test.exe
pid | process
2020 | winqd.exe
4076 | test.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: winqd.exe
description | ioc | process
File opened (read-only) | \??\P: | winqd.exe
File opened (read-only) | \??\B: | winqd.exe
File opened (read-only) | \??\E: | winqd.exe
File opened (read-only) | \??\F: | winqd.exe
File opened (read-only) | \??\K: | winqd.exe
File opened (read-only) | \??\L: | winqd.exe
File opened (read-only) | \??\M: | winqd.exe
File opened (read-only) | \??\O: | winqd.exe
File opened (read-only) | \??\X: | winqd.exe
File opened (read-only) | \??\I: | winqd.exe
File opened (read-only) | \??\U: | winqd.exe
File opened (read-only) | \??\Z: | winqd.exe
File opened (read-only) | \??\D: | winqd.exe
File opened (read-only) | \??\Q: | winqd.exe
File opened (read-only) | \??\R: | winqd.exe
File opened (read-only) | \??\V: | winqd.exe
File opened (read-only) | \??\W: | winqd.exe
File opened (read-only) | \??\Y: | winqd.exe
File opened (read-only) | \??\G: | winqd.exe
File opened (read-only) | \??\H: | winqd.exe
File opened (read-only) | \??\J: | winqd.exe
File opened (read-only) | \??\N: | winqd.exe
File opened (read-only) | \??\S: | winqd.exe
File opened (read-only) | \??\T: | winqd.exe
Drops file in System32 directory 3 IoCs
Processes: mmc.exe
description | ioc | process
File opened for modification | C:\Windows\System32\gpedit.msc | mmc.exe
File opened for modification | C:\Windows\System32\GroupPolicy | mmc.exe
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: winqd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winqd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winqd.exe
Modifies registry class 1 IoCs
Processes: cmd.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: test.exe
pid | process
4076 | test.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: mmc.exe
pid | process
3208 | mmc.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: mmc.exe
description | pid | process
Token: 33 | 3208 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3208 | mmc.exe
Token: 33 | 3208 | mmc.exe
Token: SeIncBasePriorityPrivilege | 3208 | mmc.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe, winqd.exe, mmc.exe
pid | process
4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
2020 | winqd.exe
3208 | mmc.exe
3208 | mmc.exe
3208 | mmc.exe
3208 | mmc.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe, test.exe
description | pid | process | target process
PID 4812 wrote to memory of 2020 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | winqd.exe
PID 4812 wrote to memory of 2020 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | winqd.exe
PID 4812 wrote to memory of 2020 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | winqd.exe
PID 4812 wrote to memory of 4076 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | test.exe
PID 4812 wrote to memory of 4076 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | test.exe
PID 4812 wrote to memory of 4076 | 4812 | d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe | test.exe
PID 4076 wrote to memory of 4056 | 4076 | test.exe | cmd.exe
PID 4076 wrote to memory of 4056 | 4076 | test.exe | cmd.exe
PID 4076 wrote to memory of 4056 | 4076 | test.exe | cmd.exe
Processes (indentation shows the parent/child tree)
C:\Users\Admin\AppData\Local\Temp\d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d09a24d6024bb7ba43e61cf81f0507bc6af82d75437d76813ca4c6d6366db760.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\windowsqd\winqd.exe
    Command line: "C:\ProgramData\windowsqd\winqd.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  C:\ProgramData\windowsqd\test.exe
    Command line: "C:\ProgramData\windowsqd\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
      - Modifies registry class
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\windowsqd\test.exe
Filesize: 332KB
MD5: ec62c55fb42e9ca03c68a8630b721378
SHA1: 4af1861c47d55eeae8ef2f770ff0b4ff0c3be53f
SHA256: e087e3ac50b0c6ac557554ff398ccbec1f39f7b7096f039f835ed03750d3a274
SHA512: 242369325e3b5adfe79346bad0edf0879a394ddb64da8c9ce52b4ba25cb4d63a3f02570cbe279e534d67d33af15b6b447bacfe1cc23e1dd3761dfe3770e94af5

C:\ProgramData\windowsqd\winqd.exe
Filesize: 1.5MB
MD5: bfc9e0f01b4edfd5a941fdce3852f092
SHA1: 62612e88acd953d941247e5b0e037d1ced829146
SHA256: 030c6abaf87bd2b036ba592ad8f1c6761ec9de071d28ba9a944d89a1fb63b865
SHA512: 495e63ef642cbbffe1a4a653a8cadbce38ed40ceb4323189a4784f14e9b09869f6b60813cf8d95bd1271274f5f17bdcff14138376c586dca2227f3383448c73f

C:\Users\Admin\AppData\Roaming\bPluginVideo.dll
Filesize: 492KB
MD5: 5f060471defe1bca22e37f3062c56b87
SHA1: e7760c0881589d9a587547fbb5df334849d076e2
SHA256: 56fa2183c302945e8430aa82b91020ef4eefb1a4ec451622eb9e4fd47c223d32
SHA512: 31bc73e55db39d21eb18a2d9dfb136470bbc778abfe7501f7f6c661ca068ba75154ea1f8470559f67c4afa9644b71de8930eba070e37666d6ce8190edacb91a1

memory/2020-169-0x0000000010000000-0x0000000010197000-memory.dmp
Filesize: 1.6MB

memory/2020-202-0x00000000033D0000-0x00000000034B6000-memory.dmp
Filesize: 920KB

memory/2020-213-0x0000000073940000-0x0000000073979000-memory.dmp
Filesize: 228KB

memory/2020-223-0x0000000003450000-0x0000000003536000-memory.dmp
Filesize: 920KB