Analysis

max time kernel: 149s
max time network: 138s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
submitted: 31-05-2023 05:19

Static task: static1
Behavioral task: behavioral1
Sample: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
Resource: win7-20230220-en
General

Target: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
Size: 284KB
MD5: 6a5b8d421e055ede3b2dcbedb9d834d7
SHA1: 92fc4058baf9a6d33ca3232402c7bd5511000c11
SHA256: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
SHA512: f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e
SSDEEP: 6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+
Malware Config

Signatures

Processes:
  resource: behavioral1/memory/1000-129-0x0000000010000000-0x0000000010191000-memory.dmp
  yara_rule: purplefox_rootkit

Gh0st RAT payload 1 IoCs
Processes:
  resource: behavioral1/memory/1000-129-0x0000000010000000-0x0000000010191000-memory.dmp
  yara_rule: family_gh0strat
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
  pid 1000  winqd.exe
  pid 1324  test.exe

Loads dropped DLL 5 IoCs
Processes:
  pid 1996  33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe  (2 entries)
  pid 1000  winqd.exe  (3 entries)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  File opened (read-only) by winqd.exe, in the order observed:
  \??\B: \??\I: \??\P: \??\Y: \??\S: \??\Z: \??\F: \??\J: \??\L: \??\Q: \??\R: \??\O:
  \??\T: \??\V: \??\E: \??\G: \??\H: \??\K: \??\N: \??\M: \??\U: \??\W: \??\X:

Drops file in System32 directory 3 IoCs
Processes:
  File opened for modification  C:\Windows\System32\GroupPolicy\gpt.ini  mmc.exe
  File opened for modification  C:\Windows\System32\gpedit.msc           mmc.exe
  File opened for modification  C:\Windows\System32\GroupPolicy          mmc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       winqd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  winqd.exe
Modifies Internet Explorer settings 1 IoCs
Processes:
  Key created  \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main  mmc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 1324  test.exe  (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 1616  mmc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: 33                          pid 1616  mmc.exe  (2 entries)
  Token: SeIncBasePriorityPrivilege  pid 1616  mmc.exe  (2 entries)

Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
  pid 1996  33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe  (1 entry)
  pid 1000  winqd.exe  (2 entries)
  pid 1616  mmc.exe    (4 entries)

Suspicious use of WriteProcessMemory 15 IoCs
Processes:
  PID 1996 (33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe) wrote to memory of 1000 (winqd.exe)  (7 entries)
  PID 1996 (33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe) wrote to memory of 1324 (test.exe)   (4 entries)
  PID 1324 (test.exe) wrote to memory of 1028 (cmd.exe)  (4 entries)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\ProgramData\windowsqd\winqd.exe
    command line: "C:\ProgramData\windowsqd\winqd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx

  [depth 2] C:\ProgramData\windowsqd\test.exe
    command line: "C:\ProgramData\windowsqd\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c start C:\ProgramData\114514

[depth 1] C:\Windows\system32\mmc.exe
  command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\windowsqd\test.exe
  Filesize: 236KB
  MD5: 84e70a2bba3d81ff6b67bb4166fdf280
  SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
  SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
  SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

C:\ProgramData\windowsqd\winqd.exe
  Filesize: 1.3MB
  MD5: 08f86429b9cd43cfeb4379418e5350f8
  SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
  SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
  SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

\ProgramData\windowsqd\test.exe
  Filesize: 236KB
  MD5: 84e70a2bba3d81ff6b67bb4166fdf280
  SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
  SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
  SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

\ProgramData\windowsqd\winqd.exe
  Filesize: 1.3MB
  MD5: 08f86429b9cd43cfeb4379418e5350f8
  SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
  SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
  SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

memory/1000-129-0x0000000010000000-0x0000000010191000-memory.dmp
  Filesize: 1.6MB

memory/1616-126-0x00000000026E0000-0x00000000026E1000-memory.dmp
  Filesize: 4KB

memory/1616-128-0x00000000049C0000-0x0000000004A40000-memory.dmp
  Filesize: 512KB

memory/1616-152-0x00000000026E0000-0x00000000026E1000-memory.dmp
  Filesize: 4KB