Analysis

max time kernel: 135s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2023 05:19

Static task: static1
Behavioral task: behavioral1
Sample: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
Resource: win7-20230220-en
General

Target: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
Size: 284KB
MD5: 6a5b8d421e055ede3b2dcbedb9d834d7
SHA1: 92fc4058baf9a6d33ca3232402c7bd5511000c11
SHA256: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
SHA512: f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e
SSDEEP: 6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+
Malware Config

Signatures

- Processes:
  resource                                                                        yara_rule
  behavioral2/memory/5024-169-0x0000000010000000-0x0000000010191000-memory.dmp   purplefox_rootkit

- Gh0st RAT payload 1 IoC
  Processes:
  resource                                                                        yara_rule
  behavioral2/memory/5024-169-0x0000000010000000-0x0000000010191000-memory.dmp   family_gh0strat

- Downloads MZ/PE file
- Checks computer location settings 2 TTPs, 1 IoC
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe

- Executes dropped EXE 2 IoCs
  Processes: winqd.exe, test.exe
  pid    process
  5024   winqd.exe
  1920   test.exe

- Enumerates connected drives 3 TTPs, 23 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: winqd.exe
  description               ioc                                                                                                                                                                process
  File opened (read-only)   \??\G:, \??\R:, \??\W:, \??\B:, \??\I:, \??\J:, \??\O:, \??\Q:, \??\U:, \??\Z:, \??\H:, \??\K:, \??\S:, \??\V:, \??\X:, \??\E:, \??\F:, \??\L:, \??\M:, \??\N:, \??\P:, \??\T:, \??\Y:   winqd.exe (one IoC per drive letter, 23 in total)
- Drops file in System32 directory 3 IoCs
  Processes: mmc.exe
  description                    ioc                                       process
  File opened for modification   C:\Windows\System32\gpedit.msc            mmc.exe
  File opened for modification   C:\Windows\System32\GroupPolicy           mmc.exe
  File opened for modification   C:\Windows\System32\GroupPolicy\gpt.ini   mmc.exe

- Enumerates physical storage devices 1 TTP
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry 2 TTPs, 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: winqd.exe
  description         ioc                                                                     process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        winqd.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   winqd.exe

- Modifies registry class 1 IoC
  Processes: cmd.exe
  description   ioc                                                                                     process
  Key created   \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings   cmd.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: test.exe
  pid    process
  1920   test.exe (the same entry is recorded 64 times)

- Suspicious behavior: GetForegroundWindowSpam 1 IoC
  Processes: mmc.exe
  pid    process
  4124   mmc.exe

- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes: mmc.exe
  description                         pid    process
  Token: 33                           4124   mmc.exe
  Token: SeIncBasePriorityPrivilege   4124   mmc.exe
  Token: 33                           4124   mmc.exe
  Token: SeIncBasePriorityPrivilege   4124   mmc.exe

- Suspicious use of SetWindowsHookEx 7 IoCs
  Processes: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe, winqd.exe, mmc.exe
  pid    process
  3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
  5024   winqd.exe
  5024   winqd.exe
  4124   mmc.exe
  4124   mmc.exe
  4124   mmc.exe
  4124   mmc.exe

- Suspicious use of WriteProcessMemory 9 IoCs
  Processes: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe, test.exe
  description                        pid    process                                                                 target process
  PID 3432 wrote to memory of 5024   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   winqd.exe
  PID 3432 wrote to memory of 5024   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   winqd.exe
  PID 3432 wrote to memory of 5024   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   winqd.exe
  PID 3432 wrote to memory of 1920   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   test.exe
  PID 3432 wrote to memory of 1920   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   test.exe
  PID 3432 wrote to memory of 1920   3432   33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe   test.exe
  PID 1920 wrote to memory of 3056   1920   test.exe                                                                cmd.exe
  PID 1920 wrote to memory of 3056   1920   test.exe                                                                cmd.exe
  PID 1920 wrote to memory of 3056   1920   test.exe                                                                cmd.exe
Processes

C:\Users\Admin\AppData\Local\Temp\33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889.exe"
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\windowsqd\winqd.exe
    command line: "C:\ProgramData\windowsqd\winqd.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx

  C:\ProgramData\windowsqd\test.exe
    command line: "C:\ProgramData\windowsqd\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c start C:\ProgramData\114514
      - Modifies registry class

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\mmc.exe
  command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\windowsqd\test.exe
  Filesize: 236KB
  MD5: 84e70a2bba3d81ff6b67bb4166fdf280
  SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
  SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
  SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

C:\ProgramData\windowsqd\winqd.exe
  Filesize: 1.3MB
  MD5: 08f86429b9cd43cfeb4379418e5350f8
  SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
  SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
  SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

memory/5024-169-0x0000000010000000-0x0000000010191000-memory.dmp
  Filesize: 1.6MB