Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2023 06:37
Static task: static1
Behavioral task: behavioral1
Sample: 08328899.exe
Resource: win7-20230220-en
General
Target: 08328899.exe
Size: 284KB
MD5: 6a5b8d421e055ede3b2dcbedb9d834d7
SHA1: 92fc4058baf9a6d33ca3232402c7bd5511000c11
SHA256: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
SHA512: f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e
SSDEEP: 6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral1/memory/1568-145-0x0000000010000000-0x0000000010191000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1568-145-0x0000000010000000-0x0000000010191000-memory.dmp | family_gh0strat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
Processes:
pid | process
1568 | winqd.exe
1780 | test.exe

Loads dropped DLL 5 IoCs
Processes:
pid | process
1720 | 08328899.exe
1720 | 08328899.exe
1568 | winqd.exe
1568 | winqd.exe
1568 | winqd.exe

Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\O: | winqd.exe
File opened (read-only) | \??\R: | winqd.exe
File opened (read-only) | \??\T: | winqd.exe
File opened (read-only) | \??\V: | winqd.exe
File opened (read-only) | \??\Y: | winqd.exe
File opened (read-only) | \??\I: | winqd.exe
File opened (read-only) | \??\L: | winqd.exe
File opened (read-only) | \??\B: | winqd.exe
File opened (read-only) | \??\N: | winqd.exe
File opened (read-only) | \??\K: | winqd.exe
File opened (read-only) | \??\M: | winqd.exe
File opened (read-only) | \??\S: | winqd.exe
File opened (read-only) | \??\U: | winqd.exe
File opened (read-only) | \??\W: | winqd.exe
File opened (read-only) | \??\G: | winqd.exe
File opened (read-only) | \??\H: | winqd.exe
File opened (read-only) | \??\J: | winqd.exe
File opened (read-only) | \??\P: | winqd.exe
File opened (read-only) | \??\Q: | winqd.exe
File opened (read-only) | \??\X: | winqd.exe
File opened (read-only) | \??\Z: | winqd.exe
File opened (read-only) | \??\E: | winqd.exe
File opened (read-only) | \??\F: | winqd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winqd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | winqd.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main | mmc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1780 | test.exe (the same entry is recorded 64 times)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
1720 | 08328899.exe
1568 | winqd.exe
1568 | winqd.exe

Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description | pid | process | target process
PID 1720 wrote to memory of 1568 | 1720 | 08328899.exe | winqd.exe (recorded 7 times)
PID 1720 wrote to memory of 1780 | 1720 | 08328899.exe | test.exe (recorded 4 times)
PID 1780 wrote to memory of 760 | 1780 | test.exe | cmd.exe (recorded 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\08328899.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08328899.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\windowsqd\winqd.exe
    Command line: "C:\ProgramData\windowsqd\winqd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  C:\ProgramData\windowsqd\test.exe
    Command line: "C:\ProgramData\windowsqd\test.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  - Modifies Internet Explorer settings
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\windowsqd\test.exe
Filesize: 236KB
MD5: 84e70a2bba3d81ff6b67bb4166fdf280
SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7
-
C:\ProgramData\windowsqd\winqd.exe
Filesize: 1.3MB
MD5: 08f86429b9cd43cfeb4379418e5350f8
SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d
-
\ProgramData\windowsqd\test.exe
Filesize: 236KB
MD5: 84e70a2bba3d81ff6b67bb4166fdf280
SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7
-
\ProgramData\windowsqd\winqd.exe
Filesize: 1.3MB
MD5: 08f86429b9cd43cfeb4379418e5350f8
SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d
-
memory/1568-145-0x0000000010000000-0x0000000010191000-memory.dmp
Filesize: 1.6MB
-
memory/1968-133-0x000007FEF5AA0000-0x000007FEF5AE2000-memory.dmp
Filesize: 264KB
-
memory/1968-139-0x000007FEF5A00000-0x000007FEF5A16000-memory.dmp
Filesize: 88KB
-
memory/1968-141-0x000007FEF59D0000-0x000007FEF5A12000-memory.dmp
Filesize: 264KB
-
memory/1968-143-0x000007FEF3A10000-0x000007FEF3AA1000-memory.dmp
Filesize: 580KB
-
memory/1968-172-0x000007FEF3A10000-0x000007FEF3AA1000-memory.dmp
Filesize: 580KB