Overview

overview

10

Static

static

3

08328899.exe

windows7-x64

10

08328899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-05-2023 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08328899.exe

  • Size

    284KB

  • MD5

    6a5b8d421e055ede3b2dcbedb9d834d7

  • SHA1

    92fc4058baf9a6d33ca3232402c7bd5511000c11

  • SHA256

    33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889

  • SHA512

    f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e

  • SSDEEP

    6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+

Score
10/10
gh0stratpurplefoxratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08328899.exe
    "C:\Users\Admin\AppData\Local\Temp\08328899.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\ProgramData\windowsqd\winqd.exe
      "C:\ProgramData\windowsqd\winqd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:1568
    • C:\ProgramData\windowsqd\test.exe
      "C:\ProgramData\windowsqd\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\114514
        3⤵
          PID:760
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Modifies Internet Explorer settings
      PID:1968

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • C:\ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • \ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • \ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • \ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • \ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • \ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • memory/1568-145-0x0000000010000000-0x0000000010191000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1968-133-0x000007FEF5AA0000-0x000007FEF5AE2000-memory.dmp
      Filesize

      264KB

      Download
    • memory/1968-139-0x000007FEF5A00000-0x000007FEF5A16000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1968-141-0x000007FEF59D0000-0x000007FEF5A12000-memory.dmp
      Filesize

      264KB

      Download
    • memory/1968-143-0x000007FEF3A10000-0x000007FEF3AA1000-memory.dmp
      Filesize

      580KB

      Download
    • memory/1968-172-0x000007FEF3A10000-0x000007FEF3AA1000-memory.dmp
      Filesize

      580KB

      Download