Analysis
- max time kernel: 104s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2023 06:37

Static task: static1
Behavioral task: behavioral1
- Sample: 08328899.exe
- Resource: win7-20230220-en

General
- Target: 08328899.exe
- Size: 284KB
- MD5: 6a5b8d421e055ede3b2dcbedb9d834d7
- SHA1: 92fc4058baf9a6d33ca3232402c7bd5511000c11
- SHA256: 33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889
- SHA512: f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e
- SSDEEP: 6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+
Malware Config

Signatures
-
  Processes:
  - resource behavioral2/memory/1828-169-0x0000000010000000-0x0000000010191000-memory.dmp: yara_rule purplefox_rootkit
- Gh0st RAT payload (1 IoC)
  Processes:
  - resource behavioral2/memory/1828-169-0x0000000010000000-0x0000000010191000-memory.dmp: yara_rule family_gh0strat
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (08328899.exe)
- Executes dropped EXE (2 IoCs)
  Processes:
  - pid 1828: winqd.exe
  - pid 4408: test.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - File opened (read-only) by winqd.exe: \??\T: \??\F: \??\H: \??\K: \??\L: \??\O: \??\Q: \??\W: \??\X: \??\B: \??\G: \??\J: \??\P: \??\U: \??\V: \??\Y: \??\I: \??\Z: \??\E: \??\M: \??\N: \??\R: \??\S:
- Drops file in System32 directory (3 IoCs)
  Processes:
  - File opened for modification: C:\Windows\System32\gpedit.msc (mmc.exe)
  - File opened for modification: C:\Windows\System32\GroupPolicy (mmc.exe)
  - File opened for modification: C:\Windows\System32\GroupPolicy\gpt.ini (mmc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (winqd.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (winqd.exe)
- Modifies registry class (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 4408: test.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - pid 2564: mmc.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: 33, pid 2564 mmc.exe (2 occurrences)
  - Token: SeIncBasePriorityPrivilege, pid 2564 mmc.exe (2 occurrences)
- Suspicious use of SetWindowsHookEx (7 IoCs)
  Processes:
  - pid 1796: 08328899.exe (1 occurrence)
  - pid 1828: winqd.exe (2 occurrences)
  - pid 2564: mmc.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  - PID 1796 wrote to memory of 1828: 08328899.exe -> winqd.exe (3 occurrences)
  - PID 1796 wrote to memory of 4408: 08328899.exe -> test.exe (3 occurrences)
  - PID 4408 wrote to memory of 228: test.exe -> cmd.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\08328899.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08328899.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\ProgramData\windowsqd\winqd.exe
    Command line: "C:\ProgramData\windowsqd\winqd.exe"
    Signatures:
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
  - C:\ProgramData\windowsqd\test.exe
    Command line: "C:\ProgramData\windowsqd\test.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c start C:\ProgramData\114514
      Signatures:
      - Modifies registry class
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
  Signatures:
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\windowsqd\test.exe
  Filesize: 236KB
  MD5: 84e70a2bba3d81ff6b67bb4166fdf280
  SHA1: 0a82211227ffc087b09ebdf33f5435c8293a1c18
  SHA256: 177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf
  SHA512: 68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7
- C:\ProgramData\windowsqd\winqd.exe
  Filesize: 1.3MB
  MD5: 08f86429b9cd43cfeb4379418e5350f8
  SHA1: 15965da0b459d890e8ef0186bef97afb9301718e
  SHA256: 5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2
  SHA512: bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d
- memory/1828-169-0x0000000010000000-0x0000000010191000-memory.dmp
  Filesize: 1.6MB