Overview

overview

10

Static

static

3

08328899.exe

windows7-x64

10

08328899.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2023 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08328899.exe

  • Size

    284KB

  • MD5

    6a5b8d421e055ede3b2dcbedb9d834d7

  • SHA1

    92fc4058baf9a6d33ca3232402c7bd5511000c11

  • SHA256

    33a8f5100c1888a055f3ec238ec07e1adb4023b66f17469f1f7eb5679fecf889

  • SHA512

    f5966b5d3a6697698e1fe5db9736101168430e6a597d94ea7426d2946fc2b533fd9e657543404cb2de777c1c8268b4d2e78000bd4ab5895715c4c6eccf566b5e

  • SSDEEP

    6144:G9hIq9bEO1QIbgTApqQCsGQZt+3Y1tMmbWsccC6g6v66666ES66666E6kD66666m:cIquhLMpqXA+3Y12wWncC6g6v66666E+

Score
10/10
gh0stratpurplefoxratrootkittrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08328899.exe
    "C:\Users\Admin\AppData\Local\Temp\08328899.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\ProgramData\windowsqd\winqd.exe
      "C:\ProgramData\windowsqd\winqd.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      PID:1828
    • C:\ProgramData\windowsqd\test.exe
      "C:\ProgramData\windowsqd\test.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\ProgramData\114514
        3⤵
        • Modifies registry class
        PID:228
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:488
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\gpedit.msc"
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2564

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • C:\ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • C:\ProgramData\windowsqd\test.exe
      Filesize

      236KB

      MD5

      84e70a2bba3d81ff6b67bb4166fdf280

      SHA1

      0a82211227ffc087b09ebdf33f5435c8293a1c18

      SHA256

      177aae6a0cbb44a8b631a08f71613b5bdd79df07f9d8885a3174fe4ca664bcdf

      SHA512

      68b070112dbac21a86b7c9784207b27a845cd0288957da6f1f45c8c03b905a76296eff2f64a336b6f0fef55790700625a266de09691104cd06d9eaccfe89cfd7

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • C:\ProgramData\windowsqd\winqd.exe
      Filesize

      1.3MB

      MD5

      08f86429b9cd43cfeb4379418e5350f8

      SHA1

      15965da0b459d890e8ef0186bef97afb9301718e

      SHA256

      5d01444b146fdcd099631627115f1bded3269fec422a6a691604e7e6279817a2

      SHA512

      bd97155343429e81873bf4058bb24343600c34a710e6ce32baa0acd0a0ff34949b40a8741060e48d756f0a90cda959b25eff8492ab886c07853c494725eb2f0d

      Download Submit
    • memory/1828-169-0x0000000010000000-0x0000000010191000-memory.dmp
      Filesize

      1.6MB

      Download