Analysis
-
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/08/2023, 00:06
Static task: static1
Behavioral task: behavioral1
Sample: 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe
Resource: win7-20230712-en
General
-
Target: 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe
Size: 375KB
MD5: a530c1734063e5538cbc6a544210bc1c
SHA1: 1c01ae0bef0da79ef1b31ab2318fa744c0ebd4a0
SHA256: 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1
SHA512: 22f61922056865111a951f9dc0507e64cc75e4e058f3933b10cf5fb6d7862123adf5d1a49bdbb858a14dcd02e7e9d945d9a404ea9c7fb272aa3555335da049e2
SSDEEP: 6144:sxO+L1Czykh18bmlOEgrr8zF9r4GB30fxIb0AqhEj7OLKXe8zGy:kMzZh18aJgrrIv4GR0fxIxOLKXN
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/1056-136-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/1056-137-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/1056-150-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-156-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-162-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-167-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-169-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-171-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-173-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-176-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-178-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-180-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-182-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-184-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-186-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-188-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-190-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-192-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-194-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-196-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-198-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-200-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-202-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-204-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-206-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-208-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-210-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
behavioral2/memory/3224-212-0x0000000010000000-0x00000000101A8000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 30 IoCs
resource | yara_rule
behavioral2/memory/1056-135-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/1056-136-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/1056-137-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/1056-150-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-154-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-156-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-162-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-167-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-169-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-171-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-173-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-176-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-178-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-180-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-182-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-184-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-186-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-188-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-190-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-192-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-194-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-196-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-198-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-200-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-202-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-204-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-206-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-208-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-210-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
behavioral2/memory/3224-212-0x0000000010000000-0x00000000101A8000-memory.dmp | family_gh0strat
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | Meume.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Meume.exe
-
Executes dropped EXE 1 IoCs
pid | Process
3224 | Meume.exe
-
resource | yara_rule
behavioral2/memory/1056-133-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/1056-135-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/1056-136-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/1056-137-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/1056-150-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-154-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-156-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-162-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-167-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-169-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-171-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-173-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-176-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-178-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-180-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-182-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-184-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-186-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-188-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-190-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-192-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-194-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-196-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-198-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-200-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-202-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-204-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-206-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-208-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-210-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
behavioral2/memory/3224-212-0x0000000010000000-0x00000000101A8000-memory.dmp | upx
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | Meume.exe
File opened (read-only) | \??\U: | Meume.exe
File opened (read-only) | \??\V: | Meume.exe
File opened (read-only) | \??\Y: | Meume.exe
File opened (read-only) | \??\L: | Meume.exe
File opened (read-only) | \??\O: | Meume.exe
File opened (read-only) | \??\P: | Meume.exe
File opened (read-only) | \??\I: | Meume.exe
File opened (read-only) | \??\M: | Meume.exe
File opened (read-only) | \??\X: | Meume.exe
File opened (read-only) | \??\J: | Meume.exe
File opened (read-only) | \??\N: | Meume.exe
File opened (read-only) | \??\Z: | Meume.exe
File opened (read-only) | \??\H: | Meume.exe
File opened (read-only) | \??\K: | Meume.exe
File opened (read-only) | \??\Q: | Meume.exe
File opened (read-only) | \??\R: | Meume.exe
File opened (read-only) | \??\S: | Meume.exe
File opened (read-only) | \??\B: | Meume.exe
File opened (read-only) | \??\E: | Meume.exe
File opened (read-only) | \??\G: | Meume.exe
File opened (read-only) | \??\W: | Meume.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
208 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
3224 | Meume.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe
Token: SeLoadDriverPrivilege | 3224 | Meume.exe
Token: 33 | 3224 | Meume.exe
Token: SeIncBasePriorityPrivilege | 3224 | Meume.exe
Token: 33 | 3224 | Meume.exe
Token: SeIncBasePriorityPrivilege | 3224 | Meume.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1056 wrote to memory of 3224 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 87
PID 1056 wrote to memory of 3224 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 87
PID 1056 wrote to memory of 3224 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 87
PID 1056 wrote to memory of 544 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 88
PID 1056 wrote to memory of 544 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 88
PID 1056 wrote to memory of 544 | 1056 | 3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe | 88
PID 544 wrote to memory of 208 | 544 | cmd.exe | 91
PID 544 wrote to memory of 208 | 544 | cmd.exe | 91
PID 544 wrote to memory of 208 | 544 | cmd.exe | 91
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3cceb9656b691ee814b3de94acb46e2bcc47b6aaf9d066f125bfedb8520a9fc1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1056

  (depth 2) C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Meume.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Meume.exe"
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 3224

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\3CCEB9~1.EXE > nul
    - Suspicious use of WriteProcessMemory
    PID: 544

    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
      PID: 208
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 10.4MB
MD5: ded31f0087e1e2d58a5138ef67a46542
SHA1: da6ce4d2a7b6d0cc48e08cd0514232e2d5c62472
SHA256: 61b0f909c731a95dc566959111f75d6607fe8348486d547bdf809fc92b3564ff
SHA512: d7198722ebffff4933e2581de0f2528b4e065ca3fcfbf53f6db61b2e85d9e5f67e8905dd52309579166202bd22ada91bbadff7804b8c20c12ae7c975a49913d4