Analysis
max time kernel: 121s
max time network: 146s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2023, 00:24

Static task: static1
- 1 signature

Behavioral task: behavioral1
- Sample: cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
- Resource: win7-20230712-en
- 7 signatures
- 150 seconds
General
Target: cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
Size: 1.4MB
MD5: 7ca796d8be11773cac10ebe9d081999e
SHA1: 0dd75f089ae93f107de599b46ff63edd191c8535
SHA256: cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847
SHA512: 934edbfcaa5735c89fc7a6d1b8c396b07cec3e1df35ce7055f96ec189d0c64cf8235c0fd0a66a049a00bfa56453523638b0a1e08f867e6734fd9ec0c32c90af4
SSDEEP: 24576:OyAQ1CwOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:OhfHPkVOBTK
Malware Config
Signatures
- yara_rule purplefox_rootkit
  resource: behavioral1/memory/1672-54-0x0000000010000000-0x000000001019F000-memory.dmp
- Gh0st RAT payload (1 IoC)
  resource: behavioral1/memory/1672-54-0x0000000010000000-0x000000001019F000-memory.dmp
  yara_rule: family_gh0strat
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe opened (read-only) the following drive roots, in this order:
  \??\O:, \??\P:, \??\B:, \??\E:, \??\L:, \??\M:, \??\T:, \??\V:, \??\X:, \??\G:, \??\H:, \??\I:, \??\N:, \??\Y:, \??\S:, \??\U:, \??\W:, \??\Z:, \??\J:, \??\K:, \??\Q:, \??\R:
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  pid 1672, process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe (the same pid/process entry is listed 33 times)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: 33, pid 1672, process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
  Token: SeIncBasePriorityPrivilege, pid 1672, process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
  Token: 33, pid 1672, process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
  Token: SeIncBasePriorityPrivilege, pid 1672, process cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cddadee5d5d100852814553a3416683a5f4fc4478cde8a301ef32a474de22847.exe"
  PID: 1672
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken