Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 28/08/2023, 11:08
Behavioral task behavioral1
- Sample: 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
- Resource: win7-20230712-en
Behavioral task behavioral2
- Sample: 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
- Resource: win10v2004-20230703-en
General
- Target: 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
- Size: 652KB
- MD5: d793918f5dd516e211be5e6a14fdb607
- SHA1: 00e9f5c14895bc5d8dad8eabb5d39da6c425006a
- SHA256: 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357
- SHA512: 58f587433ce5f9271c49eee3de25efd7a52e76a01d99f535deabeef4697ba4715b6da561d9084c125e5076193c438cb8ba417a6997e7d5c63891079276611f8e
- SSDEEP: 12288:zm76zbLa+EuyokRmwdB9R5zxI2anAo+zciYototNWd1DWf3/jwuiUy6YYG:S76ra1uyokEN2anAobbototNWd1DWfby
Malware Config
Signatures
-
Yara rule matches (purplefox_rootkit)
resource | yara_rule
behavioral1/memory/2240-1-0x0000000010000000-0x00000000101B0000-memory.dmp | purplefox_rootkit
behavioral1/memory/2288-26-0x0000000000400000-0x0000000000591000-memory.dmp | purplefox_rootkit
behavioral1/memory/2896-24-0x0000000000400000-0x0000000000591000-memory.dmp | purplefox_rootkit
behavioral1/memory/2240-22-0x0000000000400000-0x0000000000591000-memory.dmp | purplefox_rootkit
behavioral1/memory/2896-44-0x0000000000400000-0x0000000000591000-memory.dmp | purplefox_rootkit
-
Drops file in Drivers directory (1 IoC)
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | Aqiyq.exe
-
Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Aqiyq.exe
-
Deletes itself (1 IoC)
pid | Process
2872 | cmd.exe
-
Executes dropped EXE (2 IoCs)
pid | Process
2288 | Aqiyq.exe
2896 | Aqiyq.exe
-
Yara rule matches (upx)
resource | yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000591000-memory.dmp | upx
behavioral1/files/0x0009000000012025-10.dat | upx
behavioral1/memory/2288-11-0x0000000000400000-0x0000000000591000-memory.dmp | upx
behavioral1/files/0x0009000000012025-19.dat | upx
behavioral1/files/0x0009000000012025-20.dat | upx
behavioral1/memory/2288-26-0x0000000000400000-0x0000000000591000-memory.dmp | upx
behavioral1/memory/2896-24-0x0000000000400000-0x0000000000591000-memory.dmp | upx
behavioral1/memory/2240-22-0x0000000000400000-0x0000000000591000-memory.dmp | upx
behavioral1/memory/2896-44-0x0000000000400000-0x0000000000591000-memory.dmp | upx
-
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | Aqiyq.exe
File opened (read-only) | \??\Q: | Aqiyq.exe
File opened (read-only) | \??\X: | Aqiyq.exe
File opened (read-only) | \??\I: | Aqiyq.exe
File opened (read-only) | \??\R: | Aqiyq.exe
File opened (read-only) | \??\S: | Aqiyq.exe
File opened (read-only) | \??\Z: | Aqiyq.exe
File opened (read-only) | \??\B: | Aqiyq.exe
File opened (read-only) | \??\E: | Aqiyq.exe
File opened (read-only) | \??\J: | Aqiyq.exe
File opened (read-only) | \??\L: | Aqiyq.exe
File opened (read-only) | \??\O: | Aqiyq.exe
File opened (read-only) | \??\T: | Aqiyq.exe
File opened (read-only) | \??\U: | Aqiyq.exe
File opened (read-only) | \??\V: | Aqiyq.exe
File opened (read-only) | \??\W: | Aqiyq.exe
File opened (read-only) | \??\Y: | Aqiyq.exe
File opened (read-only) | \??\G: | Aqiyq.exe
File opened (read-only) | \??\K: | Aqiyq.exe
File opened (read-only) | \??\M: | Aqiyq.exe
File opened (read-only) | \??\N: | Aqiyq.exe
File opened (read-only) | \??\P: | Aqiyq.exe
-
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Aqiyq.exe | 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
File opened for modification | C:\Windows\Aqiyq.exe | 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
-
Modifies data under HKEY_USERS (12 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | Aqiyq.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | Aqiyq.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | Aqiyq.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | Aqiyq.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | Aqiyq.exe
-
Runs ping.exe (1 TTP, 1 IoC)
pid | Process
2764 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses (33 IoCs)
pid | Process
2896 | Aqiyq.exe (this entry is repeated 33 times in the report)
-
Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
2896 | Aqiyq.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2240 | 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
Token: SeLoadDriverPrivilege | 2896 | Aqiyq.exe
Token: 33 | 2896 | Aqiyq.exe
Token: SeIncBasePriorityPrivilege | 2896 | Aqiyq.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2288 wrote to memory of 2896 | 2288 | Aqiyq.exe | 30
PID 2240 wrote to memory of 2872 | 2240 | 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe | 29
PID 2872 wrote to memory of 2764 | 2872 | cmd.exe | 32
(each of the three rows above appears 4 times in the report, giving the 12 IoCs)
Processes
-
C:\Users\Admin\AppData\Local\Temp\7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2240
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\7A27DC~1.EXE > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID: 2872
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
      PID: 2764
-
C:\Windows\Aqiyq.exe
  Command line: C:\Windows\Aqiyq.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2288
  C:\Windows\Aqiyq.exe
    Command line: C:\Windows\Aqiyq.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 2896
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 652KB
MD5: d793918f5dd516e211be5e6a14fdb607
SHA1: 00e9f5c14895bc5d8dad8eabb5d39da6c425006a
SHA256: 7a27dc2baf775a5e5c3fcd21dbf30708a9af444246caac78bd863ad1a8400357
SHA512: 58f587433ce5f9271c49eee3de25efd7a52e76a01d99f535deabeef4697ba4715b6da561d9084c125e5076193c438cb8ba417a6997e7d5c63891079276611f8e