Analysis

max time kernel: 146s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/08/2023, 17:09

Static task: static1
Behavioral task: behavioral1
  Sample: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  Resource: win7-20230712-en
  8 signatures, 150 seconds

Note that the task listed here (behavioral1) ran on win7-20230712-en, while the signature rows further down are labelled behavioral2 and the platform fields above describe the Windows 10 2004 x64 image; the page mixes the task list with the results of the Windows 10 run.
General

Target: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
Size: 1.3MB
MD5: 9ea484bbe9d9302a42e09bd0ea06399c
SHA1: 4f1d33fd61cc351ed646fa2391bb1d8e98afdbc8
SHA256: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127
SHA512: 3476843cc073d40758ad40724e52ce9675349fa140b39821575b1c0e53cd5adb9e01a51b1f6b6954f4a659d5cf571e32bb9a9c891fccec1437103c28c1441bdb
SSDEEP: 24576:NOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNZ:AHPkVOBTK
Malware Config
Signatures

YARA rule purplefox_rootkit
  resource: behavioral2/memory/5004-0-0x0000000010000000-0x000000001019F000-memory.dmp
  yara_rule: purplefox_rootkit

Gh0st RAT payload 1 IoCs
  resource: behavioral2/memory/5004-0-0x0000000010000000-0x000000001019F000-memory.dmp
  yara_rule: family_gh0strat

Both YARA hits come from the same memory region of PID 5004 (0x10000000 to 0x1019F000). 0x10000000 is the default preferred image base of a 32-bit DLL, so this is most likely a module mapped into the process rather than the main executable image, and because both rules fired on one region the two family labels are not independent evidence; treat them as one classification to confirm, not two.

Drops file in Drivers directory 1 IoCs
  description: File created
  ioc: C:\Windows\system32\drivers\QAssist.sys
  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe

Sets service image path in registry 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"
  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe

Suspicious behavior: LoadsDriver 1 IoCs
  pid: 5004
  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
  Token: SeLoadDriverPrivilege      pid: 5004  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  Token: 33                         pid: 5004  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  Token: SeIncBasePriorityPrivilege pid: 5004  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  Token: 33                         pid: 5004  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  Token: SeIncBasePriorityPrivilege pid: 5004  process: 76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe

"Token: 33" is a privilege the sandbox reports by LUID only; in winnt.h LUID 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege). Taken together, the last four signatures are the standard user-mode sequence for installing a kernel driver: enable SeLoadDriverPrivilege on the process token, write the .sys into the drivers directory, create a service key whose ImagePath points at it, then load it (NtLoadDriver requires that privilege and reads the ImagePath from the service key). The report does not say whether the load succeeded or whether QAssist.sys carries a valid signature. On a host suspected of infection, the two artifacts to check first are the HKLM\SYSTEM\CurrentControlSet\Services\QAssist key and the file C:\Windows\system32\drivers\QAssist.sys.
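The driver-installation chain above (file dropped into the drivers directory, service ImagePath set, driver loaded, all from one PID) is what a detection should key on rather than any single event. The script below is an added example, not part of the sandbox report or of Triage: it correlates constructed Sysmon-style records (event IDs 11, 13 and 6; field names mimic Sysmon but the records are hand-written from the report's own IoCs for PID 5004 and QAssist.sys) into one finding per process that both dropped a .sys and registered it as a service, raising severity when a matching DriverLoad event is present. The AdjustPrivilegeToken behaviour has no Sysmon equivalent and is deliberately not modelled.

```python
"""Correlate endpoint telemetry into a kernel-driver persistence finding.

Added example, not part of the sandbox report or of Triage. SAMPLE_EVENTS is
constructed by hand from the report's IoCs (PID 5004, QAssist.sys, the
QAssist service ImagePath); field names mimic Sysmon event IDs 11
(FileCreate), 13 (RegistryEvent SetValue) and 6 (DriverLoad), but the
records are not captured telemetry.
"""
import re
from collections import defaultdict

# A .sys written directly under the drivers directory.
DRIVERS_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\([^\\]+\.sys)$", re.I)

# ImagePath of any service, in either the HKLM\ form Sysmon emits or the
# native \REGISTRY\MACHINE\ form the report above shows.
IMAGEPATH_KEY = re.compile(
    r"^(?:hklm|\\registry\\machine)\\system\\(?:currentcontrolset|controlset\d+)"
    r"\\services\\([^\\]+)\\imagepath$",
    re.I,
)

# Last path component ending in .sys, tolerant of \SystemRoot\, \??\ and quotes.
SYS_BASENAME = re.compile(r'([^\\"]+\.sys)\s*$', re.I)


def basename_from_imagepath(value):
    """Reduce an ImagePath value (relative, \\??\\-prefixed, quoted or not)
    to a lower-case driver file name, or None if it does not name a .sys."""
    m = SYS_BASENAME.search(value.strip().strip('"'))
    return m.group(1).lower() if m else None


def find_driver_persistence(events):
    """One finding per (pid, driver) where the same process both wrote a .sys
    into the drivers directory and registered it as a service ImagePath.
    A DriverLoad event naming the same file raises severity to high."""
    dropped = defaultdict(set)      # (pid, driver) -> {full paths written}
    registered = defaultdict(dict)  # (pid, driver) -> {service: ImagePath}
    loaded = set()                  # driver basenames seen in DriverLoad
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            m = DRIVERS_DIR.match(ev["TargetFilename"])
            if m:
                dropped[(ev["ProcessId"], m.group(1).lower())].add(ev["TargetFilename"])
        elif eid == 13:
            m = IMAGEPATH_KEY.match(ev["TargetObject"])
            if m:
                drv = basename_from_imagepath(ev["Details"])
                if drv:
                    registered[(ev["ProcessId"], drv)][m.group(1)] = ev["Details"]
        elif eid == 6:
            m = SYS_BASENAME.search(ev["ImageLoaded"])
            if m:
                loaded.add(m.group(1).lower())

    findings = []
    for key in sorted(set(dropped) & set(registered)):
        pid, drv = key
        for service, image_path in sorted(registered[key].items()):
            was_loaded = drv in loaded
            findings.append({
                "pid": pid,
                "driver": drv,
                "service": service,
                "image_path": image_path,
                "dropped_as": sorted(dropped[key]),
                "loaded": was_loaded,
                "severity": "high" if was_loaded else "medium",
            })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe"

# Constructed records modelled on the report's signatures, plus two benign
# events (a non-driver file write and a non-ImagePath service value) as noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5004, "Image": SAMPLE},
    {"EventID": 11, "ProcessId": 5004,
     "TargetFilename": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"EventID": 13, "ProcessId": 5004,
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "Details": r"system32\DRIVERS\QAssist.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\QAssist.sys"},
    {"EventID": 11, "ProcessId": 1234,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\setup.log"},
    {"EventID": 13, "ProcessId": 1234,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\Start",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for f in find_driver_persistence(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} dropped {f['driver']} and registered "
              f"service {f['service']} -> {f['image_path']} (loaded={f['loaded']})")
```

Correlating on the PID is what keeps this quiet on real hosts: legitimate driver installers (setup programs, Windows Update) also write to the drivers directory and set ImagePath, but they are usually signed, well-known images; the finding carries the PID so the analyst can pivot to the process image and its signature before escalating.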
Processes

C:\Users\Admin\AppData\Local\Temp\76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\76d338876a4f7910a1e4cb8c5e06871d193a3b28246c5ae8b2d35c570612a127.exe"
  PID: 5004
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken