Analysis
-
max time kernel
5s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
26/12/2023, 10:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe
Resource
win7-20231215-en
windows7-x64
11 signatures
150 seconds
General
-
Target
5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe
-
Size
1.4MB
-
MD5
400644e43f796fb3c7c48dead2d5997e
-
SHA1
0afa85b6fcfdfff1f014240421d8af64106fad4a
-
SHA256
5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad
-
SHA512
7a6f14f52557c097431224f3169fb287e84b93ed6a68fb1bb0324dd7baba0e013a7d83d4015eee87e1c0170596e8594311d5d794f35f5b225c37c20411ca5455
-
SSDEEP
24576:wOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN6c:5HPkVOBTK6
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3640-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2124-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3052-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/3640-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2124-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3052-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Pqiyq.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Pqiyq.exe -
Executes dropped EXE 2 IoCs
pid Process 2124 Pqiyq.exe 3052 Pqiyq.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: Pqiyq.exe File opened (read-only) \??\O: Pqiyq.exe File opened (read-only) \??\H: Pqiyq.exe File opened (read-only) \??\L: Pqiyq.exe File opened (read-only) \??\N: Pqiyq.exe File opened (read-only) \??\Y: Pqiyq.exe File opened (read-only) \??\Z: Pqiyq.exe File opened (read-only) \??\J: Pqiyq.exe File opened (read-only) \??\G: Pqiyq.exe File opened (read-only) \??\I: Pqiyq.exe File opened (read-only) \??\P: Pqiyq.exe File opened (read-only) \??\U: Pqiyq.exe File opened (read-only) \??\B: Pqiyq.exe File opened (read-only) \??\K: Pqiyq.exe File opened (read-only) \??\Q: Pqiyq.exe File opened (read-only) \??\R: Pqiyq.exe File opened (read-only) \??\S: Pqiyq.exe File opened (read-only) \??\T: Pqiyq.exe File opened (read-only) \??\V: Pqiyq.exe File opened (read-only) \??\W: Pqiyq.exe File opened (read-only) \??\E: Pqiyq.exe File opened (read-only) \??\X: Pqiyq.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pqiyq.exe 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe File opened for modification C:\Windows\SysWOW64\Pqiyq.exe 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Pqiyq.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Pqiyq.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Pqiyq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Pqiyq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Pqiyq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Pqiyq.exe Key created \REGISTRY\USER\.DEFAULT\Software Pqiyq.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4164 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe 3052 Pqiyq.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3052 Pqiyq.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3640 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe Token: SeLoadDriverPrivilege 3052 Pqiyq.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3640 wrote to memory of 2232 3640 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe 23 PID 3640 wrote to memory of 2232 3640 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe 23 PID 3640 wrote to memory of 2232 3640 5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe 23 PID 2124 wrote to memory of 3052 2124 Pqiyq.exe 22 PID 2124 wrote to memory of 3052 2124 Pqiyq.exe 22 PID 2124 wrote to memory of 3052 2124 Pqiyq.exe 22 PID 2232 wrote to memory of 4164 2232 cmd.exe 20 PID 2232 wrote to memory of 4164 2232 cmd.exe 20 PID 2232 wrote to memory of 4164 2232 cmd.exe 20
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe"C:\Users\Admin\AppData\Local\Temp\5b0f4b6990fcd218cae55530e1fa4b5f7d18d5d58bf16407c02b17b58ea31cad.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\5B0F4B~1.EXE > nul2⤵
- Suspicious use of WriteProcessMemory
PID:2232
-
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.11⤵
- Runs ping.exe
PID:4164
-
C:\Windows\SysWOW64\Pqiyq.exeC:\Windows\SysWOW64\Pqiyq.exe -acsi1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
C:\Windows\SysWOW64\Pqiyq.exeC:\Windows\SysWOW64\Pqiyq.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124