Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 10:21
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe
  - Resource: win7-20240221-en
General
- Target: 36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe
- Size: 412KB
- MD5: 7e9da5d30b4a382f32849b0c1c023fc8
- SHA1: a924946f56c22998e643e3968978cf4840f53084
- SHA256: 36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971
- SHA512: 80c3ee897533fff96912199c2aeea4bc92a5906027d92d3a16aa79ae9abd3f9b4f40c37224e6875d38eeaa686f374172e27ff78ae6edeb8da8cac17565f0f105
- SSDEEP: 6144:HSnXXvkgGTzz00trtpVIOnd4RM6P0Nmr6YmcSUJinTEZEx8UxDSwz84:yH0zlLVIO2mascS2iz8wDSwz8
Malware Config
Signatures
purplefox_rootkit yara rule 3 IoCs
Processes:
  resource  yara_rule
  behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp  purplefox_rootkit
  behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp  purplefox_rootkit
  behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 5 IoCs
Processes:
  resource  yara_rule
  behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp  family_gh0strat
  behavioral1/memory/2120-3-0x0000000010000000-0x00000000101BE000-memory.dmp  family_gh0strat
  behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp  family_gh0strat
  behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp  family_gh0strat
  behavioral1/memory/1712-15-0x0000000010000000-0x00000000101BE000-memory.dmp  family_gh0strat
Deletes itself 1 IoCs
Processes:
  pid  process
  2196  cmd.exe
Executes dropped EXE 1 IoCs
Processes:
  pid  process
  1712  Dtldt.exe
Loads dropped DLL 1 IoCs
Processes:
  pid  process
  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe
upx yara rule 6 IoCs
Processes:
  resource  yara_rule
  behavioral1/memory/2120-0-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
  behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
  behavioral1/memory/2120-3-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
  behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
  behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
  behavioral1/memory/1712-15-0x0000000010000000-0x00000000101BE000-memory.dmp  upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description  pid  process
  Token: SeIncBasePriorityPrivilege  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description  pid  process  target process
  PID 2120 wrote to memory of 1712  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  Dtldt.exe
  PID 2120 wrote to memory of 1712  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  Dtldt.exe
  PID 2120 wrote to memory of 1712  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  Dtldt.exe
  PID 2120 wrote to memory of 1712  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  Dtldt.exe
  PID 2120 wrote to memory of 2196  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  cmd.exe
  PID 2120 wrote to memory of 2196  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  cmd.exe
  PID 2120 wrote to memory of 2196  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  cmd.exe
  PID 2120 wrote to memory of 2196  2120  36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe  cmd.exe
  PID 2196 wrote to memory of 2564  2196  cmd.exe  PING.EXE
  PID 2196 wrote to memory of 2564  2196  cmd.exe  PING.EXE
  PID 2196 wrote to memory of 2564  2196  cmd.exe  PING.EXE
  PID 2196 wrote to memory of 2564  2196  cmd.exe  PING.EXE
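The signature tables above arrive flattened: every yara hit is a memory dump named pid-sequence-base-end, and the WriteProcessMemory table repeats each parent/child pair once per call. The Python below is added here as a worked example; it is not part of the sandbox report or of any vendor tooling. The rows it parses are copied from this report. The reading of 0x10000000 as the MSVC linker's default DLL image base is general PE knowledge and an interpretation of mine, not something the report states.

```python
"""Structure the flattened signature rows of the sandbox report above.

Added example, not part of the report: it parses the memory-dump resource
names and the WriteProcessMemory rows into IoCs you can reason about (which
region the yara rules hit, how big it is, which processes share it, and the
parent/child graph of the run).
"""
import re
from collections import Counter, defaultdict

SAMPLE = "36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe"

# Rows copied from the purplefox_rootkit, family_gh0strat and upx tables.
YARA_ROWS = """\
behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp purplefox_rootkit
behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp purplefox_rootkit
behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp purplefox_rootkit
behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp family_gh0strat
behavioral1/memory/2120-3-0x0000000010000000-0x00000000101BE000-memory.dmp family_gh0strat
behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp family_gh0strat
behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp family_gh0strat
behavioral1/memory/1712-15-0x0000000010000000-0x00000000101BE000-memory.dmp family_gh0strat
behavioral1/memory/2120-0-0x0000000010000000-0x00000000101BE000-memory.dmp upx
behavioral1/memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp upx
behavioral1/memory/2120-3-0x0000000010000000-0x00000000101BE000-memory.dmp upx
behavioral1/memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp upx
behavioral1/memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp upx
behavioral1/memory/1712-15-0x0000000010000000-0x00000000101BE000-memory.dmp upx
"""

# The twelve "Suspicious use of WriteProcessMemory" rows; the report lists
# each parent/child pair four times (one row per WriteProcessMemory call).
WPM_ROWS = " ".join(
    [f"PID 2120 wrote to memory of 1712 2120 {SAMPLE} Dtldt.exe"] * 4
    + [f"PID 2120 wrote to memory of 2196 2120 {SAMPLE} cmd.exe"] * 4
    + ["PID 2196 wrote to memory of 2564 2196 cmd.exe PING.EXE"] * 4
)

# <task>/memory/<pid>-<dump seq>-0x<base>-0x<end>-memory.dmp <rule>
DUMP_RE = re.compile(
    r"behavioral\d+/memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp\s+(\S+)"
)
# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")

# Default ImageBase the MSVC linker gives a DLL (general PE knowledge, not from
# the report): a module seen exactly here was loaded at its preferred base.
DEFAULT_DLL_BASE = 0x10000000


def parse_dump_rows(text):
    """Return one dict per row with integer pid/seq/base/end and the byte size."""
    rows = []
    for pid, seq, base, end, rule in DUMP_RE.findall(text):
        base, end = int(base, 16), int(end, 16)
        rows.append({"pid": int(pid), "seq": int(seq), "base": base, "end": end,
                     "size": end - base, "rule": rule})
    return rows


def regions_by_rule(rows):
    """Map each yara rule to the set of (pid, base, end) regions it matched in."""
    out = defaultdict(set)
    for r in rows:
        out[r["rule"]].add((r["pid"], r["base"], r["end"]))
    return dict(out)


def first_hit_seq(rows, rule):
    """Dump sequence number at which a rule first matched (lower = earlier)."""
    return min(r["seq"] for r in rows if r["rule"] == rule)


def size_label(nbytes):
    """Format like the report's Filesize column (0x1BE000 -> '1.7MB')."""
    return f"{nbytes / 1024 / 1024:.1f}MB"


def parse_wpm_rows(text):
    """Count WriteProcessMemory calls per (writer pid, target pid); record image names."""
    edges, images = Counter(), {}
    for src, dst, src_img, dst_img in WPM_RE.findall(text):
        edges[(int(src), int(dst))] += 1
        images[int(src)], images[int(dst)] = src_img, dst_img
    return edges, images


def process_tree(edges):
    """Parent -> children, in first-seen order (Counter keeps insertion order)."""
    tree = defaultdict(list)
    for src, dst in edges:
        tree[src].append(dst)
    return dict(tree)


if __name__ == "__main__":
    rows = parse_dump_rows(YARA_ROWS)
    for rule, regions in regions_by_rule(rows).items():
        where = ", ".join(f"pid {p} {b:#x}-{e:#x} ({size_label(e - b)})"
                          for p, b, e in sorted(regions))
        print(f"{rule:18} first dump #{first_hit_seq(rows, rule)}  {where}")
    at_default = sorted({r["pid"] for r in rows if r["base"] == DEFAULT_DLL_BASE})
    print("module at default DLL base in pids:", at_default)
    edges, images = parse_wpm_rows(WPM_ROWS)
    for parent, kids in process_tree(edges).items():
        for kid in kids:
            print(f"{images[parent]} ({parent}) -> {images[kid]} ({kid}): "
                  f"{edges[(parent, kid)]} writes")
```

Run as written it shows that all fourteen hits are the same 0x1BE000-byte (1.7MB) region at 0x10000000, first in pid 2120 and later in pid 1712 (the dropped Dtldt.exe), so both processes carry the same module; that the upx rule already matches in dump 0 while family_gh0strat and purplefox_rootkit only appear from dump 2 onward, which is consistent with a UPX-packed module being unpacked in place; and that the twelve WriteProcessMemory rows collapse to three parent/child edges (2120 to 1712, 2120 to 2196, 2196 to 2564) with four calls each. The SysWOW64 paths in the process tree below mean these are 32-bit processes, which fits a 32-bit module at that base.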
Processes
- C:\Users\Admin\AppData\Local\Temp\36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dtldt.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dtldt.exe"
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\36AED5~1.EXE > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
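Two behaviours in this tree are good detection anchors. The sample copies itself to the all-users Startup folder as Dtldt.exe (the Downloads section shows the dropped file with the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so it is a byte-for-byte copy), and it then removes its original through cmd.exe /c ping -n 2 127.0.0.1 > nul && del, referring to the original by its 8.3 short name 36AED5~1.EXE. The Python below is an added example and not part of the report: its events are constructed to mirror the process tree in the shape of Sysmon Event ID 1 / Security 4688 process-creation records, with one benign control added, and the rule names and the ATT&CK mappings in the comments (T1547.001 for the Startup folder, T1070.004 for file deletion) are this example's own.

```python
"""Detect the self-deletion and Startup-folder persistence seen in this run.

Added example, not from the report or a vendor rule set. EVENTS is
constructed to mirror the report's process tree as process-creation
records (pid, parent pid, image path, command line) plus a benign control.
"""
import ntpath
import re

SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971.exe"
STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed process-creation events modelled on the report's process tree.
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2120, "ppid": 1000, "image": ntpath.join(SAMPLE_DIR, SAMPLE),
     "cmdline": f'"{ntpath.join(SAMPLE_DIR, SAMPLE)}"'},
    {"pid": 1712, "ppid": 2120, "image": ntpath.join(STARTUP, "Dtldt.exe"),
     "cmdline": f'"{ntpath.join(STARTUP, "Dtldt.exe")}"'},
    {"pid": 2196, "ppid": 2120, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del "
                 + SAMPLE_DIR + r"\36AED5~1.EXE > nul")},
    {"pid": 2564, "ppid": 2196, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"},
    # Benign control: an admin script using the same ping-as-sleep idiom on a log file.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\logs\old.log"},
]

# "ping -n <count> <host> ... && del <path>": ping to localhost acts as a sleep
# so the parent can exit and release its image file before the del runs.
PING_DEL_RE = re.compile(
    r'ping(?:\.exe)?\s+-n\s+\d+\s+\S+.*?&&\s*del\b\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
SHORT_NAME_RE = re.compile(r"([^~]{1,6})~\d+")  # 8.3 alias: first 6 chars + ~N


def same_file(deleted, image):
    """True if `deleted` names `image`, allowing an 8.3 short name (36AED5~1.EXE)."""
    if ntpath.dirname(deleted).upper() != ntpath.dirname(image).upper():
        return False
    d_stem, d_ext = ntpath.splitext(ntpath.basename(deleted).upper())
    i_stem, i_ext = ntpath.splitext(ntpath.basename(image).upper())
    if d_ext != i_ext:
        return False
    if d_stem == i_stem:
        return True
    m = SHORT_NAME_RE.fullmatch(d_stem)
    return bool(m) and i_stem.startswith(m.group(1))


def detect(events):
    """Return (rule, pid, detail) tuples for the behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if STARTUP_RE.search(e["image"]):
            # T1547.001: executable running out of the all-users Startup folder.
            alerts.append(("startup_folder_exec", e["pid"], e["image"]))
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = PING_DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("q") or m.group("u")
        parent = by_pid.get(e["ppid"])
        if parent and same_file(target, parent["image"]):
            # T1070.004: the child deletes its parent's own image file.
            alerts.append(("self_delete_via_ping", e["pid"], target))
        else:
            alerts.append(("delayed_delete", e["pid"], target))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The self-delete check resolves the 8.3 alias against the parent's long image name before alerting, which separates this run from the same ping-then-del idiom in ordinary admin scripts (kept here as the lower-value delayed_delete result). In production you would also key on the parent being an unsigned binary in a user-writable path such as %TEMP%, and pair the Startup-folder rule with a file-create event for the drop itself.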
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Dtldt.exe
  Filesize: 412KB
  MD5: 7e9da5d30b4a382f32849b0c1c023fc8
  SHA1: a924946f56c22998e643e3968978cf4840f53084
  SHA256: 36aed5f98e2fb9b5bfdd511c4523433fb064ccf8fa11e3ff35ea824263d9d971
  SHA512: 80c3ee897533fff96912199c2aeea4bc92a5906027d92d3a16aa79ae9abd3f9b4f40c37224e6875d38eeaa686f374172e27ff78ae6edeb8da8cac17565f0f105
- memory/1712-15-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB
- memory/2120-0-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB
- memory/2120-2-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB
- memory/2120-3-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB
- memory/2120-4-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB
- memory/2120-12-0x0000000010000000-0x00000000101BE000-memory.dmp
  Filesize: 1.7MB