Analysis

- max time kernel: 145s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 11:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
- Resource: win7-20231129-en
General

- Target: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
- Size: 1.6MB
- MD5: 977835f800411f890e27df62a3007aa0
- SHA1: f36c6f5f2710b1b9768e2c4cbbca436128a32069
- SHA256: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32
- SHA512: 0c3b80efb020b548d3ee48cdac5892df25840c3542429c140366abe08f9e2036ce0c80caa01f6e1995451cce4d0647cc011f187519c9b0b86d58032807b98354
- SSDEEP: 24576:NYAyyzawhZvk90l7RNbBOUHJYTUgESji6ywZFa6tIbJNS7q+SnqTlsKBxgCrl:NBuwhlyJuYTUgEYifwNW9Y2DKNB3
Malware Config
Signatures

YARA rule purplefox_rootkit 11 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/888-4-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/888-6-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/888-3-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2196-18-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2196-17-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/888-24-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2196-28-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2984-31-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2984-34-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2984-33-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
- behavioral1/memory/2984-32-0x0000000010000000-0x00000000101D0000-memory.dmp: purplefox_rootkit
Gh0st RAT payload 11 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/888-4-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/888-6-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/888-3-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2196-18-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2196-17-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/888-24-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2196-28-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2984-31-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2984-34-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2984-33-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
- behavioral1/memory/2984-32-0x0000000010000000-0x00000000101D0000-memory.dmp: family_gh0strat
Deletes itself 1 IoCs
Processes (pid: process):
- 2140: cmd.exe
Executes dropped EXE 2 IoCs
Processes (pid: process):
- 2196: Aqrjk.exe
- 2984: Aqrjk.exe
Loads dropped DLL 1 IoCs
Processes (pid: process):
- 2196: Aqrjk.exe
YARA rule upx 13 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/888-1-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/888-4-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/888-6-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/888-3-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2196-18-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2196-17-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/888-24-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2196-28-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2984-29-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2984-31-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2984-34-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2984-33-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
- behavioral1/memory/2984-32-0x0000000010000000-0x00000000101D0000-memory.dmp: upx
Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs
Processes (pid: process):
- 888: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe (1 IoC)
- 2196: Aqrjk.exe (2 IoCs)
- 2984: Aqrjk.exe (16 IoCs)
Drops file in Program Files directory 2 IoCs
Processes (description, ioc, process):
- File created: C:\Program Files\Aqrjk.exe, by 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
- File opened for modification: C:\Program Files\Aqrjk.exe, by 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeIncBasePriorityPrivilege, pid 888, 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid: process):
- 888: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe
- 2196: Aqrjk.exe
- 2984: Aqrjk.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes (description, pid, process, target process):
- PID 2196 wrote to memory of 2984: Aqrjk.exe -> Aqrjk.exe (4 IoCs)
- PID 888 wrote to memory of 2140: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe -> cmd.exe (4 IoCs)
- PID 2140 wrote to memory of 2596: cmd.exe -> PING.EXE (4 IoCs)
Processes

C:\Users\Admin\AppData\Local\Temp\8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32.exe"
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\8330F8~1.EXE > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (depth 3)
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe

C:\Program Files\Aqrjk.exe (depth 1)
Command line: "C:\\Program Files\\Aqrjk.exe" -auto
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Program Files\Aqrjk.exe (depth 2)
    Command line: "C:\Program Files\Aqrjk.exe" -acsi
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files\Aqrjk.exe
- Filesize: 1.6MB
- MD5: 977835f800411f890e27df62a3007aa0
- SHA1: f36c6f5f2710b1b9768e2c4cbbca436128a32069
- SHA256: 8330f862d22038099fde5faf8237b62db97a2c4c8c34fb7bf10179d3d56e8f32
- SHA512: 0c3b80efb020b548d3ee48cdac5892df25840c3542429c140366abe08f9e2036ce0c80caa01f6e1995451cce4d0647cc011f187519c9b0b86d58032807b98354