Analysis
- max time kernel: 119s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 07:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
- Resource: win7-20240221-en
General
- Target: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
- Size: 1.1MB
- MD5: 3ad60cf4f9cfab3ffe75ba1666e0bb33
- SHA1: 01080eeb296aceb03f2a986b6af9f27a7d7e8366
- SHA256: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def
- SHA512: 4f4757f8b59dc2ef8c114e5ddfeececba26ced653ee878324d9213a1c967479a01f3e3bd7e801944f883a83480434aecaed95714f03ef842af8a4738ce8bbf7e
- SSDEEP: 24576:EZLzm2RyofZCfsHKAWHsm+3MnduJaaHV/V8cCD2b50Z:+m2R1faAWHP+3MnduJaaHtVH950Z
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral1/memory/1692-2-0x0000000010000000-0x000000001017F000-memory.dmp | purplefox_rootkit
behavioral1/memory/2484-25-0x0000000010000000-0x000000001017F000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1692-2-0x0000000010000000-0x000000001017F000-memory.dmp | family_gh0strat
behavioral1/memory/2484-25-0x0000000010000000-0x000000001017F000-memory.dmp | family_gh0strat
-
Drops file in Drivers directory 1 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | svchost.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | svchost.exe
-
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
2564 | cmd.exe
-
Executes dropped EXE 2 IoCs
Processes: svchost.exe, svchost.exe
pid | process
2616 | svchost.exe
2484 | svchost.exe
-
Loads dropped DLL 4 IoCs
Processes: WerFault.exe
pid | process
2456 | WerFault.exe
2456 | WerFault.exe
2456 | WerFault.exe
2456 | WerFault.exe
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: svchost.exe
description | ioc | process
File opened (read-only) | \??\N: | svchost.exe
File opened (read-only) | \??\O: | svchost.exe
File opened (read-only) | \??\P: | svchost.exe
File opened (read-only) | \??\X: | svchost.exe
File opened (read-only) | \??\Y: | svchost.exe
File opened (read-only) | \??\B: | svchost.exe
File opened (read-only) | \??\E: | svchost.exe
File opened (read-only) | \??\M: | svchost.exe
File opened (read-only) | \??\Z: | svchost.exe
File opened (read-only) | \??\S: | svchost.exe
File opened (read-only) | \??\G: | svchost.exe
File opened (read-only) | \??\I: | svchost.exe
File opened (read-only) | \??\R: | svchost.exe
File opened (read-only) | \??\K: | svchost.exe
File opened (read-only) | \??\V: | svchost.exe
File opened (read-only) | \??\W: | svchost.exe
File opened (read-only) | \??\Q: | svchost.exe
File opened (read-only) | \??\T: | svchost.exe
File opened (read-only) | \??\U: | svchost.exe
File opened (read-only) | \??\H: | svchost.exe
File opened (read-only) | \??\J: | svchost.exe
File opened (read-only) | \??\L: | svchost.exe
-
Drops file in Program Files directory 2 IoCs
Processes: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
description | ioc | process
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe | 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe | 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
2456 | 2616 | WerFault.exe | svchost.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes: svchost.exe
pid | process
2484 | svchost.exe (same entry listed 52 times)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes: svchost.exe
pid | process
2484 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe, svchost.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 1692 | 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
Token: SeLoadDriverPrivilege | 2484 | svchost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: svchost.exe, 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
description | pid | process | target process
PID 2616 wrote to memory of 2484 | 2616 | svchost.exe | svchost.exe (4 entries)
PID 1692 wrote to memory of 2564 | 1692 | 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe | cmd.exe (4 entries)
PID 2616 wrote to memory of 2456 | 2616 | svchost.exe | WerFault.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def.exe"
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (child)
    Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\19923D~1.EXE > nul
    - Deletes itself
- C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe (child)
    Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\svchost.exe" Win7
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 252
    - Loads dropped DLL
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\Common Files\microsoft shared\svchost.exe
  Filesize: 1.1MB
  MD5: 3ad60cf4f9cfab3ffe75ba1666e0bb33
  SHA1: 01080eeb296aceb03f2a986b6af9f27a7d7e8366
  SHA256: 19923d744ef7a6ffa2b8ea8f8adac9ba736090e04bc9f33610c71deb7e709def
  SHA512: 4f4757f8b59dc2ef8c114e5ddfeececba26ced653ee878324d9213a1c967479a01f3e3bd7e801944f883a83480434aecaed95714f03ef842af8a4738ce8bbf7e
- memory/1692-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB
- memory/1692-2-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB
- memory/2484-25-0x0000000010000000-0x000000001017F000-memory.dmp
  Filesize: 1.5MB