Analysis

max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 16:45

Static task: static1
Behavioral task: behavioral1
  Sample: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
  Resource: win7-20240221-en
General

Target: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Size: 1.3MB
MD5: 18cfb21212f6a3356d5685fdf2c43da8
SHA1: ee69992996a79696f845370b0293fc11f9990c81
SHA256: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506
SHA512: 1042b8a3a42126f991d66de20175500d651e3b16922cdbcd7fc27af48225730ddec48d103f9097206690ae5fdc94342253ff30199eb7161699f84b41352dc9be
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNY:QHPkVOBTK
Malware Config

Signatures

YARA rule purplefox_rootkit matched 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2008-0-0x0000000010000000-0x000000001019F000-memory.dmp    purplefox_rootkit
  behavioral1/memory/2536-18-0x0000000010000000-0x000000001019F000-memory.dmp   purplefox_rootkit
Gh0st RAT payload 2 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/2008-0-0x0000000010000000-0x000000001019F000-memory.dmp    family_gh0strat
  behavioral1/memory/2536-18-0x0000000010000000-0x000000001019F000-memory.dmp   family_gh0strat
Drops file in Drivers directory 1 IoCs
  description    ioc                                        process
  File created   C:\Windows\system32\drivers\QAssist.sys    sainbox.exe
Sets service image path in registry 2 TTPs 1 IoCs
  description        ioc                                                                                                 process
  Set value (str)    \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"   sainbox.exe
Deletes itself 1 IoCs
  pid     process
  2556    cmd.exe
Executes dropped EXE 2 IoCs
  pid     process
  2832    sainbox.exe
  2536    sainbox.exe
Loads dropped DLL 1 IoCs
  pid     process
  2832    sainbox.exe
Drops file in System32 directory 2 IoCs
  description                    ioc                                 process
  File created                   C:\Windows\SysWOW64\sainbox.exe     ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
  File opened for modification   C:\Windows\SysWOW64\sainbox.exe     ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Modifies data under HKEY_USERS 4 IoCs
  description        ioc                                                                                                                process
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                sainbox.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"    sainbox.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   sainbox.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                             sainbox.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
  pid     process
  2536    sainbox.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
  description                          pid     process
  Token: SeIncBasePriorityPrivilege    2008    ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
  Token: SeLoadDriverPrivilege         2536    sainbox.exe
  Token: 33                            2536    sainbox.exe
  Token: SeIncBasePriorityPrivilege    2536    sainbox.exe
  Token: 33                            2536    sainbox.exe
  Token: SeIncBasePriorityPrivilege    2536    sainbox.exe
Suspicious use of WriteProcessMemory 12 IoCs
  description                          pid     process                                                                   target process
  PID 2008 wrote to memory of 2556     2008    ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe     cmd.exe      (4 events)
  PID 2832 wrote to memory of 2536     2832    sainbox.exe                                                               sainbox.exe  (4 events)
  PID 2556 wrote to memory of 2592     2556    cmd.exe                                                                   PING.EXE     (4 events)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe (PID 2008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2556)
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\BA699E~1.EXE > nul
        - Deletes itself
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE (PID 2592)
            Command line: ping -n 2 127.0.0.1
            - Runs ping.exe

[1] C:\Windows\SysWOW64\sainbox.exe (PID 2832)
    Command line: C:\Windows\SysWOW64\sainbox.exe -auto
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\sainbox.exe (PID 2536)
        Command line: C:\Windows\SysWOW64\sainbox.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
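The behaviours in the tree above (a cmd.exe child that sleeps with a loopback ping and then del's the dropper, a .sys written into the drivers directory followed by a service ImagePath pointing at it, and a freshly dropped executable that then runs) map directly onto host-log detections. The script below is an added example written for this page; it is not sandbox output and not code from the sample. Its event records are constructed in a Sysmon-like shape from the IoCs reported here, and the field names (type, pid, ppid, image, cmdline, path, key, value) are assumptions, not a real log schema.

```python
"""Toy detections modelled on the behaviours in this sandbox report.

EVENTS is a constructed, Sysmon-like event stream (assumed field names,
roughly following event IDs 1 process create, 11 file create, 13 registry
value set). It is not the sandbox's own output.
"""
import re
from typing import Dict, List

EVENTS: List[Dict] = [
    {"type": "process", "pid": 2008, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe"'},
    {"type": "file", "pid": 2008, "path": r"C:\Windows\SysWOW64\sainbox.exe"},
    {"type": "process", "pid": 2556, "ppid": 2008, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\BA699E~1.EXE > nul"},
    {"type": "process", "pid": 2592, "ppid": 2556, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"},
    {"type": "process", "pid": 2832, "ppid": 600, "image": r"C:\Windows\SysWOW64\sainbox.exe",
     "cmdline": r"C:\Windows\SysWOW64\sainbox.exe -auto"},
    {"type": "process", "pid": 2536, "ppid": 2832, "image": r"C:\Windows\SysWOW64\sainbox.exe",
     "cmdline": r"C:\Windows\SysWOW64\sainbox.exe -acsi"},
    {"type": "file", "pid": 2536, "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "registry", "pid": 2536,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    # Constructed benign noise: a ping with no loopback target and no del.
    {"type": "process", "pid": 3000, "ppid": 1234, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 1 10.0.0.5"},
]

# ping -n <N> 127.0.0.1 used as a sleep, chained into del with &&.
SELF_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*&&\s*del\b", re.IGNORECASE)


def detect_self_delete(events):
    """Rule 1: cmd.exe that sleeps via loopback ping, then deletes a file.
    Returns (cmd_pid, parent_pid, deleted_path). The del target is kept as
    written (here an 8.3 short name), so it is not compared to the parent image."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\cmd.exe"):
            continue
        if SELF_DELETE.search(e["cmdline"]):
            m = re.search(r"del\s+(\S+)", e["cmdline"], re.IGNORECASE)
            hits.append((e["pid"], e["ppid"], m.group(1) if m else ""))
    return hits


def detect_driver_service(events):
    """Rule 2: a .sys created under a drivers directory by process P, followed by
    P setting services\\<name>\\ImagePath whose file name is that same driver.
    Returns (pid, service_name, driver_basename_lower)."""
    dropped = {}  # driver basename (lower) -> pid that created it
    hits = []
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".sys") \
                and "\\drivers\\" in e["path"].lower():
            dropped[e["path"].rsplit("\\", 1)[-1].lower()] = e["pid"]
        elif e["type"] == "registry" and e["key"].lower().endswith("\\imagepath"):
            base = e["value"].rsplit("\\", 1)[-1].lower()
            if dropped.get(base) == e["pid"]:
                service = e["key"].split("\\")[-2]
                hits.append((e["pid"], service, base))
    return hits


def detect_executes_dropped(events):
    """Rule 3: an .exe written by one process later starts as a new process.
    Returns (creator_pid, new_pid, image_path)."""
    created = {}  # path (lower) -> pid that wrote it
    hits = []
    for e in events:
        if e["type"] == "file" and e["path"].lower().endswith(".exe"):
            created[e["path"].lower()] = e["pid"]
        elif e["type"] == "process" and e["image"].lower() in created:
            hits.append((created[e["image"].lower()], e["pid"], e["image"]))
    return hits


if __name__ == "__main__":
    for name, rule in (("self-delete", detect_self_delete),
                       ("driver+service", detect_driver_service),
                       ("executes dropped exe", detect_executes_dropped)):
        for hit in rule(EVENTS):
            print(f"[{name}] {hit}")
```

Rule 1 deliberately does not require the del target to equal the parent's image path: the report shows the dropper deleting itself through its 8.3 short name (BA699E~1.EXE), which a literal path comparison would miss. Rule 2 ties the registry write to the same pid that created the driver, so an unrelated installer setting an ImagePath does not fire it.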
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\sainbox.exe
  Filesize: 1.3MB
  MD5: 18cfb21212f6a3356d5685fdf2c43da8
  SHA1: ee69992996a79696f845370b0293fc11f9990c81
  SHA256: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506
  SHA512: 1042b8a3a42126f991d66de20175500d651e3b16922cdbcd7fc27af48225730ddec48d103f9097206690ae5fdc94342253ff30199eb7161699f84b41352dc9be
  (All four hashes match the submitted sample: the dropped sainbox.exe is a byte-for-byte copy of the original executable.)

memory/2008-0-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB

memory/2536-18-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB