Analysis

max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:45

Static task: static1
Behavioral task: behavioral1
Sample: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Resource: win7-20240221-en
General

Target: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Size: 1.3MB
MD5: 18cfb21212f6a3356d5685fdf2c43da8
SHA1: ee69992996a79696f845370b0293fc11f9990c81
SHA256: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506
SHA512: 1042b8a3a42126f991d66de20175500d651e3b16922cdbcd7fc27af48225730ddec48d103f9097206690ae5fdc94342253ff30199eb7161699f84b41352dc9be
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNY:QHPkVOBTK
Malware Config
Signatures
resource                                                                     yara_rule
behavioral2/memory/636-0-0x0000000010000000-0x000000001019F000-memory.dmp    purplefox_rootkit
behavioral2/memory/2756-10-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit
behavioral2/memory/4572-17-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit

Gh0st RAT payload (3 IoCs)

resource                                                                     yara_rule
behavioral2/memory/636-0-0x0000000010000000-0x000000001019F000-memory.dmp    family_gh0strat
behavioral2/memory/2756-10-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat
behavioral2/memory/4572-17-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat

Drops file in Drivers directory (1 IoCs)

description   ioc                                      Process
File created  C:\Windows\system32\drivers\QAssist.sys  sainbox.exe

Sets service image path in registry (2 TTPs, 1 IoCs)

description      ioc                                                                                                   Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  sainbox.exe

Executes dropped EXE (2 IoCs)

pid   Process
2756  sainbox.exe
4572  sainbox.exe

Drops file in System32 directory (2 IoCs)

description                   ioc                              Process
File created                  C:\Windows\SysWOW64\sainbox.exe  ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
File opened for modification  C:\Windows\SysWOW64\sainbox.exe  ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe

Modifies data under HKEY_USERS (3 IoCs)

description      ioc                                                                                                                 Process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   sainbox.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  sainbox.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix               sainbox.exe

Runs ping.exe (1 TTPs, 1 IoCs)

pid   Process
1380  PING.EXE

Suspicious behavior: LoadsDriver (1 IoCs)

pid   Process
4572  sainbox.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)

description                        pid   Process
Token: SeIncBasePriorityPrivilege  636   ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Token: SeLoadDriverPrivilege       4572  sainbox.exe
Token: 33                          4572  sainbox.exe
Token: SeIncBasePriorityPrivilege  4572  sainbox.exe
Token: 33                          4572  sainbox.exe
Token: SeIncBasePriorityPrivilege  4572  sainbox.exe

Suspicious use of WriteProcessMemory (9 IoCs)

description                       pid   Process                                                                   procid_target
PID 636 wrote to memory of 2336   636   ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe  92
PID 636 wrote to memory of 2336   636   ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe  92
PID 636 wrote to memory of 2336   636   ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe  92
PID 2756 wrote to memory of 4572  2756  sainbox.exe                                                               94
PID 2756 wrote to memory of 4572  2756  sainbox.exe                                                               94
PID 2756 wrote to memory of 4572  2756  sainbox.exe                                                               94
PID 2336 wrote to memory of 1380  2336  cmd.exe                                                                   95
PID 2336 wrote to memory of 1380  2336  cmd.exe                                                                   95
PID 2336 wrote to memory of 1380  2336  cmd.exe                                                                   95
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 636

    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\BA699E~1.EXE > nul
        - Suspicious use of WriteProcessMemory
        PID: 2336

        [depth 3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            - Runs ping.exe
            PID: 1380

[depth 1] C:\Windows\SysWOW64\sainbox.exe
    Command line: C:\Windows\SysWOW64\sainbox.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2756

    [depth 2] C:\Windows\SysWOW64\sainbox.exe
        Command line: C:\Windows\SysWOW64\sainbox.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
        PID: 4572

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
    PID: 2108
Network
MITRE ATT&CK Enterprise v15