Analysis

max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 16:45
Static task: static1
Behavioral task: behavioral1
Sample: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Resource: win7-20240221-en
General

Target: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Size: 1.3MB
MD5: 18cfb21212f6a3356d5685fdf2c43da8
SHA1: ee69992996a79696f845370b0293fc11f9990c81
SHA256: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506
SHA512: 1042b8a3a42126f991d66de20175500d651e3b16922cdbcd7fc27af48225730ddec48d103f9097206690ae5fdc94342253ff30199eb7161699f84b41352dc9be
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNY:QHPkVOBTK
Malware Config

Signatures

Processes:
resource | yara_rule
behavioral2/memory/636-0-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
behavioral2/memory/2756-10-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
behavioral2/memory/4572-17-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/636-0-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
behavioral2/memory/2756-10-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
behavioral2/memory/4572-17-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat

Drops file in Drivers directory 1 IoCs
Processes: sainbox.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | sainbox.exe

Sets service image path in registry 2 TTPs 1 IoCs
Processes: sainbox.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | sainbox.exe

Executes dropped EXE 2 IoCs
Processes: sainbox.exe, sainbox.exe
pid | process
2756 | sainbox.exe
4572 | sainbox.exe

Drops file in System32 directory 2 IoCs
Processes: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
description | ioc | process
File created | C:\Windows\SysWOW64\sainbox.exe | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
File opened for modification | C:\Windows\SysWOW64\sainbox.exe | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe

Modifies data under HKEY_USERS 3 IoCs
Processes: sainbox.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | sainbox.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | sainbox.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | sainbox.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: LoadsDriver 1 IoCs
Processes: sainbox.exe
pid | process
4572 | sainbox.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe, sainbox.exe
description | pid | process
Token: SeIncBasePriorityPrivilege | 636 | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
Token: SeLoadDriverPrivilege | 4572 | sainbox.exe
Token: 33 | 4572 | sainbox.exe
Token: SeIncBasePriorityPrivilege | 4572 | sainbox.exe
Token: 33 | 4572 | sainbox.exe
Token: SeIncBasePriorityPrivilege | 4572 | sainbox.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe, sainbox.exe, cmd.exe
description | pid | process | target process
PID 636 wrote to memory of 2336 | 636 | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe | cmd.exe
PID 636 wrote to memory of 2336 | 636 | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe | cmd.exe
PID 636 wrote to memory of 2336 | 636 | ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe | cmd.exe
PID 2756 wrote to memory of 4572 | 2756 | sainbox.exe | sainbox.exe
PID 2756 wrote to memory of 4572 | 2756 | sainbox.exe | sainbox.exe
PID 2756 wrote to memory of 4572 | 2756 | sainbox.exe | sainbox.exe
PID 2336 wrote to memory of 1380 | 2336 | cmd.exe | PING.EXE
PID 2336 wrote to memory of 1380 | 2336 | cmd.exe | PING.EXE
PID 2336 wrote to memory of 1380 | 2336 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\BA699E~1.EXE > nul
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe

C:\Windows\SysWOW64\sainbox.exe
  Command line: C:\Windows\SysWOW64\sainbox.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\sainbox.exe
    Command line: C:\Windows\SysWOW64\sainbox.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\SysWOW64\sainbox.exe
Filesize: 1.3MB
MD5: 18cfb21212f6a3356d5685fdf2c43da8
SHA1: ee69992996a79696f845370b0293fc11f9990c81
SHA256: ba699e77a856fe703bfdbccf0e354bc83620d70b230b9faf4476dad13615d506
SHA512: 1042b8a3a42126f991d66de20175500d651e3b16922cdbcd7fc27af48225730ddec48d103f9097206690ae5fdc94342253ff30199eb7161699f84b41352dc9be

memory/636-0-0x0000000010000000-0x000000001019F000-memory.dmp
Filesize: 1.6MB

memory/2756-10-0x0000000010000000-0x000000001019F000-memory.dmp
Filesize: 1.6MB

memory/4572-17-0x0000000010000000-0x000000001019F000-memory.dmp
Filesize: 1.6MB