Analysis

max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 20:43

Static task: static1
Behavioral task: behavioral1
Sample: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe
Resource: win7-20240221-en
General

Target: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe
Size: 1.3MB
MD5: 984da3b9dbf5dacd517542539b3e53a4
SHA1: 3d918a8a0217be25a7d971d0832b1434f19c5e19
SHA256: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3
SHA512: 7ece78535ae1fd444269f89887dd6db8a2555751033ec16153c5b925b6eb237cfc3f74bf7188c84e925b49e964edba5d35c42aac748452d2680ce99e1c5bab76
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNE:QHPkVOBTK
Malware Config
Signatures
Yara rule purplefox_rootkit (2 IoCs)
- behavioral2/memory/4000-0-0x0000000010000000-0x000000001019F000-memory.dmp matched yara rule purplefox_rootkit
- behavioral2/memory/1460-10-0x0000000010000000-0x000000001019F000-memory.dmp matched yara rule purplefox_rootkit

Gh0st RAT payload (2 IoCs)
- behavioral2/memory/4000-0-0x0000000010000000-0x000000001019F000-memory.dmp matched yara rule family_gh0strat
- behavioral2/memory/1460-10-0x0000000010000000-0x000000001019F000-memory.dmp matched yara rule family_gh0strat

Drops file in Drivers directory (1 IoC)
- File created: C:\Windows\system32\drivers\QAssist.sys (process: sainbox.exe)

Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (process: sainbox.exe)

Executes dropped EXE (2 IoCs)
- PID 1460: sainbox.exe
- PID 3844: sainbox.exe

Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\sainbox.exe (process: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe)
- File opened for modification: C:\Windows\SysWOW64\sainbox.exe (process: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe)

Modifies data under HKEY_USERS (3 IoCs)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (process: sainbox.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (process: sainbox.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (process: sainbox.exe)

Runs ping.exe (1 TTPs, 1 IoC)

Suspicious behavior: LoadsDriver (1 IoC)
- PID 3844: sainbox.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeIncBasePriorityPrivilege (PID 4000, 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe)
- Token: SeLoadDriverPrivilege (PID 3844, sainbox.exe)
- Token: 33 (PID 3844, sainbox.exe)
- Token: SeIncBasePriorityPrivilege (PID 3844, sainbox.exe)
- Token: 33 (PID 3844, sainbox.exe)
- Token: SeIncBasePriorityPrivilege (PID 3844, sainbox.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4000 wrote to memory of 1444 (00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe -> cmd.exe)
- PID 4000 wrote to memory of 1444 (00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe -> cmd.exe)
- PID 4000 wrote to memory of 1444 (00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe -> cmd.exe)
- PID 1460 wrote to memory of 3844 (sainbox.exe -> sainbox.exe)
- PID 1460 wrote to memory of 3844 (sainbox.exe -> sainbox.exe)
- PID 1460 wrote to memory of 3844 (sainbox.exe -> sainbox.exe)
- PID 1444 wrote to memory of 2060 (cmd.exe -> PING.EXE)
- PID 1444 wrote to memory of 2060 (cmd.exe -> PING.EXE)
- PID 1444 wrote to memory of 2060 (cmd.exe -> PING.EXE)
Processes

C:\Users\Admin\AppData\Local\Temp\00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe (PID 4000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1444)
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\00B573~1.EXE > nul
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\PING.EXE (PID 2060)
            Command line: ping -n 2 127.0.0.1
            - Runs ping.exe

C:\Windows\SysWOW64\sainbox.exe (PID 1460)
    Command line: C:\Windows\SysWOW64\sainbox.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\sainbox.exe (PID 3844)
        Command line: C:\Windows\SysWOW64\sainbox.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Modifies data under HKEY_USERS
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3424)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\SysWOW64\sainbox.exe
    Filesize: 1.3MB
    MD5: 984da3b9dbf5dacd517542539b3e53a4
    SHA1: 3d918a8a0217be25a7d971d0832b1434f19c5e19
    SHA256: 00b57329744649f570fd09c77ecf182dd8e550e31c6adc1db6c3284b285b15c3
    SHA512: 7ece78535ae1fd444269f89887dd6db8a2555751033ec16153c5b925b6eb237cfc3f74bf7188c84e925b49e964edba5d35c42aac748452d2680ce99e1c5bab76

memory/1460-10-0x0000000010000000-0x000000001019F000-memory.dmp
    Filesize: 1.6MB

memory/4000-0-0x0000000010000000-0x000000001019F000-memory.dmp
    Filesize: 1.6MB