Analysis

max time kernel: 145s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 09:29

Static task: static1
Behavioral task: behavioral1
Sample: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
Resource: win7-20240221-en
General

Target: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
Size: 1.3MB
MD5: 54ab09bc389b92bb8c1457744319b04a
SHA1: 684b749a7121e2253ec5900f1b8af3832864e19c
SHA256: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d
SHA512: eb8f5e9ce1e40a8d39da18b8414d68303072e5434b9cab98f271c750f67d672ff7df5ffb75e8e830da4931b5f7feb1ce5ea6a527fbe1602afd87162e72d7aad2
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNC:QHPkVOBTK
Malware Config

Signatures

YARA match: purplefox_rootkit
  Processes:
  resource | yara_rule
  behavioral1/memory/1924-0-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1924-0-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat

Drops file in Drivers directory (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\QAssist.sys | Wxypq.exe

Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Wxypq.exe

Deletes itself (1 IoCs)
  Processes:
  pid | process
  2960 | cmd.exe

Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2756 | Wxypq.exe
  2564 | Wxypq.exe

Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  2756 | Wxypq.exe

Drops file in System32 directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\Wxypq.exe | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  File opened for modification | C:\Windows\SysWOW64\Wxypq.exe | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
  pid | process
  2564 | Wxypq.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 1924 | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  Token: SeLoadDriverPrivilege | 2564 | Wxypq.exe
  Token: 33 | 2564 | Wxypq.exe
  Token: SeIncBasePriorityPrivilege | 2564 | Wxypq.exe
  Token: 33 | 2564 | Wxypq.exe
  Token: SeIncBasePriorityPrivilege | 2564 | Wxypq.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1924 wrote to memory of 2960 | 1924 | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe | cmd.exe
  PID 1924 wrote to memory of 2960 | 1924 | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe | cmd.exe
  PID 1924 wrote to memory of 2960 | 1924 | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe | cmd.exe
  PID 1924 wrote to memory of 2960 | 1924 | 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe | cmd.exe
  PID 2756 wrote to memory of 2564 | 2756 | Wxypq.exe | Wxypq.exe
  PID 2756 wrote to memory of 2564 | 2756 | Wxypq.exe | Wxypq.exe
  PID 2756 wrote to memory of 2564 | 2756 | Wxypq.exe | Wxypq.exe
  PID 2756 wrote to memory of 2564 | 2756 | Wxypq.exe | Wxypq.exe
  PID 2960 wrote to memory of 2540 | 2960 | cmd.exe | PING.EXE
  PID 2960 wrote to memory of 2540 | 2960 | cmd.exe | PING.EXE
  PID 2960 wrote to memory of 2540 | 2960 | cmd.exe | PING.EXE
  PID 2960 wrote to memory of 2540 | 2960 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe"
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\7FCB52~1.EXE > nul
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 2 127.0.0.1
         - Runs ping.exe

1. C:\Windows\SysWOW64\Wxypq.exe
   Command line: C:\Windows\SysWOW64\Wxypq.exe -auto
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\Wxypq.exe
      Command line: C:\Windows\SysWOW64\Wxypq.exe -acsi
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Windows\SysWOW64\Wxypq.exe
  Filesize: 1.3MB
  MD5: 54ab09bc389b92bb8c1457744319b04a
  SHA1: 684b749a7121e2253ec5900f1b8af3832864e19c
  SHA256: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d
  SHA512: eb8f5e9ce1e40a8d39da18b8414d68303072e5434b9cab98f271c750f67d672ff7df5ffb75e8e830da4931b5f7feb1ce5ea6a527fbe1602afd87162e72d7aad2

memory/1924-0-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB