Analysis
  max time kernel: 142s
  max time network: 148s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19-06-2024 09:29
  Static task: static1
  Behavioral task: behavioral1
  Sample: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  Resource: win7-20240221-en
General
  Target: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  Size: 1.3MB
  MD5: 54ab09bc389b92bb8c1457744319b04a
  SHA1: 684b749a7121e2253ec5900f1b8af3832864e19c
  SHA256: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d
  SHA512: eb8f5e9ce1e40a8d39da18b8414d68303072e5434b9cab98f271c750f67d672ff7df5ffb75e8e830da4931b5f7feb1ce5ea6a527fbe1602afd87162e72d7aad2
  SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNC:QHPkVOBTK
Malware Config
Signatures
YARA rule purplefox_rootkit matched in memory
  resource                                                                    yara_rule
  behavioral2/memory/3664-1-0x0000000010000000-0x000000001019F000-memory.dmp   purplefox_rootkit
  behavioral2/memory/2868-10-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit
Gh0st RAT payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/3664-1-0x0000000010000000-0x000000001019F000-memory.dmp   family_gh0strat
  behavioral2/memory/2868-10-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat
Drops file in Drivers directory (1 IoC)
  description   ioc                                        process
  File created  C:\Windows\system32\drivers\QAssist.sys    Wxypq.exe
Sets service image path in registry (2 TTPs, 1 IoC)
  description      ioc                                                                                                    process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Wxypq.exe
Executes dropped EXE (2 IoCs)
  pid   process
  2868  Wxypq.exe
  1392  Wxypq.exe
Drops file in System32 directory (2 IoCs)
  description                   ioc                             process
  File created                  C:\Windows\SysWOW64\Wxypq.exe   7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  File opened for modification  C:\Windows\SysWOW64\Wxypq.exe   7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: LoadsDriver (1 IoC)
  pid   process
  1392  Wxypq.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                          pid   process
  Token: SeIncBasePriorityPrivilege    3664  7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
  Token: SeLoadDriverPrivilege         1392  Wxypq.exe
  Token: 33                            1392  Wxypq.exe
  Token: SeIncBasePriorityPrivilege    1392  Wxypq.exe
  Token: 33                            1392  Wxypq.exe
  Token: SeIncBasePriorityPrivilege    1392  Wxypq.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                                                                 target process
  PID 3664 wrote to memory of 3600  3664  7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe   cmd.exe
  PID 3664 wrote to memory of 3600  3664  7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe   cmd.exe
  PID 3664 wrote to memory of 3600  3664  7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe   cmd.exe
  PID 2868 wrote to memory of 1392  2868  Wxypq.exe                                                               Wxypq.exe
  PID 2868 wrote to memory of 1392  2868  Wxypq.exe                                                               Wxypq.exe
  PID 2868 wrote to memory of 1392  2868  Wxypq.exe                                                               Wxypq.exe
  PID 3600 wrote to memory of 1128  3600  cmd.exe                                                                 PING.EXE
  PID 3600 wrote to memory of 1128  3600  cmd.exe                                                                 PING.EXE
  PID 3600 wrote to memory of 1128  3600  cmd.exe                                                                 PING.EXE
Processes
(process tree; the number in brackets is the nesting level reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\7FCB52~1.EXE > nul
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 2 127.0.0.1
            - Runs ping.exe

[1] C:\Windows\SysWOW64\Wxypq.exe
    command line: C:\Windows\SysWOW64\Wxypq.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\Wxypq.exe
        command line: C:\Windows\SysWOW64\Wxypq.exe -acsi
        - Drops file in Drivers directory
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Windows\SysWOW64\Wxypq.exe
    Filesize: 1.3MB
    MD5: 54ab09bc389b92bb8c1457744319b04a
    SHA1: 684b749a7121e2253ec5900f1b8af3832864e19c
    SHA256: 7fcb52d0f73b19fc95b1856728a6cafa62274c2c279fddeefeed4db3b9d3dc3d
    SHA512: eb8f5e9ce1e40a8d39da18b8414d68303072e5434b9cab98f271c750f67d672ff7df5ffb75e8e830da4931b5f7feb1ce5ea6a527fbe1602afd87162e72d7aad2
  memory/2868-10-0x0000000010000000-0x000000001019F000-memory.dmp
    Filesize: 1.6MB
  memory/3664-1-0x0000000010000000-0x000000001019F000-memory.dmp
    Filesize: 1.6MB