Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 09:29
Static task: static1
Behavioral task: behavioral1
Sample: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
Resource: win7-20240611-en
General
Target: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
Size: 1.3MB
MD5: 7e9e16b05b5aeb2b5575163d46adf167
SHA1: 266129dfd4a179bb23333a9440fd90b5df86cf89
SHA256: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c
SHA512: 3a0317c27de9ed9e4943962a1e90d1fb86f3387319a673fe29ce8d8e8d41198154633760920b691f293ced1e599c54b803366e1608a2a839f37347272460c09d
SSDEEP: 24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNo:QHPkVOBTK
Malware Config
Signatures
-
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/64-1-0x0000000010000000-0x000000001019F000-memory.dmp    purplefox_rootkit
  behavioral2/memory/768-10-0x0000000010000000-0x000000001019F000-memory.dmp  purplefox_rootkit
  behavioral2/memory/2752-18-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit
Gh0st RAT payload 3 IoCs
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/64-1-0x0000000010000000-0x000000001019F000-memory.dmp    family_gh0strat
  behavioral2/memory/768-10-0x0000000010000000-0x000000001019F000-memory.dmp  family_gh0strat
  behavioral2/memory/2752-18-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
  process: Wxypq.exe
  description   ioc                                       process
  File created  C:\Windows\system32\drivers\QAssist.sys   Wxypq.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
  process: Wxypq.exe
  description      ioc                                                                                                     process
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  Wxypq.exe
Executes dropped EXE 2 IoCs
Processes:
  process: Wxypq.exe, Wxypq.exe
  pid   process
  768   Wxypq.exe
  2752  Wxypq.exe
Drops file in System32 directory 2 IoCs
Processes:
  process: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
  description                   ioc                              process
  File created                  C:\Windows\SysWOW64\Wxypq.exe    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
  File opened for modification  C:\Windows\SysWOW64\Wxypq.exe    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  process: Wxypq.exe
  pid   process
  2752  Wxypq.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  process: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe, Wxypq.exe
  description                         pid   process
  Token: SeIncBasePriorityPrivilege   64    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
  Token: SeLoadDriverPrivilege        2752  Wxypq.exe
  Token: 33                           2752  Wxypq.exe
  Token: SeIncBasePriorityPrivilege   2752  Wxypq.exe
  Token: 33                           2752  Wxypq.exe
  Token: SeIncBasePriorityPrivilege   2752  Wxypq.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  process: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe, Wxypq.exe, cmd.exe
  description                         pid   process                                                                 target process
  PID 64 wrote to memory of 1192      64    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe   cmd.exe
  PID 64 wrote to memory of 1192      64    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe   cmd.exe
  PID 64 wrote to memory of 1192      64    5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe   cmd.exe
  PID 768 wrote to memory of 2752     768   Wxypq.exe                                                               Wxypq.exe
  PID 768 wrote to memory of 2752     768   Wxypq.exe                                                               Wxypq.exe
  PID 768 wrote to memory of 2752     768   Wxypq.exe                                                               Wxypq.exe
  PID 1192 wrote to memory of 4524    1192  cmd.exe                                                                 PING.EXE
  PID 1192 wrote to memory of 4524    1192  cmd.exe                                                                 PING.EXE
  PID 1192 wrote to memory of 4524    1192  cmd.exe                                                                 PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\5CFCD9~1.EXE > nul
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 2 127.0.0.1
      - Runs ping.exe

C:\Windows\SysWOW64\Wxypq.exe
  command line: C:\Windows\SysWOW64\Wxypq.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\Wxypq.exe
    command line: C:\Windows\SysWOW64\Wxypq.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\SysWOW64\Wxypq.exe
  Filesize: 1.3MB
  MD5: 7e9e16b05b5aeb2b5575163d46adf167
  SHA1: 266129dfd4a179bb23333a9440fd90b5df86cf89
  SHA256: 5cfcd9198cb275fc9b059b8b68ca3e5f2b41d72556a188bedf458d6c20d2a52c
  SHA512: 3a0317c27de9ed9e4943962a1e90d1fb86f3387319a673fe29ce8d8e8d41198154633760920b691f293ced1e599c54b803366e1608a2a839f37347272460c09d

memory/64-1-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB

memory/768-10-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB

memory/2752-18-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB