Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-06-2024 15:36

Behavioral task: behavioral1
- Sample: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
- Resource: win7-20231129-en
General
- Target: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
- Size: 539KB
- MD5: bd50ba38259a5c7a2a376ea20c16d895
- SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
- SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
- SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
- SSDEEP: 12288:whymnwJFPNdgBAEHApqePJN1AmLM7uVq9sSYN:wUmwrl2Ao7sJNlM7ymsSYN
Malware Config

Signatures
- Processes:
  resource | yara_rule
  behavioral2/memory/4404-2-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4404-16-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit
  behavioral2/memory/3532-18-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
  behavioral2/memory/3532-35-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload 4 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/4404-2-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
  behavioral2/memory/4404-16-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat
  behavioral2/memory/3532-18-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
  behavioral2/memory/3532-35-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat
- Drops file in Drivers directory 1 IoCs
  Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\QAssist.sys | Phija.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Phija.exe
- Checks computer location settings 2 TTPs 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  3532 | Phija.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/4404-0-0x0000000000400000-0x0000000000547000-memory.dmp | upx
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe | upx
  behavioral2/memory/4404-16-0x0000000000400000-0x0000000000547000-memory.dmp | upx
  behavioral2/memory/3532-17-0x0000000000400000-0x0000000000547000-memory.dmp | upx
  behavioral2/memory/3532-35-0x0000000000400000-0x0000000000547000-memory.dmp | upx
- Enumerates connected drives 3 TTPs 22 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\I: \??\R: \??\S: \??\T: \??\K: \??\L: \??\M: \??\P: \??\Q: \??\V: \??\W: \??\Y: \??\N: \??\O: \??\U: \??\B: \??\E: \??\G: \??\H: \??\J: \??\X: \??\Z: (22 drive roots, one event each) | Phija.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Phija.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Phija.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid | process
  3532 | Phija.exe (64 identical events)
- Suspicious behavior: LoadsDriver 1 IoCs
  Processes:
  pid | process
  3532 | Phija.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes:
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 4404 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
  Token: SeLoadDriverPrivilege | 3532 | Phija.exe
  Token: 33 | 3532 | Phija.exe
  Token: SeIncBasePriorityPrivilege | 3532 | Phija.exe
  Token: 33 | 3532 | Phija.exe
  Token: SeIncBasePriorityPrivilege | 3532 | Phija.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 4404 wrote to memory of 3532 | 4404 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | Phija.exe (3 events)
  PID 4404 wrote to memory of 4952 | 4404 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | cmd.exe (3 events)
  PID 4952 wrote to memory of 868 | 4952 | cmd.exe | PING.EXE (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe (level 2)
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\37D67~1.EXE > nul
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe
  Filesize: 539KB
  MD5: bd50ba38259a5c7a2a376ea20c16d895
  SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
  SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
  SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
- memory/3532-17-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB
- memory/3532-18-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/3532-35-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB
- memory/4404-0-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB
- memory/4404-2-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/4404-16-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB