Analysis
- max time kernel: 140s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 20-06-2024 03:59
Behavioral task: behavioral1
- Sample: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
- Resource: win7-20240220-en
General
- Target: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
- Size: 539KB
- MD5: bd50ba38259a5c7a2a376ea20c16d895
- SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
- SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
- SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
- SSDEEP: 12288:whymnwJFPNdgBAEHApqePJN1AmLM7uVq9sSYN:wUmwrl2Ao7sJNlM7ymsSYN
Malware Config
Signatures
-
  Processes:
    resource | yara_rule
    behavioral1/memory/2100-1-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit
    behavioral1/memory/2100-21-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit
    behavioral1/memory/3044-20-0x0000000000400000-0x0000000000547000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral1/memory/2100-1-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat
    behavioral1/memory/2100-21-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat
    behavioral1/memory/3044-20-0x0000000000400000-0x0000000000547000-memory.dmp | family_gh0strat
- Drops file in Drivers directory (1 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Windows\system32\drivers\QAssist.sys | Phija.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Phija.exe
- Deletes itself (1 IoCs)
  Processes:
    pid | process
    2524 | cmd.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    3044 | Phija.exe
- Loads dropped DLL (1 IoCs)
  Processes:
    pid | process
    2100 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
-
  Processes:
    resource | yara_rule
    behavioral1/memory/2100-0-0x0000000000400000-0x0000000000547000-memory.dmp | upx
    \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | upx
    behavioral1/memory/2100-21-0x0000000000400000-0x0000000000547000-memory.dmp | upx
    behavioral1/memory/3044-20-0x0000000000400000-0x0000000000547000-memory.dmp | upx
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\R: | Phija.exe
    File opened (read-only) | \??\M: | Phija.exe
    File opened (read-only) | \??\Q: | Phija.exe
    File opened (read-only) | \??\S: | Phija.exe
    File opened (read-only) | \??\V: | Phija.exe
    File opened (read-only) | \??\Z: | Phija.exe
    File opened (read-only) | \??\B: | Phija.exe
    File opened (read-only) | \??\G: | Phija.exe
    File opened (read-only) | \??\H: | Phija.exe
    File opened (read-only) | \??\T: | Phija.exe
    File opened (read-only) | \??\E: | Phija.exe
    File opened (read-only) | \??\K: | Phija.exe
    File opened (read-only) | \??\N: | Phija.exe
    File opened (read-only) | \??\O: | Phija.exe
    File opened (read-only) | \??\P: | Phija.exe
    File opened (read-only) | \??\U: | Phija.exe
    File opened (read-only) | \??\W: | Phija.exe
    File opened (read-only) | \??\X: | Phija.exe
    File opened (read-only) | \??\I: | Phija.exe
    File opened (read-only) | \??\J: | Phija.exe
    File opened (read-only) | \??\L: | Phija.exe
    File opened (read-only) | \??\Y: | Phija.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Phija.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Phija.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (33 IoCs)
  Processes:
    pid | process
    3044 | Phija.exe (33 identical entries)
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
    pid | process
    3044 | Phija.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
    description | pid | process
    Token: SeIncBasePriorityPrivilege | 2100 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
    Token: SeLoadDriverPrivilege | 3044 | Phija.exe
    Token: 33 | 3044 | Phija.exe
    Token: SeIncBasePriorityPrivilege | 3044 | Phija.exe
    Token: 33 | 3044 | Phija.exe
    Token: SeIncBasePriorityPrivilege | 3044 | Phija.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description | pid | process | target process
    PID 2100 wrote to memory of 3044 | 2100 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | Phija.exe (4 identical entries)
    PID 2100 wrote to memory of 2524 | 2100 | 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | cmd.exe (4 identical entries)
    PID 2524 wrote to memory of 2692 | 2524 | cmd.exe | PING.EXE (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\37D67A~1.EXE > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe
  Filesize: 539KB
  MD5: bd50ba38259a5c7a2a376ea20c16d895
  SHA1: a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
  SHA256: 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
  SHA512: 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66
- memory/2100-0-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB
- memory/2100-1-0x0000000010000000-0x000000001019F000-memory.dmp
  Filesize: 1.6MB
- memory/2100-21-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB
- memory/3044-20-0x0000000000400000-0x0000000000547000-memory.dmp
  Filesize: 1.3MB