Analysis
-
max time kernel
114s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-08-2024 09:18
Static task
static1
Behavioral task
behavioral1
Sample
4b4f9ac983ed8c2ed1465a509afc6640N.exe
Resource
win7-20240705-en
windows7-x64
9 signatures
120 seconds
General
-
Target
4b4f9ac983ed8c2ed1465a509afc6640N.exe
-
Size
4.9MB
-
MD5
4b4f9ac983ed8c2ed1465a509afc6640
-
SHA1
ba2ccbe44041f609228068df517c2595d8253dd7
-
SHA256
47eb498f152469d55f7406584dd2a364a6710f3ae242f94b9c7455a90656bdf7
-
SHA512
b5faca18f2c1cc6f6db41a17d0b11278526aa12977a81df8b7d68d84b40c60aff6158ba946eb999ecf1a16aeef7ca71fdae01e493b404211e06e0cc5b48c042e
-
SSDEEP
98304:11sOWFJbtSMX3xKvclWSV7SxyqxrULsclWSV7SxyqxrP:11sOGJbFQveafeaP
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/116-0-0x0000000010000000-0x0000000010199000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/116-0-0x0000000010000000-0x0000000010199000-memory.dmp family_gh0strat -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\T: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\Q: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\V: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\Z: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\G: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\H: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\J: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\L: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\M: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\W: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\Y: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\K: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\N: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\P: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\R: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\S: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\B: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\E: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\I: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\U: 4b4f9ac983ed8c2ed1465a509afc6640N.exe File opened (read-only) \??\X: 4b4f9ac983ed8c2ed1465a509afc6640N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4b4f9ac983ed8c2ed1465a509afc6640N.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 4b4f9ac983ed8c2ed1465a509afc6640N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 4b4f9ac983ed8c2ed1465a509afc6640N.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe 116 4b4f9ac983ed8c2ed1465a509afc6640N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b4f9ac983ed8c2ed1465a509afc6640N.exe"C:\Users\Admin\AppData\Local\Temp\4b4f9ac983ed8c2ed1465a509afc6640N.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4392,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=1016 /prefetch:81⤵PID:3576