Analysis
-
max time kernel
133s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30-08-2024 08:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe
Resource
win7-20240708-en
windows7-x64
20 signatures
150 seconds
General
-
Target
bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe
-
Size
1.4MB
-
MD5
17d6005210c6f1aa227ad335c1f9bc5a
-
SHA1
6bcf515221fa800399f2128be4f539ba99dcedf4
-
SHA256
bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758
-
SHA512
a4449c841a1fb0b3761afb68a8f55a8554bd55dc4607afe19ad8746704353936964be3c62453a26529035bccd76b0b216d4134a8d2026676eb619b02ac3566d4
-
SSDEEP
24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1776-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2028-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3132-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/1776-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2028-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3132-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Stlmn.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Stlmn.exe -
Executes dropped EXE 2 IoCs
pid Process 2028 Stlmn.exe 3132 Stlmn.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: Stlmn.exe File opened (read-only) \??\B: Stlmn.exe File opened (read-only) \??\G: Stlmn.exe File opened (read-only) \??\N: Stlmn.exe File opened (read-only) \??\Q: Stlmn.exe File opened (read-only) \??\R: Stlmn.exe File opened (read-only) \??\T: Stlmn.exe File opened (read-only) \??\X: Stlmn.exe File opened (read-only) \??\I: Stlmn.exe File opened (read-only) \??\K: Stlmn.exe File opened (read-only) \??\M: Stlmn.exe File opened (read-only) \??\O: Stlmn.exe File opened (read-only) \??\H: Stlmn.exe File opened (read-only) \??\J: Stlmn.exe File opened (read-only) \??\L: Stlmn.exe File opened (read-only) \??\S: Stlmn.exe File opened (read-only) \??\V: Stlmn.exe File opened (read-only) \??\Y: Stlmn.exe File opened (read-only) \??\E: Stlmn.exe File opened (read-only) \??\P: Stlmn.exe File opened (read-only) \??\U: Stlmn.exe File opened (read-only) \??\W: Stlmn.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Stlmn.exe bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe File opened for modification C:\Windows\SysWOW64\Stlmn.exe bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Stlmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Stlmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3748 cmd.exe 4296 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Stlmn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Stlmn.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Stlmn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Stlmn.exe Key created \REGISTRY\USER\.DEFAULT\Software Stlmn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Stlmn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Stlmn.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4296 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe 3132 Stlmn.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3132 Stlmn.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1776 bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe Token: SeLoadDriverPrivilege 3132 Stlmn.exe Token: 33 3132 Stlmn.exe Token: SeIncBasePriorityPrivilege 3132 Stlmn.exe Token: 33 3132 Stlmn.exe Token: SeIncBasePriorityPrivilege 3132 Stlmn.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1776 wrote to memory of 3748 1776 bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe 85 PID 1776 wrote to memory of 3748 1776 bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe 85 PID 1776 wrote to memory of 3748 1776 bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe 85 PID 2028 wrote to memory of 3132 2028 Stlmn.exe 86 PID 2028 wrote to memory of 3132 2028 Stlmn.exe 86 PID 2028 wrote to memory of 3132 2028 Stlmn.exe 86 PID 3748 wrote to memory of 4296 3748 cmd.exe 88 PID 3748 wrote to memory of 4296 3748 cmd.exe 88 PID 3748 wrote to memory of 4296 3748 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe"C:\Users\Admin\AppData\Local\Temp\bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\BBA6A9~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4296
-
-
-
C:\Windows\SysWOW64\Stlmn.exeC:\Windows\SysWOW64\Stlmn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Stlmn.exeC:\Windows\SysWOW64\Stlmn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3132
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD517d6005210c6f1aa227ad335c1f9bc5a
SHA16bcf515221fa800399f2128be4f539ba99dcedf4
SHA256bba6a9f67d0f2acaf56fe23f57fb25fc69b5e5c60c055c270ebe37132b2c0758
SHA512a4449c841a1fb0b3761afb68a8f55a8554bd55dc4607afe19ad8746704353936964be3c62453a26529035bccd76b0b216d4134a8d2026676eb619b02ac3566d4