Analysis
-
max time kernel
95s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
14-09-2024 04:17
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
该女子返程被一名戴口罩男子尾随视频流出.exe
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
General
-
Target
该女子返程被一名戴口罩男子尾随视频流出.exe
-
Size
2.6MB
-
MD5
624f003dac0831d062d75c5fcd83cf0b
-
SHA1
40019566841bd1c70eeaafddd50319267bdd31dd
-
SHA256
d12aa8d3f49c9e7cff372b8111bf7dcea27be046b2c7328098a5159fb97d840d
-
SHA512
0081a9ba52dab04c5c31482d752033d30d11cab1307ccf1d40410d67521b6fb910e0fca06a443935494d1ee99335a95c3c2f7939ea278b29d18c17cdce918ad6
-
SSDEEP
49152:t1vqjdPQwZwViOoOMV+ZsZlRt8DVbP1xgp0FnKyZCbmGpVTT3:t1vqjlALilRu7vg6vW3
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/740-8-0x0000000010000000-0x0000000010199000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/740-8-0x0000000010000000-0x0000000010199000-memory.dmp family_gh0strat -
Executes dropped EXE 1 IoCs
pid Process 740 xiaoqip.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: xiaoqip.exe File opened (read-only) \??\N: xiaoqip.exe File opened (read-only) \??\O: xiaoqip.exe File opened (read-only) \??\P: xiaoqip.exe File opened (read-only) \??\S: xiaoqip.exe File opened (read-only) \??\E: xiaoqip.exe File opened (read-only) \??\J: xiaoqip.exe File opened (read-only) \??\Q: xiaoqip.exe File opened (read-only) \??\V: xiaoqip.exe File opened (read-only) \??\W: xiaoqip.exe File opened (read-only) \??\G: xiaoqip.exe File opened (read-only) \??\I: xiaoqip.exe File opened (read-only) \??\K: xiaoqip.exe File opened (read-only) \??\U: xiaoqip.exe File opened (read-only) \??\Y: xiaoqip.exe File opened (read-only) \??\Z: xiaoqip.exe File opened (read-only) \??\H: xiaoqip.exe File opened (read-only) \??\L: xiaoqip.exe File opened (read-only) \??\M: xiaoqip.exe File opened (read-only) \??\R: xiaoqip.exe File opened (read-only) \??\T: xiaoqip.exe File opened (read-only) \??\X: xiaoqip.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\xq\xiaoqip.exe 该女子返程被一名戴口罩男子尾随视频流出.exe File opened for modification C:\Windows\SysWOW64\xq\xiaoqip.exe 该女子返程被一名戴口罩男子尾随视频流出.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xiaoqip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 该女子返程被一名戴口罩男子尾随视频流出.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 xiaoqip.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz xiaoqip.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4892 该女子返程被一名戴口罩男子尾随视频流出.exe 4892 该女子返程被一名戴口罩男子尾随视频流出.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe 740 xiaoqip.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 740 xiaoqip.exe 740 xiaoqip.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4892 wrote to memory of 740 4892 该女子返程被一名戴口罩男子尾随视频流出.exe 85 PID 4892 wrote to memory of 740 4892 该女子返程被一名戴口罩男子尾随视频流出.exe 85 PID 4892 wrote to memory of 740 4892 该女子返程被一名戴口罩男子尾随视频流出.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\该女子返程被一名戴口罩男子尾随视频流出.exe"C:\Users\Admin\AppData\Local\Temp\该女子返程被一名戴口罩男子尾随视频流出.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\xq\xiaoqip.exe"C:\Windows\SysWOW64\xq\xiaoqip.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:740
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD5c64776dbebb5f079799a61980ed1f8a0
SHA18b8d62442484a046d74e31a05c105230b63f708d
SHA2561bc44bd8c21b1ca4668664984e9676ebfb7f7442c353091a893ef22a23979c94
SHA512cd5787a2b83bb6ba99353e79171b1b4da6ddeb5d3214cb5192b90b477e6704abe2f8cc212ecbbee605cf1034c42b83ff31b700a36563ed8d3a1c29b6c93af9d3