Analysis
-
max time kernel
120s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 10:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
150 seconds
General
-
Target
60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe
-
Size
1.4MB
-
MD5
4cb7bd6ccd252f5c48fa8fd1eec82b71
-
SHA1
89ea965e9af6cfbdf16fa6b31f9c5d13d7eef11c
-
SHA256
60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c
-
SHA512
4e09af7c042a9f41b6a3ee78c8730de7f879a44400c35496d6456b49a4c544268e7e9cc73ce024fa5f7d486c2105f67420863d502eefbeffdb5ba9982251b9bc
-
SSDEEP
24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1628-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral1/memory/1484-18-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/memory/1628-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral1/memory/1484-18-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Abcst.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Abcst.exe -
Deletes itself 1 IoCs
pid Process 1644 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2404 Abcst.exe 1484 Abcst.exe -
Loads dropped DLL 1 IoCs
pid Process 2404 Abcst.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: Abcst.exe File opened (read-only) \??\X: Abcst.exe File opened (read-only) \??\E: Abcst.exe File opened (read-only) \??\I: Abcst.exe File opened (read-only) \??\K: Abcst.exe File opened (read-only) \??\N: Abcst.exe File opened (read-only) \??\O: Abcst.exe File opened (read-only) \??\R: Abcst.exe File opened (read-only) \??\G: Abcst.exe File opened (read-only) \??\J: Abcst.exe File opened (read-only) \??\L: Abcst.exe File opened (read-only) \??\U: Abcst.exe File opened (read-only) \??\Y: Abcst.exe File opened (read-only) \??\H: Abcst.exe File opened (read-only) \??\P: Abcst.exe File opened (read-only) \??\V: Abcst.exe File opened (read-only) \??\W: Abcst.exe File opened (read-only) \??\B: Abcst.exe File opened (read-only) \??\M: Abcst.exe File opened (read-only) \??\Q: Abcst.exe File opened (read-only) \??\S: Abcst.exe File opened (read-only) \??\Z: Abcst.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Abcst.exe 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe File opened for modification C:\Windows\SysWOW64\Abcst.exe 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1644 cmd.exe 2084 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Abcst.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Abcst.exe -
Modifies data under HKEY_USERS 12 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Abcst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Abcst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum Abcst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Abcst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Abcst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Abcst.exe Key created \REGISTRY\USER\.DEFAULT\Software Abcst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" Abcst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Abcst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Abcst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Abcst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Abcst.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2084 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe 1484 Abcst.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1484 Abcst.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1628 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe Token: SeLoadDriverPrivilege 1484 Abcst.exe Token: 33 1484 Abcst.exe Token: SeIncBasePriorityPrivilege 1484 Abcst.exe Token: 33 1484 Abcst.exe Token: SeIncBasePriorityPrivilege 1484 Abcst.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1628 wrote to memory of 1644 1628 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe 31 PID 1628 wrote to memory of 1644 1628 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe 31 PID 1628 wrote to memory of 1644 1628 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe 31 PID 1628 wrote to memory of 1644 1628 60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe 31 PID 2404 wrote to memory of 1484 2404 Abcst.exe 33 PID 2404 wrote to memory of 1484 2404 Abcst.exe 33 PID 2404 wrote to memory of 1484 2404 Abcst.exe 33 PID 2404 wrote to memory of 1484 2404 Abcst.exe 33 PID 1644 wrote to memory of 2084 1644 cmd.exe 34 PID 1644 wrote to memory of 2084 1644 cmd.exe 34 PID 1644 wrote to memory of 2084 1644 cmd.exe 34 PID 1644 wrote to memory of 2084 1644 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe"C:\Users\Admin\AppData\Local\Temp\60e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\60E663~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2084
-
-
-
C:\Windows\SysWOW64\Abcst.exeC:\Windows\SysWOW64\Abcst.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Abcst.exeC:\Windows\SysWOW64\Abcst.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD54cb7bd6ccd252f5c48fa8fd1eec82b71
SHA189ea965e9af6cfbdf16fa6b31f9c5d13d7eef11c
SHA25660e6634fe10d96f5d3032503ea265f9d76766655ee68c120cdb0683a1d7aa50c
SHA5124e09af7c042a9f41b6a3ee78c8730de7f879a44400c35496d6456b49a4c544268e7e9cc73ce024fa5f7d486c2105f67420863d502eefbeffdb5ba9982251b9bc