Analysis
-
max time kernel
60s -
max time network
113s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 03:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe
Resource
win7-20240903-en
windows7-x64
20 signatures
120 seconds
General
-
Target
1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe
-
Size
8.1MB
-
MD5
7fd371de503143a86523366a981e0630
-
SHA1
f30e6a7c9098be558dca19a421fe31f532a82aa2
-
SHA256
1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2
-
SHA512
6211489f706194dd46bead683952ad82287ded5fa268f03fb0fd8af7032762adf7b44222426ad1ac7849e036801a34bce0812ae5af028332a2d9acac0ea92524
-
SSDEEP
196608:CePlm7/Czr2EKAaCQYcVdaV3YNVPK9oW7/A1Yc:CePlA/urnoC84V3O98/2Yc
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2292-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2292-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Phiya.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Phiya.exe -
Deletes itself 1 IoCs
pid Process 2128 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1892 Phiya.exe 2080 Phiya.exe -
Loads dropped DLL 1 IoCs
pid Process 1892 Phiya.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: Phiya.exe File opened (read-only) \??\S: Phiya.exe File opened (read-only) \??\T: Phiya.exe File opened (read-only) \??\X: Phiya.exe File opened (read-only) \??\Z: Phiya.exe File opened (read-only) \??\G: Phiya.exe File opened (read-only) \??\L: Phiya.exe File opened (read-only) \??\N: Phiya.exe File opened (read-only) \??\R: Phiya.exe File opened (read-only) \??\U: Phiya.exe File opened (read-only) \??\E: Phiya.exe File opened (read-only) \??\H: Phiya.exe File opened (read-only) \??\Q: Phiya.exe File opened (read-only) \??\K: Phiya.exe File opened (read-only) \??\M: Phiya.exe File opened (read-only) \??\O: Phiya.exe File opened (read-only) \??\V: Phiya.exe File opened (read-only) \??\W: Phiya.exe File opened (read-only) \??\Y: Phiya.exe File opened (read-only) \??\B: Phiya.exe File opened (read-only) \??\I: Phiya.exe File opened (read-only) \??\J: Phiya.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Phiya.exe 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe File opened for modification C:\Windows\SysWOW64\Phiya.exe 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phiya.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2264 PING.EXE 2128 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Phiya.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Phiya.exe -
Modifies data under HKEY_USERS 12 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum Phiya.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" Phiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Phiya.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Phiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Phiya.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Phiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Phiya.exe Key created \REGISTRY\USER\.DEFAULT\Software Phiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Phiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Phiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Phiya.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Phiya.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2264 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe 2080 Phiya.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2080 Phiya.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2292 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe Token: SeLoadDriverPrivilege 2080 Phiya.exe Token: 33 2080 Phiya.exe Token: SeIncBasePriorityPrivilege 2080 Phiya.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2292 wrote to memory of 2128 2292 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe 31 PID 2292 wrote to memory of 2128 2292 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe 31 PID 2292 wrote to memory of 2128 2292 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe 31 PID 2292 wrote to memory of 2128 2292 1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe 31 PID 1892 wrote to memory of 2080 1892 Phiya.exe 33 PID 1892 wrote to memory of 2080 1892 Phiya.exe 33 PID 1892 wrote to memory of 2080 1892 Phiya.exe 33 PID 1892 wrote to memory of 2080 1892 Phiya.exe 33 PID 2128 wrote to memory of 2264 2128 cmd.exe 34 PID 2128 wrote to memory of 2264 2128 cmd.exe 34 PID 2128 wrote to memory of 2264 2128 cmd.exe 34 PID 2128 wrote to memory of 2264 2128 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe"C:\Users\Admin\AppData\Local\Temp\1e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\1E950D~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2264
-
-
-
C:\Windows\SysWOW64\Phiya.exeC:\Windows\SysWOW64\Phiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Phiya.exeC:\Windows\SysWOW64\Phiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.1MB
MD57fd371de503143a86523366a981e0630
SHA1f30e6a7c9098be558dca19a421fe31f532a82aa2
SHA2561e950daa0944bbfa277b914086f331a4abce7045e83885ceefe9ba6d7184adb2
SHA5126211489f706194dd46bead683952ad82287ded5fa268f03fb0fd8af7032762adf7b44222426ad1ac7849e036801a34bce0812ae5af028332a2d9acac0ea92524