Analysis
-
max time kernel
120s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
65fe8e2dc05c8ae90caf91809c77bbc3.exe
Resource
win7-20240708-en
windows7-x64
20 signatures
150 seconds
General
-
Target
65fe8e2dc05c8ae90caf91809c77bbc3.exe
-
Size
1.5MB
-
MD5
65fe8e2dc05c8ae90caf91809c77bbc3
-
SHA1
317c19da97aa28e7459d4dce179730fa1b272d1a
-
SHA256
9740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
-
SHA512
893efe2b0148d28e2919d806976df452f22914223408f68c5c33917392ddaefba5f167dff19a2057062bf640ba00c4aaeb3e295e7c49a708808e769ae811a071
-
SSDEEP
24576:eYVLN+uGOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:BTT3HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1680-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1680-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Jbrja.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Jbrja.exe -
Deletes itself 1 IoCs
pid Process 2344 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1260 Jbrja.exe 2528 Jbrja.exe -
Loads dropped DLL 1 IoCs
pid Process 1260 Jbrja.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: Jbrja.exe File opened (read-only) \??\N: Jbrja.exe File opened (read-only) \??\O: Jbrja.exe File opened (read-only) \??\P: Jbrja.exe File opened (read-only) \??\S: Jbrja.exe File opened (read-only) \??\J: Jbrja.exe File opened (read-only) \??\H: Jbrja.exe File opened (read-only) \??\I: Jbrja.exe File opened (read-only) \??\L: Jbrja.exe File opened (read-only) \??\Q: Jbrja.exe File opened (read-only) \??\W: Jbrja.exe File opened (read-only) \??\Z: Jbrja.exe File opened (read-only) \??\E: Jbrja.exe File opened (read-only) \??\G: Jbrja.exe File opened (read-only) \??\M: Jbrja.exe File opened (read-only) \??\R: Jbrja.exe File opened (read-only) \??\T: Jbrja.exe File opened (read-only) \??\U: Jbrja.exe File opened (read-only) \??\B: Jbrja.exe File opened (read-only) \??\X: Jbrja.exe File opened (read-only) \??\Y: Jbrja.exe File opened (read-only) \??\V: Jbrja.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jbrja.exe 65fe8e2dc05c8ae90caf91809c77bbc3.exe File opened for modification C:\Windows\SysWOW64\Jbrja.exe 65fe8e2dc05c8ae90caf91809c77bbc3.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 65fe8e2dc05c8ae90caf91809c77bbc3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbrja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbrja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2344 cmd.exe 2740 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jbrja.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Jbrja.exe -
Modifies data under HKEY_USERS 12 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Jbrja.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" Jbrja.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Jbrja.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\Software Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum Jbrja.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Jbrja.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Jbrja.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2740 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe 2528 Jbrja.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2528 Jbrja.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1680 65fe8e2dc05c8ae90caf91809c77bbc3.exe Token: SeLoadDriverPrivilege 2528 Jbrja.exe Token: 33 2528 Jbrja.exe Token: SeIncBasePriorityPrivilege 2528 Jbrja.exe Token: 33 2528 Jbrja.exe Token: SeIncBasePriorityPrivilege 2528 Jbrja.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2344 1680 65fe8e2dc05c8ae90caf91809c77bbc3.exe 31 PID 1680 wrote to memory of 2344 1680 65fe8e2dc05c8ae90caf91809c77bbc3.exe 31 PID 1680 wrote to memory of 2344 1680 65fe8e2dc05c8ae90caf91809c77bbc3.exe 31 PID 1680 wrote to memory of 2344 1680 65fe8e2dc05c8ae90caf91809c77bbc3.exe 31 PID 1260 wrote to memory of 2528 1260 Jbrja.exe 33 PID 1260 wrote to memory of 2528 1260 Jbrja.exe 33 PID 1260 wrote to memory of 2528 1260 Jbrja.exe 33 PID 1260 wrote to memory of 2528 1260 Jbrja.exe 33 PID 2344 wrote to memory of 2740 2344 cmd.exe 34 PID 2344 wrote to memory of 2740 2344 cmd.exe 34 PID 2344 wrote to memory of 2740 2344 cmd.exe 34 PID 2344 wrote to memory of 2740 2344 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\65fe8e2dc05c8ae90caf91809c77bbc3.exe"C:\Users\Admin\AppData\Local\Temp\65fe8e2dc05c8ae90caf91809c77bbc3.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\65FE8E~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2740
-
-
-
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Jbrja.exeC:\Windows\SysWOW64\Jbrja.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2528
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD565fe8e2dc05c8ae90caf91809c77bbc3
SHA1317c19da97aa28e7459d4dce179730fa1b272d1a
SHA2569740fb71580a1e6809c694ebd1aa132e76d0dc985dbc0721ae6590f3bf5ed19b
SHA512893efe2b0148d28e2919d806976df452f22914223408f68c5c33917392ddaefba5f167dff19a2057062bf640ba00c4aaeb3e295e7c49a708808e769ae811a071