Analysis
-
max time kernel
93s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 11:30
Static task
static1
Behavioral task
behavioral1
Sample
55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe
Resource
win7-20240704-en
windows7-x64
9 signatures
150 seconds
General
-
Target
55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe
-
Size
1.5MB
-
MD5
e3039de219761cd74aa36f12f434fcd6
-
SHA1
4df01d6c2d55876d2aa18fc104bc2186325e2c58
-
SHA256
55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9
-
SHA512
44bfa7e8aa8d8eac5a865a38328fcd1941b88718c35acd94609eb5d9f6dec47873db1b3322c195b781d675f1831526dfdd71ac06bcee2bffaf98cc1ad808a3f1
-
SSDEEP
24576:MOeh7E7IJbtEJEHng8wGrQTLq73xaH7pbH2ApFIY6W2/z6bl:MOWFJbtSMXoTLq73xKXQ1/z6Z
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3180-0-0x0000000010000000-0x0000000010199000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/3180-0-0x0000000010000000-0x0000000010199000-memory.dmp family_gh0strat -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\K: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\L: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\M: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\P: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\S: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\G: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\H: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\Y: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\U: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\X: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\N: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\R: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\Q: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\V: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\W: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\Z: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\E: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\O: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\T: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\B: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe File opened (read-only) \??\J: 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3180 55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe"C:\Users\Admin\AppData\Local\Temp\55cb035ca1cd54370ee634cf92fbf9b762baefff9e68de0936f744e3ffa494f9.exe"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3180