Analysis
-
max time kernel
140s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2024 08:16
Behavioral task
behavioral1
Sample
a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe
Resource
win7-20241010-en
windows7-x64
21 signatures
150 seconds
General
-
Target
a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe
-
Size
611KB
-
MD5
4b70b4cd045acdee4c9959013036ee32
-
SHA1
6f5e5a679bc4ced024748085407f9bcfe7b660af
-
SHA256
a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d
-
SHA512
48653ce0a52694f57179c15d08cf1597d9a1ebaa27770ffaee7cffe895e00c7b8514363fc1ef561a57696bcf1a134fd2bc64f115a284c0ec90cb0af09ab4ed72
-
SSDEEP
12288:dFpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQB:dFmShDrngEUkDaiJfpSaoNRpMCe8CM82
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3000-2-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/1148-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3000-18-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit behavioral2/memory/1148-22-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit behavioral2/memory/4680-23-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/4680-39-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 6 IoCs
resource yara_rule behavioral2/memory/3000-2-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/1148-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3000-18-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat behavioral2/memory/1148-22-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat behavioral2/memory/4680-23-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/4680-39-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Vnfvn.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Vnfvn.exe -
Executes dropped EXE 2 IoCs
pid Process 1148 Vnfvn.exe 4680 Vnfvn.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: Vnfvn.exe File opened (read-only) \??\L: Vnfvn.exe File opened (read-only) \??\Z: Vnfvn.exe File opened (read-only) \??\S: Vnfvn.exe File opened (read-only) \??\E: Vnfvn.exe File opened (read-only) \??\G: Vnfvn.exe File opened (read-only) \??\H: Vnfvn.exe File opened (read-only) \??\K: Vnfvn.exe File opened (read-only) \??\M: Vnfvn.exe File opened (read-only) \??\O: Vnfvn.exe File opened (read-only) \??\P: Vnfvn.exe File opened (read-only) \??\U: Vnfvn.exe File opened (read-only) \??\I: Vnfvn.exe File opened (read-only) \??\J: Vnfvn.exe File opened (read-only) \??\V: Vnfvn.exe File opened (read-only) \??\W: Vnfvn.exe File opened (read-only) \??\X: Vnfvn.exe File opened (read-only) \??\N: Vnfvn.exe File opened (read-only) \??\Q: Vnfvn.exe File opened (read-only) \??\R: Vnfvn.exe File opened (read-only) \??\T: Vnfvn.exe File opened (read-only) \??\Y: Vnfvn.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Vnfvn.exe a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe File created C:\Windows\SysWOW64\Vnfvn.exe a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe -
resource yara_rule behavioral2/memory/3000-0-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/files/0x000c000000023b26-9.dat upx behavioral2/memory/3000-18-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/memory/4680-20-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/memory/1148-22-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/memory/4680-39-0x0000000000400000-0x0000000000585000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vnfvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vnfvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1656 cmd.exe 3812 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Vnfvn.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Vnfvn.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Vnfvn.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software Vnfvn.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Vnfvn.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3812 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe 4680 Vnfvn.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4680 Vnfvn.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3000 a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe Token: SeLoadDriverPrivilege 4680 Vnfvn.exe Token: 33 4680 Vnfvn.exe Token: SeIncBasePriorityPrivilege 4680 Vnfvn.exe Token: 33 4680 Vnfvn.exe Token: SeIncBasePriorityPrivilege 4680 Vnfvn.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3000 wrote to memory of 1656 3000 a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe 87 PID 3000 wrote to memory of 1656 3000 a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe 87 PID 3000 wrote to memory of 1656 3000 a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe 87 PID 1148 wrote to memory of 4680 1148 Vnfvn.exe 88 PID 1148 wrote to memory of 4680 1148 Vnfvn.exe 88 PID 1148 wrote to memory of 4680 1148 Vnfvn.exe 88 PID 1656 wrote to memory of 3812 1656 cmd.exe 90 PID 1656 wrote to memory of 3812 1656 cmd.exe 90 PID 1656 wrote to memory of 3812 1656 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe"C:\Users\Admin\AppData\Local\Temp\a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\A4BAE2~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3812
-
-
-
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Vnfvn.exeC:\Windows\SysWOW64\Vnfvn.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
611KB
MD54b70b4cd045acdee4c9959013036ee32
SHA16f5e5a679bc4ced024748085407f9bcfe7b660af
SHA256a4bae239a0bf4e869961e1a97e311ab37909cdf0f71bbfebc9d7887eb636d75d
SHA51248653ce0a52694f57179c15d08cf1597d9a1ebaa27770ffaee7cffe895e00c7b8514363fc1ef561a57696bcf1a134fd2bc64f115a284c0ec90cb0af09ab4ed72