Analysis
max time kernel: 140s
max time network: 157s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2024 15:17
Behavioral task: behavioral1
Sample: aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Resource: win7-20241010-en
General
Target: aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Size: 4.4MB
MD5: be678db8a1b0119b2c41c4e92149a9a2
SHA1: df43bc7dd57e1ea06f5048f1fc0dc6948141d3bd
SHA256: aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683
SHA512: 083f58031dced3423d89cfdf4eb21565308d47ae54452b2b0eeff0c721f2fd351d2782dcf087743a793011c65d7e259cc315dc78da4ad85eee6b1f292f5cd48a
SSDEEP: 98304:Po8WASAsclWSV7SxyqxrAsclWSV7Sxyqxr7:PoTDTeaTea7
Malware Config
Signatures
resource | yara_rule
behavioral1/memory/108-1-0x0000000010000000-0x0000000010199000-memory.dmp | purplefox_rootkit
behavioral1/memory/108-8-0x0000000000400000-0x0000000000584000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 2 IoCs
resource | yara_rule
behavioral1/memory/108-1-0x0000000010000000-0x0000000010199000-memory.dmp | family_gh0strat
behavioral1/memory/108-8-0x0000000000400000-0x0000000000584000-memory.dmp | family_gh0strat
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\R: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\S: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\H: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\L: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\N: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\P: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\Q: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\T: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\U: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\B: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\G: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\M: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\W: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\I: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\O: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\V: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\X: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\Y: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\Z: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\E: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\J: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
File opened (read-only) | \??\K: | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
resource | yara_rule
behavioral1/memory/108-0-0x0000000000400000-0x0000000000584000-memory.dmp | upx
behavioral1/memory/108-8-0x0000000000400000-0x0000000000584000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid | Process
108 | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe (34 identical entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
108 | aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
Processes
C:\Users\Admin\AppData\Local\Temp\aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aa98ff6a8ef5dfa52b6c2b45bc08b1ee2c4a64e14b9651ed8f068e3ae910c683.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 108