Analysis
-
max time kernel
145s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe
Resource
win7-20240903-en
General
-
Target
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe
-
Size
2.1MB
-
MD5
55a23539bc3282087a0379888b5e5346
-
SHA1
33472cc014d2cb8ec0f3906ac2163d3b56460b56
-
SHA256
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e
-
SHA512
77df53a83022029554c0ec96d50adf53438c32df3816b9594f6d8c751f30a4240fa9433d96b6d914f15295a68e2bf5d5ecfae8cd00f02764cc03f5a85c038b7d
-
SSDEEP
24576:FOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNxrWPoYnJGCNY1nJGCNYB+93dt:4HPkVOBTKxrWgCka+9Nt
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/4296-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2596-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/432-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4296-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2596-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/432-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
Processes:
Gwxyq.exedescription ioc Process File created C:\Windows\system32\drivers\QAssist.sys Gwxyq.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
Gwxyq.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Gwxyq.exe -
Executes dropped EXE 2 IoCs
Processes:
Gwxyq.exeGwxyq.exepid Process 2596 Gwxyq.exe 432 Gwxyq.exe -
Drops file in System32 directory 2 IoCs
Processes:
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exedescription ioc Process File created C:\Windows\SysWOW64\Gwxyq.exe e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe File opened for modification C:\Windows\SysWOW64\Gwxyq.exe e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exePING.EXEe773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exeGwxyq.exeGwxyq.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gwxyq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gwxyq.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 3404 cmd.exe 4792 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
Gwxyq.exepid Process 432 Gwxyq.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exeGwxyq.exedescription pid Process Token: SeIncBasePriorityPrivilege 4296 e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe Token: SeLoadDriverPrivilege 432 Gwxyq.exe Token: 33 432 Gwxyq.exe Token: SeIncBasePriorityPrivilege 432 Gwxyq.exe Token: 33 432 Gwxyq.exe Token: SeIncBasePriorityPrivilege 432 Gwxyq.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exeGwxyq.execmd.exedescription pid Process procid_target PID 4296 wrote to memory of 3404 4296 e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe 85 PID 4296 wrote to memory of 3404 4296 e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe 85 PID 4296 wrote to memory of 3404 4296 e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe 85 PID 2596 wrote to memory of 432 2596 Gwxyq.exe 86 PID 2596 wrote to memory of 432 2596 Gwxyq.exe 86 PID 2596 wrote to memory of 432 2596 Gwxyq.exe 86 PID 3404 wrote to memory of 4792 3404 cmd.exe 88 PID 3404 wrote to memory of 4792 3404 cmd.exe 88 PID 3404 wrote to memory of 4792 3404 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe"C:\Users\Admin\AppData\Local\Temp\e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\E77371~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4792
-
-
-
C:\Windows\SysWOW64\Gwxyq.exeC:\Windows\SysWOW64\Gwxyq.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Gwxyq.exeC:\Windows\SysWOW64\Gwxyq.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:432
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD555a23539bc3282087a0379888b5e5346
SHA133472cc014d2cb8ec0f3906ac2163d3b56460b56
SHA256e773718d1b0fceff0263cea1b8a55e6becaad95e9d407019c773d014ab6c783e
SHA51277df53a83022029554c0ec96d50adf53438c32df3816b9594f6d8c751f30a4240fa9433d96b6d914f15295a68e2bf5d5ecfae8cd00f02764cc03f5a85c038b7d