Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-11-2024 17:32
Static task
static1
Behavioral task
behavioral1
Sample
002654万润科技xlsx.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
002654万润科技xlsx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
300227ϴxlsx.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
300227ϴxlsx.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
300738·xlsx.exe
Resource
win7-20240903-en
General
-
Target
300738·xlsx.exe
-
Size
224KB
-
MD5
2bdffc0196fa8fe420d450c30d3e47f9
-
SHA1
6751e2f6afae3c6dee6ebe82630d19e19ac7b3af
-
SHA256
1497ef3f6249427ac349bf5178e21d9d63aacfab84327e97bfdc4149f775b9bb
-
SHA512
cee9ef8d61f67273cd4a787754d78bbe655afa6064f3dccd9b08283a293524df98c56d2efd9c647c14f3a8c35b21971c9d51b7ede12b2617d0afd3db2d75f2b4
-
SSDEEP
3072:NJJcpg42DhdTpmrestbnZqKFUdIAP6WokM7UbGVXTYJVJhhCVh3VoCoz7pHkQ:NQpgl1dTpgeoFYBLojUbGVOSVO7F
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral5/memory/2700-12-0x0000000010000000-0x00000000101A4000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral5/memory/2700-12-0x0000000010000000-0x00000000101A4000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
RuntimeBroker.exepid Process 2700 RuntimeBroker.exe -
Loads dropped DLL 2 IoCs
Processes:
300738·xlsx.exeRuntimeBroker.exepid Process 2536 300738·xlsx.exe 2700 RuntimeBroker.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RuntimeBroker.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Public\\Windows\\RuntimeBroker.exe" RuntimeBroker.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
RuntimeBroker.exedescription ioc Process File opened (read-only) \??\G: RuntimeBroker.exe File opened (read-only) \??\Q: RuntimeBroker.exe File opened (read-only) \??\Z: RuntimeBroker.exe File opened (read-only) \??\E: RuntimeBroker.exe File opened (read-only) \??\H: RuntimeBroker.exe File opened (read-only) \??\J: RuntimeBroker.exe File opened (read-only) \??\K: RuntimeBroker.exe File opened (read-only) \??\P: RuntimeBroker.exe File opened (read-only) \??\R: RuntimeBroker.exe File opened (read-only) \??\B: RuntimeBroker.exe File opened (read-only) \??\I: RuntimeBroker.exe File opened (read-only) \??\L: RuntimeBroker.exe File opened (read-only) \??\N: RuntimeBroker.exe File opened (read-only) \??\O: RuntimeBroker.exe File opened (read-only) \??\S: RuntimeBroker.exe File opened (read-only) \??\T: RuntimeBroker.exe File opened (read-only) \??\V: RuntimeBroker.exe File opened (read-only) \??\Y: RuntimeBroker.exe File opened (read-only) \??\M: RuntimeBroker.exe File opened (read-only) \??\U: RuntimeBroker.exe File opened (read-only) \??\W: RuntimeBroker.exe File opened (read-only) \??\X: RuntimeBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
RuntimeBroker.exe300738·xlsx.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RuntimeBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 300738·xlsx.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RuntimeBroker.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RuntimeBroker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RuntimeBroker.exe -
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
RuntimeBroker.exepid Process 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe 2700 RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
RuntimeBroker.exedescription pid Process Token: 33 2700 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2700 RuntimeBroker.exe Token: 33 2700 RuntimeBroker.exe Token: SeIncBasePriorityPrivilege 2700 RuntimeBroker.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
300738·xlsx.exepid Process 2536 300738·xlsx.exe 2536 300738·xlsx.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
300738·xlsx.exedescription pid Process procid_target PID 2536 wrote to memory of 2700 2536 300738·xlsx.exe 32 PID 2536 wrote to memory of 2700 2536 300738·xlsx.exe 32 PID 2536 wrote to memory of 2700 2536 300738·xlsx.exe 32 PID 2536 wrote to memory of 2700 2536 300738·xlsx.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\300738·xlsx.exe"C:\Users\Admin\AppData\Local\Temp\300738·xlsx.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Users\Public\Windows\RuntimeBroker.exe"C:\Users\Public\Windows\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.6MB
MD5e88fc0397333b68de30196ff07c2a704
SHA1d8ff5a6a136d68932d28c52fa36058808a7ac69c
SHA25606d4ea89ca038f6b476a04aa264ea12c3e92a0241161a56cbf2090b4fef2a30e
SHA512c613ef286c0742515e0af74c1092a2ba8e93495fe5e6947f9faa3441db3052448c453e23528edc20cae900b7b90c9934d6ed8ee5cb036b6a6eddd6000aa3d35d
-
Filesize
625KB
MD5dec397e36e9f5e8a47040adbbf04e20b
SHA1643f2b5b37723ebc493ba6993514a4b2d9171acb
SHA256534fd2d6da5c361831eb7fbfd1b203fbb80cd363d33f69abc4eafc384bafdc5e
SHA512b2cdd06c044ae8b4cf7ae5c32b65f2b03f733b93061b9076cf29103da53573460c7e5d53da72220055cdafb084c63019d4a134d562a06af81c1eaad30892845b