Analysis
-
max time kernel
120s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
06-11-2024 21:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe
Resource
win7-20240729-en
windows7-x64
22 signatures
150 seconds
General
-
Target
d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe
-
Size
1.4MB
-
MD5
1770cf18748c082408c26e24126c269c
-
SHA1
ebb03e48a34055833e261a5950d8f94b209930fe
-
SHA256
d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54
-
SHA512
756dc1f504219544b6e8105833c10e187f39c78d930d09675228bdb05826c888314a7ae4b968b153fbffbe2f1de09cfeba42c6bf547c3db9db0d088ad8e67d6f
-
SSDEEP
24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2308-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral1/memory/2848-18-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/memory/2308-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral1/memory/2848-18-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Deletes itself 1 IoCs
pid Process 2916 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2252 sainbox.exe 2848 sainbox.exe -
Loads dropped DLL 1 IoCs
pid Process 2252 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\J: sainbox.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2916 cmd.exe 3024 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Modifies data under HKEY_USERS 11 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie sainbox.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections sainbox.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings sainbox.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" sainbox.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3024 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe 2848 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2848 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2308 d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe Token: SeLoadDriverPrivilege 2848 sainbox.exe Token: 33 2848 sainbox.exe Token: SeIncBasePriorityPrivilege 2848 sainbox.exe Token: 33 2848 sainbox.exe Token: SeIncBasePriorityPrivilege 2848 sainbox.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2252 wrote to memory of 2848 2252 sainbox.exe 31 PID 2252 wrote to memory of 2848 2252 sainbox.exe 31 PID 2252 wrote to memory of 2848 2252 sainbox.exe 31 PID 2252 wrote to memory of 2848 2252 sainbox.exe 31 PID 2308 wrote to memory of 2916 2308 d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe 32 PID 2308 wrote to memory of 2916 2308 d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe 32 PID 2308 wrote to memory of 2916 2308 d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe 32 PID 2308 wrote to memory of 2916 2308 d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe 32 PID 2916 wrote to memory of 3024 2916 cmd.exe 34 PID 2916 wrote to memory of 3024 2916 cmd.exe 34 PID 2916 wrote to memory of 3024 2916 cmd.exe 34 PID 2916 wrote to memory of 3024 2916 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe"C:\Users\Admin\AppData\Local\Temp\d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\D67499~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3024
-
-
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD51770cf18748c082408c26e24126c269c
SHA1ebb03e48a34055833e261a5950d8f94b209930fe
SHA256d67499ddc7039ddd1e650bceb21fe743f598461bf665268fdf2663a585203b54
SHA512756dc1f504219544b6e8105833c10e187f39c78d930d09675228bdb05826c888314a7ae4b968b153fbffbe2f1de09cfeba42c6bf547c3db9db0d088ad8e67d6f