Analysis
-
max time kernel
140s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 00:07
Behavioral task
behavioral1
Sample
0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe
Resource
win7-20240903-en
windows7-x64
23 signatures
150 seconds
General
-
Target
0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe
-
Size
611KB
-
MD5
76089031299894cc05345fada7a1e5d3
-
SHA1
19e22c44c57cffcf0cd68a388de96c7db8bcfc51
-
SHA256
0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2
-
SHA512
e08a7220a01a961b54dd9e4677f38f36865af3e1091bf61e194e5d62036a4b20f73783a2be7f175563a945787b9df0faf3059eacbdba55a2f00a5e94dae0b7a2
-
SSDEEP
12288:6FpuzZSkcBNrl5mTEUkDaSdJfpSaoNRVBUyMCe8VMM80B7qrI3iK1XBwZQeZ:6FmShDrngEUkDaiJfpSaoNRpMCe8CM8R
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/452-1-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2732-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/452-18-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit behavioral2/memory/2732-21-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit behavioral2/memory/4588-39-0x0000000000400000-0x0000000000585000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 5 IoCs
resource yara_rule behavioral2/memory/452-1-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2732-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/452-18-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat behavioral2/memory/2732-21-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat behavioral2/memory/4588-39-0x0000000000400000-0x0000000000585000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Sbcja.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Sbcja.exe -
Executes dropped EXE 2 IoCs
pid Process 2732 Sbcja.exe 4588 Sbcja.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: Sbcja.exe File opened (read-only) \??\M: Sbcja.exe File opened (read-only) \??\R: Sbcja.exe File opened (read-only) \??\Z: Sbcja.exe File opened (read-only) \??\B: Sbcja.exe File opened (read-only) \??\G: Sbcja.exe File opened (read-only) \??\J: Sbcja.exe File opened (read-only) \??\N: Sbcja.exe File opened (read-only) \??\Q: Sbcja.exe File opened (read-only) \??\E: Sbcja.exe File opened (read-only) \??\H: Sbcja.exe File opened (read-only) \??\K: Sbcja.exe File opened (read-only) \??\O: Sbcja.exe File opened (read-only) \??\S: Sbcja.exe File opened (read-only) \??\W: Sbcja.exe File opened (read-only) \??\X: Sbcja.exe File opened (read-only) \??\Y: Sbcja.exe File opened (read-only) \??\I: Sbcja.exe File opened (read-only) \??\P: Sbcja.exe File opened (read-only) \??\T: Sbcja.exe File opened (read-only) \??\U: Sbcja.exe File opened (read-only) \??\V: Sbcja.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Sbcja.exe 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe File created C:\Windows\SysWOW64\Sbcja.exe 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe -
resource yara_rule behavioral2/memory/452-0-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/files/0x000b000000023b8e-9.dat upx behavioral2/memory/452-18-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/memory/2732-21-0x0000000000400000-0x0000000000585000-memory.dmp upx behavioral2/memory/4588-39-0x0000000000400000-0x0000000000585000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sbcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sbcja.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5056 cmd.exe 1116 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sbcja.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Sbcja.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Sbcja.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Sbcja.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1116 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe 4588 Sbcja.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4588 Sbcja.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 452 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe Token: SeLoadDriverPrivilege 4588 Sbcja.exe Token: 33 4588 Sbcja.exe Token: SeIncBasePriorityPrivilege 4588 Sbcja.exe Token: 33 4588 Sbcja.exe Token: SeIncBasePriorityPrivilege 4588 Sbcja.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 452 wrote to memory of 5056 452 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe 84 PID 452 wrote to memory of 5056 452 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe 84 PID 452 wrote to memory of 5056 452 0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe 84 PID 2732 wrote to memory of 4588 2732 Sbcja.exe 86 PID 2732 wrote to memory of 4588 2732 Sbcja.exe 86 PID 2732 wrote to memory of 4588 2732 Sbcja.exe 86 PID 5056 wrote to memory of 1116 5056 cmd.exe 88 PID 5056 wrote to memory of 1116 5056 cmd.exe 88 PID 5056 wrote to memory of 1116 5056 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe"C:\Users\Admin\AppData\Local\Temp\0d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\0D1C78~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1116
-
-
-
C:\Windows\SysWOW64\Sbcja.exeC:\Windows\SysWOW64\Sbcja.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Sbcja.exeC:\Windows\SysWOW64\Sbcja.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4588
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
611KB
MD576089031299894cc05345fada7a1e5d3
SHA119e22c44c57cffcf0cd68a388de96c7db8bcfc51
SHA2560d1c78e15277eecfc41bf4cfa17fa4501acf8f29f943bcfd6fa897ef2fae43d2
SHA512e08a7220a01a961b54dd9e4677f38f36865af3e1091bf61e194e5d62036a4b20f73783a2be7f175563a945787b9df0faf3059eacbdba55a2f00a5e94dae0b7a2