Analysis
-
max time kernel
121s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 05:21
Static task
static1
Behavioral task
behavioral1
Sample
e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe
Resource
win7-20240903-en
General
-
Target
e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe
-
Size
1.3MB
-
MD5
1791c919dbd852e46dd5e0471777aa1d
-
SHA1
e0a1b5667d3a67e489f6a551f100b50c43b75f41
-
SHA256
e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789
-
SHA512
93dcebc3da28cb8591cb25d0edcb248b2790e58ab305e4b496932566606f993744d6e566e192a8f06f4f7f34ab7bc0688d4670d94cbf35e59a69d47007573b65
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNm:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/2168-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2856-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2192-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/2168-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2856-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2192-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 2 IoCs
pid Process 2856 sainbox.exe 2192 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\S: sainbox.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3732 PING.EXE 4832 cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie sainbox.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3732 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe 2192 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2192 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2168 e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe Token: SeLoadDriverPrivilege 2192 sainbox.exe Token: 33 2192 sainbox.exe Token: SeIncBasePriorityPrivilege 2192 sainbox.exe Token: 33 2192 sainbox.exe Token: SeIncBasePriorityPrivilege 2192 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2168 wrote to memory of 4832 2168 e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe 86 PID 2168 wrote to memory of 4832 2168 e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe 86 PID 2168 wrote to memory of 4832 2168 e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe 86 PID 2856 wrote to memory of 2192 2856 sainbox.exe 87 PID 2856 wrote to memory of 2192 2856 sainbox.exe 87 PID 2856 wrote to memory of 2192 2856 sainbox.exe 87 PID 4832 wrote to memory of 3732 4832 cmd.exe 89 PID 4832 wrote to memory of 3732 4832 cmd.exe 89 PID 4832 wrote to memory of 3732 4832 cmd.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe"C:\Users\Admin\AppData\Local\Temp\e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\E51D7E~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3732
-
-
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD51791c919dbd852e46dd5e0471777aa1d
SHA1e0a1b5667d3a67e489f6a551f100b50c43b75f41
SHA256e51d7e8517b99977be84d55f0be6f8ecf2994ddc180a94f838d68bc395c93789
SHA51293dcebc3da28cb8591cb25d0edcb248b2790e58ab305e4b496932566606f993744d6e566e192a8f06f4f7f34ab7bc0688d4670d94cbf35e59a69d47007573b65