Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
10-11-2024 14:41
Static task
static1
Behavioral task
behavioral1
Sample
13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe
Resource
win7-20241010-en
General
-
Target
13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe
-
Size
1.4MB
-
MD5
dea28e82141c270ec9fd9436c9b8aa0a
-
SHA1
d95a3f613724d9fd52f300880f96fc5598e430a3
-
SHA256
13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23
-
SHA512
44a04bd5b915ddf6ec9a02dbd9dc2b527bb9caf02fb9d5cc64b2dc8f985be29413c7623dd3f4029269574b022636b8a1e3e49fa82fbe6786fa0f0134c0245101
-
SSDEEP
24576:F39WkOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:59qHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1680-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1680-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Dtldt.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Dtldt.exe -
Deletes itself 1 IoCs
pid Process 2944 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 1184 Dtldt.exe 2980 Dtldt.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dtldt.exe 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe File opened for modification C:\Windows\SysWOW64\Dtldt.exe 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dtldt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dtldt.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2904 PING.EXE 2944 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2904 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2980 Dtldt.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1680 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe Token: SeLoadDriverPrivilege 2980 Dtldt.exe Token: 33 2980 Dtldt.exe Token: SeIncBasePriorityPrivilege 2980 Dtldt.exe Token: 33 2980 Dtldt.exe Token: SeIncBasePriorityPrivilege 2980 Dtldt.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1680 wrote to memory of 2944 1680 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe 30 PID 1680 wrote to memory of 2944 1680 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe 30 PID 1680 wrote to memory of 2944 1680 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe 30 PID 1680 wrote to memory of 2944 1680 13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe 30 PID 1184 wrote to memory of 2980 1184 Dtldt.exe 31 PID 1184 wrote to memory of 2980 1184 Dtldt.exe 31 PID 1184 wrote to memory of 2980 1184 Dtldt.exe 31 PID 1184 wrote to memory of 2980 1184 Dtldt.exe 31 PID 2944 wrote to memory of 2904 2944 cmd.exe 33 PID 2944 wrote to memory of 2904 2944 cmd.exe 33 PID 2944 wrote to memory of 2904 2944 cmd.exe 33 PID 2944 wrote to memory of 2904 2944 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe"C:\Users\Admin\AppData\Local\Temp\13fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\13FC82~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2904
-
-
-
C:\Windows\SysWOW64\Dtldt.exeC:\Windows\SysWOW64\Dtldt.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Dtldt.exeC:\Windows\SysWOW64\Dtldt.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5dea28e82141c270ec9fd9436c9b8aa0a
SHA1d95a3f613724d9fd52f300880f96fc5598e430a3
SHA25613fc82700e8cbcfd051c643b2cbfffe57597b7fe042e481d00877ad74998ad23
SHA51244a04bd5b915ddf6ec9a02dbd9dc2b527bb9caf02fb9d5cc64b2dc8f985be29413c7623dd3f4029269574b022636b8a1e3e49fa82fbe6786fa0f0134c0245101