Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 15:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
General
-
Target
5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe
-
Size
1.4MB
-
MD5
0729a729cad60281ab0298df22d5ecd8
-
SHA1
201acb8881bfee6ed5c10a1bdffbf239a3778233
-
SHA256
5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457
-
SHA512
e349a5531fae111e1a82492d75549476ef81b091814344e46061c647e99a179d9ce5eefdb97205921d65bd87e0b088153b7d9b0fc74aadc814e621011dd99e92
-
SSDEEP
24576:F39WkOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:59qHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3132-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/1176-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2888-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/3132-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/1176-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2888-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Sbcja.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Sbcja.exe -
Executes dropped EXE 2 IoCs
pid Process 1176 Sbcja.exe 2888 Sbcja.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: Sbcja.exe File opened (read-only) \??\Z: Sbcja.exe File opened (read-only) \??\J: Sbcja.exe File opened (read-only) \??\L: Sbcja.exe File opened (read-only) \??\O: Sbcja.exe File opened (read-only) \??\U: Sbcja.exe File opened (read-only) \??\G: Sbcja.exe File opened (read-only) \??\K: Sbcja.exe File opened (read-only) \??\Q: Sbcja.exe File opened (read-only) \??\W: Sbcja.exe File opened (read-only) \??\X: Sbcja.exe File opened (read-only) \??\M: Sbcja.exe File opened (read-only) \??\S: Sbcja.exe File opened (read-only) \??\T: Sbcja.exe File opened (read-only) \??\I: Sbcja.exe File opened (read-only) \??\N: Sbcja.exe File opened (read-only) \??\P: Sbcja.exe File opened (read-only) \??\V: Sbcja.exe File opened (read-only) \??\Y: Sbcja.exe File opened (read-only) \??\B: Sbcja.exe File opened (read-only) \??\E: Sbcja.exe File opened (read-only) \??\H: Sbcja.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Sbcja.exe 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe File opened for modification C:\Windows\SysWOW64\Sbcja.exe 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sbcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sbcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3388 cmd.exe 4940 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Sbcja.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Sbcja.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Sbcja.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software Sbcja.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Sbcja.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4940 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe 2888 Sbcja.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2888 Sbcja.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3132 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe Token: SeLoadDriverPrivilege 2888 Sbcja.exe Token: 33 2888 Sbcja.exe Token: SeIncBasePriorityPrivilege 2888 Sbcja.exe Token: 33 2888 Sbcja.exe Token: SeIncBasePriorityPrivilege 2888 Sbcja.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3132 wrote to memory of 3388 3132 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe 87 PID 3132 wrote to memory of 3388 3132 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe 87 PID 3132 wrote to memory of 3388 3132 5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe 87 PID 1176 wrote to memory of 2888 1176 Sbcja.exe 88 PID 1176 wrote to memory of 2888 1176 Sbcja.exe 88 PID 1176 wrote to memory of 2888 1176 Sbcja.exe 88 PID 3388 wrote to memory of 4940 3388 cmd.exe 91 PID 3388 wrote to memory of 4940 3388 cmd.exe 91 PID 3388 wrote to memory of 4940 3388 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe"C:\Users\Admin\AppData\Local\Temp\5f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\5F9885~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4940
-
-
-
C:\Windows\SysWOW64\Sbcja.exeC:\Windows\SysWOW64\Sbcja.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Sbcja.exeC:\Windows\SysWOW64\Sbcja.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD50729a729cad60281ab0298df22d5ecd8
SHA1201acb8881bfee6ed5c10a1bdffbf239a3778233
SHA2565f9885d8ca8f14c9cb6a37074be635960369b25f39a2f00179ad5d2ac93a4457
SHA512e349a5531fae111e1a82492d75549476ef81b091814344e46061c647e99a179d9ce5eefdb97205921d65bd87e0b088153b7d9b0fc74aadc814e621011dd99e92