Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-11-2024 04:33
Static task: static1
Behavioral task: behavioral1
Sample: 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
Resource: win7-20240903-en
General
Target: 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
Size: 2.0MB
MD5: 7c42c0289a8ef2395efc1e7925b2d16e
SHA1: 5b75f9495a791d982e269f3fb4dcac2b95f5138c
SHA256: 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7
SHA512: 01e5a6f9a5145e01603c84f772e038b2ee40e45fb4d9b307269b199411fa68127e2443ede7ea30f0c630d2c84090de2c38b75ff8e139a7886e341e82b36750bc
SSDEEP: 24576:hCIRyPP2GXKWAftKuRz2tgJZA5r5NCLytLSBy/r4/c4W6dVypXkPckF+XM/HU93G:CPBKWO02gSAIW4k4W6fskkkF+SHU932B
Malware Config
Signatures
Purplefox rootkit payload (yara rule purplefox_rootkit) 4 IoCs
resource | yara_rule
behavioral2/memory/11088-16353-0x0000000010000000-0x00000000101B5000-memory.dmp | purplefox_rootkit
behavioral2/memory/11088-16352-0x0000000010000000-0x00000000101B5000-memory.dmp | purplefox_rootkit
behavioral2/memory/1868-42503-0x0000000010000000-0x00000000101B5000-memory.dmp | purplefox_rootkit
behavioral2/memory/1868-42507-0x0000000010000000-0x00000000101B5000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/11088-16353-0x0000000010000000-0x00000000101B5000-memory.dmp | family_gh0strat
behavioral2/memory/11088-16352-0x0000000010000000-0x00000000101B5000-memory.dmp | family_gh0strat
behavioral2/memory/1868-42503-0x0000000010000000-0x00000000101B5000-memory.dmp | family_gh0strat
behavioral2/memory/1868-42507-0x0000000010000000-0x00000000101B5000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | Windows.dll
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Windows.dll
Executes dropped EXE 4 IoCs
pid | Process
1396 | Windows.dll
11088 | Windows.dll
1868 | Windows.dll
10816 | Phxph.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Phxph.exe | Windows.dll
File opened for modification | C:\Windows\SysWOW64\Phxph.exe | Windows.dll
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid | Process | events
11088 | Windows.dll | 37
1868 | Windows.dll | 26
10816 | Phxph.exe | 1
UPX-packed memory regions (yara rule upx) 5 IoCs
resource | yara_rule
behavioral2/memory/11088-16353-0x0000000010000000-0x00000000101B5000-memory.dmp | upx
behavioral2/memory/11088-16352-0x0000000010000000-0x00000000101B5000-memory.dmp | upx
behavioral2/memory/11088-16350-0x0000000010000000-0x00000000101B5000-memory.dmp | upx
behavioral2/memory/1868-42503-0x0000000010000000-0x00000000101B5000-memory.dmp | upx
behavioral2/memory/1868-42507-0x0000000010000000-0x00000000101B5000-memory.dmp | upx
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows.dll
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phxph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows.dll
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Windows.dll
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems. Note that the ping recorded here targets 127.0.0.1 (see the cmd.exe command line in the process tree), so in this sample it serves as a short delay before the del command rather than as a connectivity check.
pid | Process
42624 | cmd.exe
42676 | PING.EXE
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
42676 | PING.EXE
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
1868 | Windows.dll
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeLoadDriverPrivilege | 1868 | Windows.dll
Token: SeIncBasePriorityPrivilege | 11088 | Windows.dll
Token: 33 (privilege value 33 is SeIncreaseWorkingSetPrivilege on stock Windows) | 1868 | Windows.dll
Token: SeIncBasePriorityPrivilege | 1868 | Windows.dll
Token: 33 | 1868 | Windows.dll
Token: SeIncBasePriorityPrivilege | 1868 | Windows.dll
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4036 | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
4036 | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | Process | procid_target
PID 4036 wrote to memory of 1396 (3 events) | 4036 | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe | 86
PID 4036 wrote to memory of 11088 (3 events) | 4036 | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe | 89
PID 4036 wrote to memory of 1868 (3 events) | 4036 | 24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe | 90
PID 11088 wrote to memory of 42624 (3 events) | 11088 | Windows.dll | 99
PID 42624 wrote to memory of 42676 (3 events) | 42624 | cmd.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4036
  - C:\Users\Admin\AppData\Roaming\Windows.dll
    Command line: C:\Users\Admin\AppData\Roaming\\Windows.dll
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1396
  - C:\Users\Admin\AppData\Roaming\Windows.dll
    Command line: C:\Users\Admin\AppData\Roaming\\Windows.dll
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 11088
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\Windows.dll > nul
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 42624
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 42676
  - C:\Users\Admin\AppData\Roaming\Windows.dll
    Command line: C:\Users\Admin\AppData\Roaming\\Windows.dll
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 1868
- C:\Windows\SysWOW64\Phxph.exe
  Command line: C:\Windows\SysWOW64\Phxph.exe -auto
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID: 10816
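The process tree and the signature tables above give enough detail to write detection logic for three of the recorded behaviours: a parent that spawns cmd.exe with "ping -n N 127.0.0.1 ... && del <its own image>" so the dropper removes itself after a delay, a process that writes a .sys under system32\drivers and then sets Services\<name>\ImagePath to that file, and a process running from a user-writable directory that writes executables into System32 or SysWOW64. The Python below is an added example, not part of the sandbox report and not code from the sample; it runs over constructed Sysmon-style events whose PIDs, paths and command lines are copied from this report. The event layout, field names, regexes and the benign control event are assumptions made for the example.

```python
"""Detection rules for three behaviours recorded in this report, run over
constructed Sysmon-style events. Added example; not sandbox or malware code.
Event shapes are assumptions loosely modelled on Sysmon event IDs 1 (process
create), 11 (file create) and 13 (registry value set)."""
import re

# Constructed sample events. PIDs, paths and command lines come from the
# report's process tree and signature tables; the layout and the benign
# control event at the end are made up for this example.
EVENTS = [
    {"type": "process_create", "pid": 4036, "parent_pid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\24de619d714456dbba177b8461b82e889b63f96f154f722f01029d22b59399c7.exe"},
    {"type": "process_create", "pid": 11088, "parent_pid": 4036,
     "image": r"C:\Users\Admin\AppData\Roaming\Windows.dll",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\\Windows.dll"},
    {"type": "process_create", "pid": 42624, "parent_pid": 11088,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\Windows.dll > nul"},
    {"type": "file_create", "pid": 1868,
     "image": r"C:\Users\Admin\AppData\Roaming\Windows.dll",
     "path": r"C:\Windows\system32\drivers\QAssist.sys"},
    {"type": "registry_set", "pid": 1868,
     "image": r"C:\Users\Admin\AppData\Roaming\Windows.dll",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath",
     "value": r"system32\DRIVERS\QAssist.sys"},
    {"type": "file_create", "pid": 11088,
     "image": r"C:\Users\Admin\AppData\Roaming\Windows.dll",
     "path": r"C:\Windows\SysWOW64\Phxph.exe"},
    # Benign control (constructed): an interactive ping with no del; must not fire.
    {"type": "process_create", "pid": 500, "parent_pid": 400,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 2 10.0.0.1"},
]

# "ping <args> ... && del [/flags] <path> [> nul]" - the delay-then-delete idiom.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+\d+\s+)?\S+.*?&&\s*del\s+(?:/[a-z]\s+)*\"?([^\"&>|]+?)\"?\s*(?:>\s*nul)?\s*$",
    re.IGNORECASE)
DRIVER_PATH_RE = re.compile(r"\\drivers\\([^\\]+\.sys)$", re.IGNORECASE)
IMAGEPATH_KEY_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def normalize_path(p: str) -> str:
    """Collapse doubled backslashes (as in the Windows.dll launch line), drop quotes, lower-case."""
    return re.sub(r"\\+", r"\\", p).strip().strip('"').lower()


def find_self_delete(events):
    """Flag a cmd.exe whose del target is the image of the process that spawned it.
    Keyed on PID for brevity; real telemetry should correlate on ProcessGuid, since PIDs recycle."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        target = normalize_path(m.group(1))
        parent = by_pid.get(e["parent_pid"])
        if parent and normalize_path(parent["image"]) == target:
            hits.append((e["pid"], e["parent_pid"], target))
    return hits


def find_driver_service_persistence(events):
    """Correlate a .sys dropped under drivers\ with a Services\<name>\ImagePath set by the same process."""
    dropped = {}  # (pid, driver file name) -> full path written
    for e in events:
        if e["type"] == "file_create":
            m = DRIVER_PATH_RE.search(e["path"])
            if m:
                dropped[(e["pid"], m.group(1).lower())] = e["path"]
    hits = []
    for e in events:
        if e["type"] != "registry_set":
            continue
        m = IMAGEPATH_KEY_RE.search(e["key"])
        if not m:
            continue
        fname = normalize_path(e["value"]).rsplit("\\", 1)[-1]
        if (e["pid"], fname) in dropped:
            hits.append({"pid": e["pid"], "service": m.group(1), "driver": dropped[(e["pid"], fname)]})
    return hits


def find_system_dir_drops(events):
    """Executable written into a system directory by a process running from a user-writable path."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        path, writer = normalize_path(e["path"]), normalize_path(e["image"])
        if (path.startswith(SYSTEM_DIRS) and path.endswith((".exe", ".dll", ".sys"))
                and any(w in writer for w in USER_WRITABLE)):
            hits.append((e["pid"], e["path"]))
    return hits


def run_all(events):
    """Return every finding keyed by rule name."""
    return {
        "self_delete_via_ping": find_self_delete(events),
        "driver_service_persistence": find_driver_service_persistence(events),
        "system_dir_drop_from_user_path": find_system_dir_drops(events),
    }


if __name__ == "__main__":
    for rule, hits in run_all(EVENTS).items():
        print(rule, hits)
```

The self-delete rule only fires when the del target equals the parent's image, which is what separates this idiom from an ordinary scripted ping; the benign control event is left untouched. The driver rule keys on the .sys file name rather than the full path because ImagePath is stored relative to the system root ("system32\DRIVERS\QAssist.sys") while the file-create event carries the absolute path.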
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 1.1MB
  MD5: 1144ea1e19cb2a42f7ad2fa04db8e476
  SHA1: 2ef6e0f9c5e57305bff6d30080cf68c1d3e101d9
  SHA256: 20569e9045f5c150eafa51752334b62c78b9dbc308d61dacfcb2098a76c5cf50
  SHA512: 3df308eafc0f014a07fbdeb706b32eb5de7e02a7496e70e5035d9b76db239435a2511964fc027380aad19763755c4e07e52f4e157b691c55c5a03d5b21593556
- Filesize: 22.1MB
  MD5: 44d1ce29474bad8ada3d778af1dac0f3
  SHA1: 319f966cc44529a564f9d5d19e0fb99e0af2ea19
  SHA256: d75217eccc9e4b9a2ccfb2819b1fdbf01a074042292bcf3162ec27a01b7ee1cf
  SHA512: 511ac3bfa10928190c7cb035a976c673fb758950ce4accde4a80b81b62ee0585d5d51930571ffa177fb1d63ecd4a770415bc09800cc5cd1ac6cb7efa16b7d025