Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
15-11-2024 00:06
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Backdoor.Win32.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
HEUR-Backdoor.Win32.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
HEUR-Backdoor.Win32.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
HEUR-Backdoor.Win32.exe
-
Size
30.5MB
-
MD5
4f5c45902bd6d683fde339608c73fa45
-
SHA1
d2a36781383d2a1e7e5dfa20db8b7214c210ba7e
-
SHA256
302c010ea9f48aa392bae566a6ca71376934dfd0405c81d6e897cf4b41254b6b
-
SHA512
bf9f17b80772dfe6a44f9ce1f9e834d3ed5d485f5f77d3b315c39c6344686e4fb842d3041225d3ef8a632aae3f52017763556f743e45e99c8a52a411f7ce4e42
-
SSDEEP
6144:7Iqlnp3Us0ASuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0sS:7jLUsEux9g5F6U2WOWczLygAzN6fJg
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1692-4-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/1692-2-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/1692-3-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2800-19-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2800-20-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit behavioral1/memory/2800-23-0x0000000010000000-0x00000000101BA000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 6 IoCs
resource yara_rule behavioral1/memory/1692-4-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/1692-2-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/1692-3-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2800-19-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2800-20-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat behavioral1/memory/2800-23-0x0000000010000000-0x00000000101BA000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Vnfvn.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Vnfvn.exe -
Deletes itself 1 IoCs
pid Process 2720 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2800 Vnfvn.exe -
Loads dropped DLL 2 IoCs
pid Process 1692 HEUR-Backdoor.Win32.exe 1692 HEUR-Backdoor.Win32.exe -
resource yara_rule behavioral1/memory/1692-4-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/1692-2-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/1692-0-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/1692-3-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2800-19-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2800-20-0x0000000010000000-0x00000000101BA000-memory.dmp upx behavioral1/memory/2800-23-0x0000000010000000-0x00000000101BA000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HEUR-Backdoor.Win32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Vnfvn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2720 cmd.exe 2692 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2692 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2800 Vnfvn.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1692 HEUR-Backdoor.Win32.exe Token: SeLoadDriverPrivilege 2800 Vnfvn.exe Token: 33 2800 Vnfvn.exe Token: SeIncBasePriorityPrivilege 2800 Vnfvn.exe Token: 33 2800 Vnfvn.exe Token: SeIncBasePriorityPrivilege 2800 Vnfvn.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1692 HEUR-Backdoor.Win32.exe 2800 Vnfvn.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1692 wrote to memory of 2800 1692 HEUR-Backdoor.Win32.exe 30 PID 1692 wrote to memory of 2800 1692 HEUR-Backdoor.Win32.exe 30 PID 1692 wrote to memory of 2800 1692 HEUR-Backdoor.Win32.exe 30 PID 1692 wrote to memory of 2800 1692 HEUR-Backdoor.Win32.exe 30 PID 1692 wrote to memory of 2720 1692 HEUR-Backdoor.Win32.exe 31 PID 1692 wrote to memory of 2720 1692 HEUR-Backdoor.Win32.exe 31 PID 1692 wrote to memory of 2720 1692 HEUR-Backdoor.Win32.exe 31 PID 1692 wrote to memory of 2720 1692 HEUR-Backdoor.Win32.exe 31 PID 2720 wrote to memory of 2692 2720 cmd.exe 33 PID 2720 wrote to memory of 2692 2720 cmd.exe 33 PID 2720 wrote to memory of 2692 2720 cmd.exe 33 PID 2720 wrote to memory of 2692 2720 cmd.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.Win32.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vnfvn.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Vnfvn.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\HEUR-B~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2692
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
30.5MB
MD54f5c45902bd6d683fde339608c73fa45
SHA1d2a36781383d2a1e7e5dfa20db8b7214c210ba7e
SHA256302c010ea9f48aa392bae566a6ca71376934dfd0405c81d6e897cf4b41254b6b
SHA512bf9f17b80772dfe6a44f9ce1f9e834d3ed5d485f5f77d3b315c39c6344686e4fb842d3041225d3ef8a632aae3f52017763556f743e45e99c8a52a411f7ce4e42