Analysis
-
max time kernel
120s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-11-2024 08:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
General
-
Target
d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe
-
Size
1.4MB
-
MD5
cc8b4dcd81fb396033430c13d4d15c5a
-
SHA1
878df9a61fc0898fb20bdbac49f2f757da69e50d
-
SHA256
d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c
-
SHA512
6a863c8419c639eb52a63e8f63e51c03536f40330c62818db0b0b62823f470e4a77a340c79864946879381ab4b4acfb023978e69f54994f7fce2cfc39083a975
-
SSDEEP
24576:F39WkOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:59qHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/1636-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1636-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys svchosts.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" svchosts.exe -
Deletes itself 1 IoCs
pid Process 2576 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2188 svchosts.exe 1660 svchosts.exe -
Loads dropped DLL 1 IoCs
pid Process 2188 svchosts.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: svchosts.exe File opened (read-only) \??\Q: svchosts.exe File opened (read-only) \??\W: svchosts.exe File opened (read-only) \??\E: svchosts.exe File opened (read-only) \??\G: svchosts.exe File opened (read-only) \??\J: svchosts.exe File opened (read-only) \??\L: svchosts.exe File opened (read-only) \??\N: svchosts.exe File opened (read-only) \??\Z: svchosts.exe File opened (read-only) \??\P: svchosts.exe File opened (read-only) \??\R: svchosts.exe File opened (read-only) \??\T: svchosts.exe File opened (read-only) \??\X: svchosts.exe File opened (read-only) \??\Y: svchosts.exe File opened (read-only) \??\B: svchosts.exe File opened (read-only) \??\H: svchosts.exe File opened (read-only) \??\K: svchosts.exe File opened (read-only) \??\M: svchosts.exe File opened (read-only) \??\U: svchosts.exe File opened (read-only) \??\I: svchosts.exe File opened (read-only) \??\S: svchosts.exe File opened (read-only) \??\V: svchosts.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Google\svchosts.exe d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe File opened for modification C:\Program Files (x86)\Google\svchosts.exe d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchosts.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2576 cmd.exe 2416 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchosts.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchosts.exe -
Modifies data under HKEY_USERS 12 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings svchosts.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchosts.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings svchosts.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchosts.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchosts.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum svchosts.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum svchosts.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie svchosts.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" svchosts.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 svchosts.exe Key created \REGISTRY\USER\.DEFAULT\Software svchosts.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft svchosts.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2416 PING.EXE -
Suspicious behavior: EnumeratesProcesses 33 IoCs
pid Process 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe 1660 svchosts.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1660 svchosts.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1636 d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe Token: SeLoadDriverPrivilege 1660 svchosts.exe Token: 33 1660 svchosts.exe Token: SeIncBasePriorityPrivilege 1660 svchosts.exe Token: 33 1660 svchosts.exe Token: SeIncBasePriorityPrivilege 1660 svchosts.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1636 wrote to memory of 2576 1636 d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe 29 PID 1636 wrote to memory of 2576 1636 d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe 29 PID 1636 wrote to memory of 2576 1636 d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe 29 PID 1636 wrote to memory of 2576 1636 d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe 29 PID 2188 wrote to memory of 1660 2188 svchosts.exe 30 PID 2188 wrote to memory of 1660 2188 svchosts.exe 30 PID 2188 wrote to memory of 1660 2188 svchosts.exe 30 PID 2188 wrote to memory of 1660 2188 svchosts.exe 30 PID 2576 wrote to memory of 2416 2576 cmd.exe 32 PID 2576 wrote to memory of 2416 2576 cmd.exe 32 PID 2576 wrote to memory of 2416 2576 cmd.exe 32 PID 2576 wrote to memory of 2416 2576 cmd.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe"C:\Users\Admin\AppData\Local\Temp\d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\D1A430~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2416
-
-
-
C:\Program Files (x86)\Google\svchosts.exe"C:\Program Files (x86)\Google\svchosts.exe" -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Program Files (x86)\Google\svchosts.exe"C:\Program Files (x86)\Google\svchosts.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD5cc8b4dcd81fb396033430c13d4d15c5a
SHA1878df9a61fc0898fb20bdbac49f2f757da69e50d
SHA256d1a4309a0ca0c21b3c711a1c43ec1f1eb2edc19337496402726cbd688b12ee3c
SHA5126a863c8419c639eb52a63e8f63e51c03536f40330c62818db0b0b62823f470e4a77a340c79864946879381ab4b4acfb023978e69f54994f7fce2cfc39083a975