Analysis
-
max time kernel
93s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2024 03:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
120 seconds
General
-
Target
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe
-
Size
1.7MB
-
MD5
a7deaf4b18688d539bb682123b36ef10
-
SHA1
6cfbeb011b9a9b32521d931c2a7d116856e88c6a
-
SHA256
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771
-
SHA512
e03a157125443605f9414688917ae915a4be6abb7ed7501133fe77b25861660361d69c20bbdce0d3b861a58112928c72e32422becc514701dc075a184a9170bb
-
SSDEEP
24576:2M8wcsjBocoT3cgEeqroaV3NSPDo7gKVbZETckLZzzb78BChn:jSbfMhywSZ7Rx
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/1200-0-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1200-0-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
Processes:
sainbox.exedescription ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
sainbox.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe -
Executes dropped EXE 1 IoCs
Processes:
sainbox.exepid Process 4964 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
sainbox.exedescription ioc Process File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\W: sainbox.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exesainbox.execmd.exePING.EXEdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 3660 cmd.exe 1704 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
sainbox.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
sainbox.exepid Process 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe 4964 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
sainbox.exepid Process 4964 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exesainbox.exedescription pid Process Token: SeIncBasePriorityPrivilege 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe Token: SeLoadDriverPrivilege 4964 sainbox.exe Token: 33 4964 sainbox.exe Token: SeIncBasePriorityPrivilege 4964 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.execmd.exedescription pid Process procid_target PID 1200 wrote to memory of 4964 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 84 PID 1200 wrote to memory of 4964 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 84 PID 1200 wrote to memory of 4964 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 84 PID 1200 wrote to memory of 3660 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 85 PID 1200 wrote to memory of 3660 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 85 PID 1200 wrote to memory of 3660 1200 8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe 85 PID 3660 wrote to memory of 1704 3660 cmd.exe 87 PID 3660 wrote to memory of 1704 3660 cmd.exe 87 PID 3660 wrote to memory of 1704 3660 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe"C:\Users\Admin\AppData\Local\Temp\8c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771N.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sainbox.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\8C3080~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1704
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5a7deaf4b18688d539bb682123b36ef10
SHA16cfbeb011b9a9b32521d931c2a7d116856e88c6a
SHA2568c30808ed184a1912bfa9c30c284103a89c3aee28f09a2fbaea546b34bc8e771
SHA512e03a157125443605f9414688917ae915a4be6abb7ed7501133fe77b25861660361d69c20bbdce0d3b861a58112928c72e32422becc514701dc075a184a9170bb