Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 11:08
Static task
static1
Behavioral task
behavioral1
Sample
f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe
Resource
win7-20240903-en
General
-
Target
f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe
-
Size
1.3MB
-
MD5
ac8fd4cc5e96f3037bd4246681b1f37a
-
SHA1
2c8bf4e25d9028a5381867b9eed9893a7c00e10d
-
SHA256
f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3
-
SHA512
e2934f60e1796868c79e5adeb5910abd0f3d169c1834574dde7ff89ae381f609a306c4a8ab9c8bb990117cdcecda315069f26db57cb5aea1b06ffcc212d74157
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN1:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2684-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2684-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Deletes itself 1 IoCs
pid Process 2852 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2928 sainbox.exe 2568 sainbox.exe -
Loads dropped DLL 1 IoCs
pid Process 2928 sainbox.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2852 cmd.exe 2552 PING.EXE -
Modifies data under HKEY_USERS 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" sainbox.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings sainbox.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix sainbox.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2552 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 2568 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2684 f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe Token: SeLoadDriverPrivilege 2568 sainbox.exe Token: 33 2568 sainbox.exe Token: SeIncBasePriorityPrivilege 2568 sainbox.exe Token: 33 2568 sainbox.exe Token: SeIncBasePriorityPrivilege 2568 sainbox.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2684 wrote to memory of 2852 2684 f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe 32 PID 2684 wrote to memory of 2852 2684 f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe 32 PID 2684 wrote to memory of 2852 2684 f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe 32 PID 2684 wrote to memory of 2852 2684 f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe 32 PID 2928 wrote to memory of 2568 2928 sainbox.exe 34 PID 2928 wrote to memory of 2568 2928 sainbox.exe 34 PID 2928 wrote to memory of 2568 2928 sainbox.exe 34 PID 2928 wrote to memory of 2568 2928 sainbox.exe 34 PID 2852 wrote to memory of 2552 2852 cmd.exe 35 PID 2852 wrote to memory of 2552 2852 cmd.exe 35 PID 2852 wrote to memory of 2552 2852 cmd.exe 35 PID 2852 wrote to memory of 2552 2852 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe"C:\Users\Admin\AppData\Local\Temp\f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\F52CB5~1.EXE > nul2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2552
-
-
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5ac8fd4cc5e96f3037bd4246681b1f37a
SHA12c8bf4e25d9028a5381867b9eed9893a7c00e10d
SHA256f52cb5765f362b43e18ddafb2e31118fe684b22e142d3775621956ec8d1957b3
SHA512e2934f60e1796868c79e5adeb5910abd0f3d169c1834574dde7ff89ae381f609a306c4a8ab9c8bb990117cdcecda315069f26db57cb5aea1b06ffcc212d74157