Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2024 16:13
Static task
static1
Behavioral task
behavioral1
Sample
3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe
Resource
win7-20241023-en
General
-
Target
3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe
-
Size
1.3MB
-
MD5
8ddb43200545067aa88371131269f9dd
-
SHA1
00d2e629017dd3d568a6b7e266a8976ba14a60ab
-
SHA256
3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647
-
SHA512
68d78af9545eee487daf1f990084aa7dda7eac425b675ae35735a2cd4b6e37ec044f7f1ea63850f5e4eeb5103119d962144fe1b1a708787605b7f379fecd5134
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNC:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4852-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/4016-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3248-18-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/4852-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/4016-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3248-18-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys WPS.png -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" WPS.png -
Executes dropped EXE 2 IoCs
pid Process 4016 WPS.png 3248 WPS.png -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\AppPatch\WPS.png 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe File created C:\Program Files (x86)\AppPatch\WPS.png 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WPS.png Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WPS.png Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2952 cmd.exe 64 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 64 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3248 WPS.png -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4852 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe Token: SeLoadDriverPrivilege 3248 WPS.png Token: 33 3248 WPS.png Token: SeIncBasePriorityPrivilege 3248 WPS.png Token: 33 3248 WPS.png Token: SeIncBasePriorityPrivilege 3248 WPS.png -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4852 wrote to memory of 2952 4852 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe 83 PID 4852 wrote to memory of 2952 4852 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe 83 PID 4852 wrote to memory of 2952 4852 3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe 83 PID 4016 wrote to memory of 3248 4016 WPS.png 84 PID 4016 wrote to memory of 3248 4016 WPS.png 84 PID 4016 wrote to memory of 3248 4016 WPS.png 84 PID 2952 wrote to memory of 64 2952 cmd.exe 86 PID 2952 wrote to memory of 64 2952 cmd.exe 86 PID 2952 wrote to memory of 64 2952 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe"C:\Users\Admin\AppData\Local\Temp\3093cf90addca7bbefe5eee024ca75f149a16d892873a20a2ff4052d9c693647.exe"1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\3093CF~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:64
-
-
-
C:\Program Files (x86)\AppPatch\WPS.png"C:\Program Files (x86)\AppPatch\WPS.png" -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\Program Files (x86)\AppPatch\WPS.png"C:\Program Files (x86)\AppPatch\WPS.png" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3248
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.3MB
MD5b7526ff8350283086169d48ac7db333d
SHA11518bbd2dfdcfa2f31eaee2b1946edb7be586dc9
SHA256d00360fe336dd3d907664bb0aad7731c297b57383c24c57c00afb5769064b773
SHA5120b86f5bf972641acbd966426d71570d9fcf45bea861a7539b211843542f2b2c1178556cb39c85ec2ba2e89b02f05696fa714bb5a82361a0a84eadf71116f5f76