Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 11:40
Static task
static1
Behavioral task
behavioral1
Sample
41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe
Resource
win7-20240903-en
General
-
Target
41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe
-
Size
1.3MB
-
MD5
3d8a630c180e93afabc980eccc108606
-
SHA1
eef6bac852712611ae9897bc1d6aaca0ca40426b
-
SHA256
41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4
-
SHA512
508ce53f7d808ca85105021133553b2b9b191cac8b3f48cda62c7d60169a632626d37e0dba8520d44e9e1ba6c771dec46b6f61be1d8b694739b51d9aa6fe5354
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNJ:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3408-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/2044-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3620-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/3408-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/2044-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3620-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 2 IoCs
pid Process 2044 sainbox.exe 3620 sainbox.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4736 cmd.exe 1440 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1440 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3620 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3408 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe Token: SeLoadDriverPrivilege 3620 sainbox.exe Token: 33 3620 sainbox.exe Token: SeIncBasePriorityPrivilege 3620 sainbox.exe Token: 33 3620 sainbox.exe Token: SeIncBasePriorityPrivilege 3620 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3408 wrote to memory of 4736 3408 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe 84 PID 3408 wrote to memory of 4736 3408 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe 84 PID 3408 wrote to memory of 4736 3408 41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe 84 PID 2044 wrote to memory of 3620 2044 sainbox.exe 85 PID 2044 wrote to memory of 3620 2044 sainbox.exe 85 PID 2044 wrote to memory of 3620 2044 sainbox.exe 85 PID 4736 wrote to memory of 1440 4736 cmd.exe 87 PID 4736 wrote to memory of 1440 4736 cmd.exe 87 PID 4736 wrote to memory of 1440 4736 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe"C:\Users\Admin\AppData\Local\Temp\41c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\41C40A~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1440
-
-
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3620
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD53d8a630c180e93afabc980eccc108606
SHA1eef6bac852712611ae9897bc1d6aaca0ca40426b
SHA25641c40a3bba776f610cf0aff32c8e78efe797e100f999d755d2feab820fc037e4
SHA512508ce53f7d808ca85105021133553b2b9b191cac8b3f48cda62c7d60169a632626d37e0dba8520d44e9e1ba6c771dec46b6f61be1d8b694739b51d9aa6fe5354