Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 17:17
Static task
static1
Behavioral task
behavioral1
Sample
f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe
Resource
win7-20241010-en
General
-
Target
f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe
-
Size
1.3MB
-
MD5
8c8ec8c6889ce6efcb5e78801b0e7372
-
SHA1
4953fc26267d1ae140b79d23e36de5a6221a8332
-
SHA256
f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d
-
SHA512
2a0d4dee2b08f41a5a33c7354eab786b2693c374d120db8ad727d131b98ef8024cfd011407f403b63652803be20226efad81e85a036276be4ff3dc06484f5b0b
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNr:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3644-1-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/4464-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/1540-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/3644-1-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/4464-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/1540-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 2 IoCs
pid Process 4464 sainbox.exe 1540 sainbox.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3316 cmd.exe 4128 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4128 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1540 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3644 f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe Token: SeLoadDriverPrivilege 1540 sainbox.exe Token: 33 1540 sainbox.exe Token: SeIncBasePriorityPrivilege 1540 sainbox.exe Token: 33 1540 sainbox.exe Token: SeIncBasePriorityPrivilege 1540 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 3644 wrote to memory of 3316 3644 f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe 85 PID 3644 wrote to memory of 3316 3644 f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe 85 PID 3644 wrote to memory of 3316 3644 f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe 85 PID 4464 wrote to memory of 1540 4464 sainbox.exe 87 PID 4464 wrote to memory of 1540 4464 sainbox.exe 87 PID 4464 wrote to memory of 1540 4464 sainbox.exe 87 PID 3316 wrote to memory of 4128 3316 cmd.exe 88 PID 3316 wrote to memory of 4128 3316 cmd.exe 88 PID 3316 wrote to memory of 4128 3316 cmd.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe"C:\Users\Admin\AppData\Local\Temp\f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\F17551~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4128
-
-
-
C:\ProgramData\Application Data\DRM\sainbox.exe"C:\ProgramData\Application Data\DRM\sainbox.exe" -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\ProgramData\Application Data\DRM\sainbox.exe"C:\ProgramData\Application Data\DRM\sainbox.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD58c8ec8c6889ce6efcb5e78801b0e7372
SHA14953fc26267d1ae140b79d23e36de5a6221a8332
SHA256f17551082a9e650f6d1b2def54a46a5788efb11144547d0b5db3b137a3d9d69d
SHA5122a0d4dee2b08f41a5a33c7354eab786b2693c374d120db8ad727d131b98ef8024cfd011407f403b63652803be20226efad81e85a036276be4ff3dc06484f5b0b