Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 18:30
Static task
static1
Behavioral task
behavioral1
Sample
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe
Resource
win7-20240903-en
General
-
Target
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe
-
Size
3.6MB
-
MD5
baecee8312e9a67ca151513e41ac84bf
-
SHA1
efebb50a06185ccf23c4a613c92001a1f0f50bf3
-
SHA256
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d
-
SHA512
57cb8683cbe5463c201e3f604ccc020ba61f22ed992a1b59a91076409408dac7f17443f38327a7641c1c5d6c1869031699933033a78d35ef1147188bf85dae0e
-
SSDEEP
49152:moRLXMJPb7aa1u+ENFAoWo2DqbfQ1rmo6mxQXiDGTMD1TRLjXpWMiI:DpXMJPb1U+EKo2Dqb07BxQXGB3XpWHI
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/844-17-0x0000000010000000-0x00000000101B0000-memory.dmp purplefox_rootkit behavioral1/memory/844-34-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit behavioral1/memory/1988-35-0x0000000001330000-0x00000000014C1000-memory.dmp purplefox_rootkit behavioral1/memory/1988-39-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit behavioral1/memory/1200-55-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit -
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys conhost.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" conhost.exe -
Executes dropped EXE 3 IoCs
pid Process 844 conhost.exe 1988 conhost.exe 1200 conhost.exe -
Loads dropped DLL 1 IoCs
pid Process 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe -
resource yara_rule behavioral1/files/0x0008000000016c3a-11.dat upx behavioral1/memory/844-16-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral1/memory/1696-13-0x000000001A880000-0x000000001AA11000-memory.dmp upx behavioral1/memory/844-34-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral1/memory/1200-36-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral1/memory/1988-39-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral1/memory/1200-55-0x0000000000400000-0x0000000000591000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\conhost.exe 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe File opened for modification C:\Windows\conhost.exe 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe File opened for modification C:\Windows\conhost.exe conhost.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2076 cmd.exe 1500 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1500 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1200 conhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 844 conhost.exe Token: SeLoadDriverPrivilege 1200 conhost.exe Token: 33 1200 conhost.exe Token: SeIncBasePriorityPrivilege 1200 conhost.exe Token: 33 1200 conhost.exe Token: SeIncBasePriorityPrivilege 1200 conhost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1696 wrote to memory of 844 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 30 PID 1696 wrote to memory of 844 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 30 PID 1696 wrote to memory of 844 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 30 PID 1696 wrote to memory of 844 1696 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 30 PID 1988 wrote to memory of 1200 1988 conhost.exe 32 PID 1988 wrote to memory of 1200 1988 conhost.exe 32 PID 1988 wrote to memory of 1200 1988 conhost.exe 32 PID 1988 wrote to memory of 1200 1988 conhost.exe 32 PID 844 wrote to memory of 2076 844 conhost.exe 33 PID 844 wrote to memory of 2076 844 conhost.exe 33 PID 844 wrote to memory of 2076 844 conhost.exe 33 PID 844 wrote to memory of 2076 844 conhost.exe 33 PID 2076 wrote to memory of 1500 2076 cmd.exe 35 PID 2076 wrote to memory of 1500 2076 cmd.exe 35 PID 2076 wrote to memory of 1500 2076 cmd.exe 35 PID 2076 wrote to memory of 1500 2076 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe"C:\Users\Admin\AppData\Local\Temp\4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\conhost.exeC:\Windows\conhost.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\conhost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1500
-
-
-
-
C:\Windows\conhost.exeC:\Windows\conhost.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\conhost.exeC:\Windows\conhost.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
652KB
MD54f883e7d4d89a581845bc451d7f7a90c
SHA115dd39b9401b946330288a147437af3d9722bdf1
SHA2567c36b489a2fe329398415fd58a73c3b61f8127d4a4ebb002a64d604cfe2d7387
SHA51256e54e4e03f783fddad2b61ace38f7adfec5bcc0f591aeb9004c82eb674daaafc584037f057123789bafbfedc914d01a7d92af685b2239b232668a3ef2e1f61f
-
Filesize
2.8MB
MD59134ef6a44e4a9cb311e1139e4590812
SHA17ae8250a4afd225dbc8420183116e8af1cf15cfe
SHA25630000de63dd389b0aef61d01cdae2ed38f4bc0e03ca04e585780ca7b55b47662
SHA51277fa1b7ff4dd4d96041b5b0f6df62b4cea39820163d12921af5fff5a959f26078441e6fd5652f7d4b72565a5fe4e217e869efd724d910d531d24637c5cb74ed8