Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 18:30
Static task
static1
Behavioral task
behavioral1
Sample
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe
Resource
win7-20240903-en
General
-
Target
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe
-
Size
3.6MB
-
MD5
baecee8312e9a67ca151513e41ac84bf
-
SHA1
efebb50a06185ccf23c4a613c92001a1f0f50bf3
-
SHA256
4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d
-
SHA512
57cb8683cbe5463c201e3f604ccc020ba61f22ed992a1b59a91076409408dac7f17443f38327a7641c1c5d6c1869031699933033a78d35ef1147188bf85dae0e
-
SSDEEP
49152:moRLXMJPb7aa1u+ENFAoWo2DqbfQ1rmo6mxQXiDGTMD1TRLjXpWMiI:DpXMJPb1U+EKo2Dqb07BxQXGB3XpWHI
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3460-14-0x0000000010000000-0x00000000101B0000-memory.dmp purplefox_rootkit behavioral2/memory/1896-23-0x0000000010000000-0x00000000101B0000-memory.dmp purplefox_rootkit behavioral2/memory/3460-31-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit behavioral2/memory/1896-34-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit behavioral2/memory/1144-52-0x0000000000400000-0x0000000000591000-memory.dmp purplefox_rootkit -
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys conhost.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" conhost.exe -
Executes dropped EXE 3 IoCs
pid Process 3460 conhost.exe 1896 conhost.exe 1144 conhost.exe -
Loads dropped DLL 1 IoCs
pid Process 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe -
resource yara_rule behavioral2/files/0x000a000000023b6a-11.dat upx behavioral2/memory/3460-12-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral2/memory/1896-22-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral2/memory/3460-31-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral2/memory/1896-34-0x0000000000400000-0x0000000000591000-memory.dmp upx behavioral2/memory/1144-52-0x0000000000400000-0x0000000000591000-memory.dmp upx -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\conhost.exe 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe File opened for modification C:\Windows\conhost.exe conhost.exe File created C:\Windows\conhost.exe 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language conhost.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 820 PING.EXE 5080 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 820 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1144 conhost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 3460 conhost.exe Token: SeLoadDriverPrivilege 1144 conhost.exe Token: 33 1144 conhost.exe Token: SeIncBasePriorityPrivilege 1144 conhost.exe Token: 33 1144 conhost.exe Token: SeIncBasePriorityPrivilege 1144 conhost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2984 wrote to memory of 3460 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 82 PID 2984 wrote to memory of 3460 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 82 PID 2984 wrote to memory of 3460 2984 4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe 82 PID 3460 wrote to memory of 5080 3460 conhost.exe 84 PID 3460 wrote to memory of 5080 3460 conhost.exe 84 PID 3460 wrote to memory of 5080 3460 conhost.exe 84 PID 1896 wrote to memory of 1144 1896 conhost.exe 85 PID 1896 wrote to memory of 1144 1896 conhost.exe 85 PID 1896 wrote to memory of 1144 1896 conhost.exe 85 PID 5080 wrote to memory of 820 5080 cmd.exe 87 PID 5080 wrote to memory of 820 5080 cmd.exe 87 PID 5080 wrote to memory of 820 5080 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe"C:\Users\Admin\AppData\Local\Temp\4f796d84e88afc6fbb94db40ad396e54ae4f9c90189fab78fec42baa56f2141d.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\conhost.exeC:\Windows\conhost.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Windows\conhost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:820
-
-
-
-
C:\Windows\conhost.exeC:\Windows\conhost.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\conhost.exeC:\Windows\conhost.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesta798370668.e2.luyouxia.netIN AResponsea798370668.e2.luyouxia.netIN CNAMEe2.luyouxia.nete2.luyouxia.netIN A123.99.198.201
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.49.80.91.in-addr.arpaIN PTRResponse
-
260 B 5
-
156 B 3
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
72 B 102 B 1 1
DNS Request
a798370668.e2.luyouxia.net
DNS Response
123.99.198.201
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
70 B 145 B 1 1
DNS Request
22.49.80.91.in-addr.arpa
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD59134ef6a44e4a9cb311e1139e4590812
SHA17ae8250a4afd225dbc8420183116e8af1cf15cfe
SHA25630000de63dd389b0aef61d01cdae2ed38f4bc0e03ca04e585780ca7b55b47662
SHA51277fa1b7ff4dd4d96041b5b0f6df62b4cea39820163d12921af5fff5a959f26078441e6fd5652f7d4b72565a5fe4e217e869efd724d910d531d24637c5cb74ed8
-
Filesize
652KB
MD54f883e7d4d89a581845bc451d7f7a90c
SHA115dd39b9401b946330288a147437af3d9722bdf1
SHA2567c36b489a2fe329398415fd58a73c3b61f8127d4a4ebb002a64d604cfe2d7387
SHA51256e54e4e03f783fddad2b61ace38f7adfec5bcc0f591aeb9004c82eb674daaafc584037f057123789bafbfedc914d01a7d92af685b2239b232668a3ef2e1f61f