Analysis
-
max time kernel
134s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 18:09
Static task
static1
Behavioral task
behavioral1
Sample
13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe
Resource
win7-20240903-en
General
-
Target
13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe
-
Size
1.3MB
-
MD5
7b73e46389fbff427059ee9d6691a7c1
-
SHA1
f449327faa3f233a9e3b98e2b27a7eedc670748e
-
SHA256
13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68
-
SHA512
e8a21d04b1ab2c82c3416b26ee94360bcce13e55cbbd0f973bf1f83b3e069c155365538677c1356bf3ea114418a0e89077b0c2b1f8ab2b5d0560ba2fe13a74db
-
SSDEEP
24576:JOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNrJ:EHPkVOBTKd
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4796-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/912-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral2/memory/4796-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/912-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 2 IoCs
pid Process 912 sainbox.exe 4264 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\B: sainbox.exe File opened (read-only) \??\Z: sainbox.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5036 cmd.exe 1956 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie sainbox.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1956 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe 4264 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4264 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4796 13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe Token: SeLoadDriverPrivilege 4264 sainbox.exe Token: 33 4264 sainbox.exe Token: SeIncBasePriorityPrivilege 4264 sainbox.exe Token: 33 4264 sainbox.exe Token: SeIncBasePriorityPrivilege 4264 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4796 wrote to memory of 5036 4796 13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe 84 PID 4796 wrote to memory of 5036 4796 13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe 84 PID 4796 wrote to memory of 5036 4796 13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe 84 PID 912 wrote to memory of 4264 912 sainbox.exe 85 PID 912 wrote to memory of 4264 912 sainbox.exe 85 PID 912 wrote to memory of 4264 912 sainbox.exe 85 PID 5036 wrote to memory of 1956 5036 cmd.exe 87 PID 5036 wrote to memory of 1956 5036 cmd.exe 87 PID 5036 wrote to memory of 1956 5036 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe"C:\Users\Admin\AppData\Local\Temp\13865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\13865F~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1956
-
-
-
C:\ProgramData\Application Data\DRM\sainbox.exe"C:\ProgramData\Application Data\DRM\sainbox.exe" -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:912 -
C:\ProgramData\Application Data\DRM\sainbox.exe"C:\ProgramData\Application Data\DRM\sainbox.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD57b73e46389fbff427059ee9d6691a7c1
SHA1f449327faa3f233a9e3b98e2b27a7eedc670748e
SHA25613865fc1b24aba80c30a353b9a707bde93e5cfa8097b2bbcc3a5e158cac45e68
SHA512e8a21d04b1ab2c82c3416b26ee94360bcce13e55cbbd0f973bf1f83b3e069c155365538677c1356bf3ea114418a0e89077b0c2b1f8ab2b5d0560ba2fe13a74db