Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2024 18:51
Static task
static1
Behavioral task
behavioral1
Sample
2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe
Resource
win7-20240903-en
General
-
Target
2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe
-
Size
1.3MB
-
MD5
1baff9d4ae43f5ca5d57eb846e0314f3
-
SHA1
7f3b8acdd911ec1d08072ea61ef7e24d7c2c24dd
-
SHA256
2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660
-
SHA512
5137f24a854064a18382da65737a497dac870cf40399e3deb6857c62b2c744d15231cd003bea6a2a43a8995e346beaa1d93d3369dc20a89374381edd78da23cb
-
SSDEEP
24576:dOyHutimZ9VSly2hVvHW6qMnSbTBBhBMNX:QHPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/1352-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/1060-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/3480-18-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/1352-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/1060-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/3480-18-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Abcst.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Abcst.exe -
Executes dropped EXE 2 IoCs
pid Process 1060 Abcst.exe 3480 Abcst.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2432 cmd.exe 464 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 464 PING.EXE -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 3480 Abcst.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 1352 2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe Token: SeLoadDriverPrivilege 3480 Abcst.exe Token: 33 3480 Abcst.exe Token: SeIncBasePriorityPrivilege 3480 Abcst.exe Token: 33 3480 Abcst.exe Token: SeIncBasePriorityPrivilege 3480 Abcst.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1352 wrote to memory of 2432 1352 2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe 83 PID 1352 wrote to memory of 2432 1352 2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe 83 PID 1352 wrote to memory of 2432 1352 2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe 83 PID 1060 wrote to memory of 3480 1060 Abcst.exe 85 PID 1060 wrote to memory of 3480 1060 Abcst.exe 85 PID 1060 wrote to memory of 3480 1060 Abcst.exe 85 PID 2432 wrote to memory of 464 2432 cmd.exe 86 PID 2432 wrote to memory of 464 2432 cmd.exe 86 PID 2432 wrote to memory of 464 2432 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe"C:\Users\Admin\AppData\Local\Temp\2e87b4405288b43eb209d9141da10244decd3af869e416f571ec0fb7f2b02660.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\2E87B4~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:464
-
-
-
C:\ProgramData\Application Data\DRM\Abcst.exe"C:\ProgramData\Application Data\DRM\Abcst.exe" -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\ProgramData\Application Data\DRM\Abcst.exe"C:\ProgramData\Application Data\DRM\Abcst.exe" -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1