Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-01-2025 01:38
Static task
static1
Behavioral task
behavioral1
Sample
239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
General
-
Target
239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe
-
Size
1.7MB
-
MD5
b88618da47199a491035253366fe0d18
-
SHA1
1dd4a6778874d3bb35b0726cffdbb9f3006c3b74
-
SHA256
239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82
-
SHA512
56abd967efd42cce55983263b130dd5b4cb9cc19eb31ede20d858da81cc85e572f5275974c6043f7fa1ea3b2b406e848456949d0485f27d78403b48ba4b86913
-
SSDEEP
24576:uM8wcsjBocoT3cgEeqroaV3NSPDo7gKVbZETckLZzzb78QnDP:LSbfMhywSZ7N
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/4712-0-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/4712-0-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Phxph.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Phxph.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe -
Executes dropped EXE 1 IoCs
pid Process 4456 Phxph.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Phxph.exe File opened (read-only) \??\I: Phxph.exe File opened (read-only) \??\K: Phxph.exe File opened (read-only) \??\L: Phxph.exe File opened (read-only) \??\P: Phxph.exe File opened (read-only) \??\R: Phxph.exe File opened (read-only) \??\E: Phxph.exe File opened (read-only) \??\H: Phxph.exe File opened (read-only) \??\Q: Phxph.exe File opened (read-only) \??\B: Phxph.exe File opened (read-only) \??\M: Phxph.exe File opened (read-only) \??\U: Phxph.exe File opened (read-only) \??\Y: Phxph.exe File opened (read-only) \??\Z: Phxph.exe File opened (read-only) \??\W: Phxph.exe File opened (read-only) \??\X: Phxph.exe File opened (read-only) \??\J: Phxph.exe File opened (read-only) \??\N: Phxph.exe File opened (read-only) \??\O: Phxph.exe File opened (read-only) \??\S: Phxph.exe File opened (read-only) \??\T: Phxph.exe File opened (read-only) \??\V: Phxph.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phxph.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5052 cmd.exe 2164 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Phxph.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Phxph.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2164 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe 4456 Phxph.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 4456 Phxph.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe Token: SeLoadDriverPrivilege 4456 Phxph.exe Token: 33 4456 Phxph.exe Token: SeIncBasePriorityPrivilege 4456 Phxph.exe Token: 33 4456 Phxph.exe Token: SeIncBasePriorityPrivilege 4456 Phxph.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4712 wrote to memory of 4456 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 83 PID 4712 wrote to memory of 4456 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 83 PID 4712 wrote to memory of 4456 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 83 PID 4712 wrote to memory of 5052 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 84 PID 4712 wrote to memory of 5052 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 84 PID 4712 wrote to memory of 5052 4712 239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe 84 PID 5052 wrote to memory of 2164 5052 cmd.exe 86 PID 5052 wrote to memory of 2164 5052 cmd.exe 86 PID 5052 wrote to memory of 2164 5052 cmd.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe"C:\Users\Admin\AppData\Local\Temp\239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\239B95~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2164
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.7MB
MD5b88618da47199a491035253366fe0d18
SHA11dd4a6778874d3bb35b0726cffdbb9f3006c3b74
SHA256239b950b58f92539d632689453cd37a38506be0a51778f4decd2377c050a0b82
SHA51256abd967efd42cce55983263b130dd5b4cb9cc19eb31ede20d858da81cc85e572f5275974c6043f7fa1ea3b2b406e848456949d0485f27d78403b48ba4b86913