Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2025 13:59
Static task: static1
Behavioral task: behavioral1
Sample: 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
Resource: win7-20240903-en
General
Target: 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
Size: 491KB
MD5: 490f8d68cac9580c6c43c1ceec229c5f
SHA1: 80550be11d4c828534266a5c1403ced39d49cdc5
SHA256: 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd
SHA512: fb7d3d80102c450884bfc7150b54fc397f726cf287f3673d1176b8d986683605cdc8fcfbccd64dfce83aeaa90108396fc0b790fc1bb4c9446cd6f2f07463efb3
SSDEEP: 6144:GpoMkequERu8qQ1fjYMMW9eKZH+IdISTUL24qL9cPKcPzR2RV6lZv:oDR+u8pfjYMMWNvdhUSByFPzrv
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/3560-3-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3560-4-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3560-5-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3560-6-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3560-2-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/2096-13-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/2096-14-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/2096-16-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/2096-26-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3896-24-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3896-25-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
behavioral2/memory/3896-30-0x0000000010000000-0x00000000101D0000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 12 IoCs
resource | yara_rule
behavioral2/memory/3560-3-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3560-4-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3560-5-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3560-6-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3560-2-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/2096-13-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/2096-14-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/2096-16-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/2096-26-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3896-24-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3896-25-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
behavioral2/memory/3896-30-0x0000000010000000-0x00000000101D0000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Executes dropped EXE 2 IoCs
pid | Process
2096 | Vwopq.exe
3896 | Vwopq.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: | Vwopq.exe
File opened (read-only) | \??\T: | Vwopq.exe
File opened (read-only) | \??\Z: | Vwopq.exe
File opened (read-only) | \??\B: | Vwopq.exe
File opened (read-only) | \??\K: | Vwopq.exe
File opened (read-only) | \??\O: | Vwopq.exe
File opened (read-only) | \??\P: | Vwopq.exe
File opened (read-only) | \??\Q: | Vwopq.exe
File opened (read-only) | \??\R: | Vwopq.exe
File opened (read-only) | \??\H: | Vwopq.exe
File opened (read-only) | \??\I: | Vwopq.exe
File opened (read-only) | \??\J: | Vwopq.exe
File opened (read-only) | \??\U: | Vwopq.exe
File opened (read-only) | \??\V: | Vwopq.exe
File opened (read-only) | \??\X: | Vwopq.exe
File opened (read-only) | \??\E: | Vwopq.exe
File opened (read-only) | \??\L: | Vwopq.exe
File opened (read-only) | \??\N: | Vwopq.exe
File opened (read-only) | \??\Y: | Vwopq.exe
File opened (read-only) | \??\G: | Vwopq.exe
File opened (read-only) | \??\M: | Vwopq.exe
File opened (read-only) | \??\W: | Vwopq.exe
resource | yara_rule
behavioral2/memory/3560-3-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3560-4-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3560-5-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3560-6-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3560-1-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3560-2-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/2096-13-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/2096-14-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/2096-16-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/2096-11-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/2096-26-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3896-24-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3896-25-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
behavioral2/memory/3896-30-0x0000000010000000-0x00000000101D0000-memory.dmp | upx
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Vwopq.exe | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
File opened for modification | C:\Program Files\Vwopq.exe | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Vwopq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Vwopq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
816 | cmd.exe
3944 | PING.EXE
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Vwopq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Vwopq.exe
Modifies data under HKEY_USERS 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software | Vwopq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | Vwopq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | Vwopq.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | Vwopq.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | Vwopq.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3944 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3896 | Vwopq.exe (the same entry is listed for every one of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3560 | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 3560 wrote to memory of 816 | 3560 | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe | 87
PID 3560 wrote to memory of 816 | 3560 | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe | 87
PID 3560 wrote to memory of 816 | 3560 | 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe | 87
PID 2096 wrote to memory of 3896 | 2096 | Vwopq.exe | 88
PID 2096 wrote to memory of 3896 | 2096 | Vwopq.exe | 88
PID 2096 wrote to memory of 3896 | 2096 | Vwopq.exe | 88
PID 816 wrote to memory of 3944 | 816 | cmd.exe | 90
PID 816 wrote to memory of 3944 | 816 | cmd.exe | 90
PID 816 wrote to memory of 3944 | 816 | cmd.exe | 90
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd.exe"
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3560

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\1AE7BC~1.EXE > nul
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 816

        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            - System Location Discovery: System Language Discovery
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 3944

[1] C:\Program Files\Vwopq.exe
    Command line: "C:\\Program Files\\Vwopq.exe" -auto
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2096

    [2] C:\Program Files\Vwopq.exe
        Command line: "C:\Program Files\Vwopq.exe" -acsi
        - Executes dropped EXE
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        PID: 3896
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 491KB
MD5: 490f8d68cac9580c6c43c1ceec229c5f
SHA1: 80550be11d4c828534266a5c1403ced39d49cdc5
SHA256: 1ae7bcc3d50008be28df42137d4a04914838eff19c05899d50490d423bb0a9fd
SHA512: fb7d3d80102c450884bfc7150b54fc397f726cf287f3673d1176b8d986683605cdc8fcfbccd64dfce83aeaa90108396fc0b790fc1bb4c9446cd6f2f07463efb3