Analysis
-
max time kernel
121s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2025, 10:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe
Resource
win7-20240903-en
windows7-x64
22 signatures
150 seconds
General
-
Target
e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe
-
Size
1.5MB
-
MD5
79dfccfb01f343bf29ac1b34d7ffca6a
-
SHA1
a80c5dfc5118f554fcb251b9d95d7a2216dab569
-
SHA256
e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0
-
SHA512
a9119954f3479c381cbca567ce17458fd4bb652afa92fd2163cc19737faf88fdef8be128705082172252dfc08f27e16f1a1ad5a2ffec0a66daf4c7e8d887b3ef
-
SSDEEP
24576:uYVLN+uGOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:RTT3HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/5040-0-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/4008-11-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral2/memory/5080-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral2/memory/5040-0-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/4008-11-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral2/memory/5080-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys sainbox.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" sainbox.exe -
Executes dropped EXE 2 IoCs
pid Process 4008 sainbox.exe 5080 sainbox.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: sainbox.exe File opened (read-only) \??\P: sainbox.exe File opened (read-only) \??\X: sainbox.exe File opened (read-only) \??\Q: sainbox.exe File opened (read-only) \??\R: sainbox.exe File opened (read-only) \??\E: sainbox.exe File opened (read-only) \??\G: sainbox.exe File opened (read-only) \??\I: sainbox.exe File opened (read-only) \??\J: sainbox.exe File opened (read-only) \??\L: sainbox.exe File opened (read-only) \??\N: sainbox.exe File opened (read-only) \??\M: sainbox.exe File opened (read-only) \??\S: sainbox.exe File opened (read-only) \??\T: sainbox.exe File opened (read-only) \??\V: sainbox.exe File opened (read-only) \??\Y: sainbox.exe File opened (read-only) \??\Z: sainbox.exe File opened (read-only) \??\K: sainbox.exe File opened (read-only) \??\O: sainbox.exe File opened (read-only) \??\U: sainbox.exe File opened (read-only) \??\W: sainbox.exe File opened (read-only) \??\B: sainbox.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\sainbox.exe e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe File opened for modification C:\Windows\SysWOW64\sainbox.exe e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sainbox.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3744 cmd.exe 4264 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 sainbox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz sainbox.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft sainbox.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie sainbox.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 4264 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe 5080 sainbox.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 5080 sainbox.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 5040 e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe Token: SeLoadDriverPrivilege 5080 sainbox.exe Token: 33 5080 sainbox.exe Token: SeIncBasePriorityPrivilege 5080 sainbox.exe Token: 33 5080 sainbox.exe Token: SeIncBasePriorityPrivilege 5080 sainbox.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 5040 wrote to memory of 3744 5040 e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe 87 PID 5040 wrote to memory of 3744 5040 e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe 87 PID 5040 wrote to memory of 3744 5040 e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe 87 PID 4008 wrote to memory of 5080 4008 sainbox.exe 88 PID 4008 wrote to memory of 5080 4008 sainbox.exe 88 PID 4008 wrote to memory of 5080 4008 sainbox.exe 88 PID 3744 wrote to memory of 4264 3744 cmd.exe 90 PID 3744 wrote to memory of 4264 3744 cmd.exe 90 PID 3744 wrote to memory of 4264 3744 cmd.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe"C:\Users\Admin\AppData\Local\Temp\e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\E19187~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4264
-
-
-
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008 -
C:\Windows\SysWOW64\sainbox.exeC:\Windows\SysWOW64\sainbox.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD579dfccfb01f343bf29ac1b34d7ffca6a
SHA1a80c5dfc5118f554fcb251b9d95d7a2216dab569
SHA256e191875312138b468454bcf4775484c078068eb9b79f43b0d2b9f35e615a60b0
SHA512a9119954f3479c381cbca567ce17458fd4bb652afa92fd2163cc19737faf88fdef8be128705082172252dfc08f27e16f1a1ad5a2ffec0a66daf4c7e8d887b3ef