Analysis

max time kernel: 136s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2025, 12:27
Static task: static1
General

Target: d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe
Size: 2.4MB
MD5: 7fe144958cad790f3bc24842c7df659a
SHA1: 28e2c3c28479a3b8b39fe58b2c16ee26b475f5c7
SHA256: d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63
SHA512: 5ac443f72e1d6c1e6d9ff943d88766e46ccd688a1232e9c918366585947219015ecd392a31dbc3253ae49408856ca08a4a0f649a24a24b71fa947ce6c3b5c20f
SSDEEP: 49152:x2hu3wWLkSNn16adVi2thaK4haxtsJ1r0qgO41F8yuF13/SyfmsP1w8m2s2/:Skka1djthh4hdJ109z8yuF1qyfmsP1wk
Malware Config
Signatures

resource | yara_rule
behavioral1/memory/2776-12-0x0000000010000000-0x000000001019F000-memory.dmp | purplefox_rootkit

Gh0st RAT payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2776-12-0x0000000010000000-0x000000001019F000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family

Downloads MZ/PE file (1 IoCs)
flow | pid | Process
3 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe

Executes dropped EXE (2 IoCs)
pid | Process
2776 | fil1e.exe
3548 | open.exe

Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | fil1e.exe
File opened (read-only) | \??\Q: | fil1e.exe
File opened (read-only) | \??\T: | fil1e.exe
File opened (read-only) | \??\X: | fil1e.exe
File opened (read-only) | \??\E: | fil1e.exe
File opened (read-only) | \??\H: | fil1e.exe
File opened (read-only) | \??\J: | fil1e.exe
File opened (read-only) | \??\K: | fil1e.exe
File opened (read-only) | \??\L: | fil1e.exe
File opened (read-only) | \??\M: | fil1e.exe
File opened (read-only) | \??\R: | fil1e.exe
File opened (read-only) | \??\U: | fil1e.exe
File opened (read-only) | \??\G: | fil1e.exe
File opened (read-only) | \??\N: | fil1e.exe
File opened (read-only) | \??\O: | fil1e.exe
File opened (read-only) | \??\P: | fil1e.exe
File opened (read-only) | \??\V: | fil1e.exe
File opened (read-only) | \??\W: | fil1e.exe
File opened (read-only) | \??\Y: | fil1e.exe
File opened (read-only) | \??\Z: | fil1e.exe
File opened (read-only) | \??\B: | fil1e.exe
File opened (read-only) | \??\S: | fil1e.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fil1e.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | open.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | fil1e.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | fil1e.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2776 | fil1e.exe (all 64 entries are identical: pid 2776, fil1e.exe)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: 33 | 2776 | fil1e.exe
Token: SeIncBasePriorityPrivilege | 2776 | fil1e.exe
Token: 33 | 2776 | fil1e.exe
Token: SeIncBasePriorityPrivilege | 2776 | fil1e.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4420 wrote to memory of 2776 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 99
PID 4420 wrote to memory of 2776 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 99
PID 4420 wrote to memory of 2776 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 99
PID 4420 wrote to memory of 3548 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 100
PID 4420 wrote to memory of 3548 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 100
PID 4420 wrote to memory of 3548 | 4420 | d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe | 100
Processes

C:\Users\Admin\AppData\Local\Temp\d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe
command line: "C:\Users\Admin\AppData\Local\Temp\d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63.exe"
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4420

    C:\Users\Public\Documents\fil1e.exe (child of PID 4420)
    command line: "C:\Users\Public\Documents\fil1e.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2776

    C:\Users\Public\Documents\open.exe (child of PID 4420)
    command line: "C:\Users\Public\Documents\open.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 3548
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.4MB
MD5: 209d25a3c2f6eed88c5eb5165b00ea67
SHA1: 0f668f09080eb6b41a04527244a60e32bf89ef72
SHA256: bd049d8a598306ed55ad9d6c069c3e67026a813afd68995aa64ebbc91e98d445
SHA512: fa6fe828afc905ccc2df03b64f7d046272fad8185a336a873288099c57098a6c1f3b8e428aef71157729df8b9b919f4d597514b6818048086da8ac461da2bd74

Filesize: 2.4MB
MD5: 7fe144958cad790f3bc24842c7df659a
SHA1: 28e2c3c28479a3b8b39fe58b2c16ee26b475f5c7
SHA256: d9a5b5942b59ca5d06fcf0cd180be9703d8bb67278aa751bbe85cb2ea6772a63
SHA512: 5ac443f72e1d6c1e6d9ff943d88766e46ccd688a1232e9c918366585947219015ecd392a31dbc3253ae49408856ca08a4a0f649a24a24b71fa947ce6c3b5c20f