Analysis
-
max time kernel
120s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
16/04/2025, 17:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe
Resource
win10v2004-20250314-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe
-
Size
1.4MB
-
MD5
6489a3db52495a95e43b95e875b2811b
-
SHA1
3fbc47e8d65af7e06f58878f94af6cb689c55ace
-
SHA256
c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63
-
SHA512
f84439e3d74a083bf16244cf7e71642e911599f643e36e0036c4ffbd10d22899e40a23abfc86038752bb834fa9384cb739cfd327ca71307d009b77f1bf7dd0b6
-
SSDEEP
24576:F39WaOyHutimZ9VSly2hVvHW6qMnSbTBBhBMN:598HPkVOBTK
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/5888-1-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral1/memory/5076-10-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit behavioral1/memory/1864-17-0x0000000010000000-0x000000001019F000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
resource yara_rule behavioral1/memory/5888-1-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral1/memory/5076-10-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat behavioral1/memory/1864-17-0x0000000010000000-0x000000001019F000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Telegram.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Telegram.exe -
Executes dropped EXE 2 IoCs
pid Process 5076 Telegram.exe 1864 Telegram.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Telegram.exe File opened (read-only) \??\M: Telegram.exe File opened (read-only) \??\N: Telegram.exe File opened (read-only) \??\O: Telegram.exe File opened (read-only) \??\Q: Telegram.exe File opened (read-only) \??\W: Telegram.exe File opened (read-only) \??\Y: Telegram.exe File opened (read-only) \??\B: Telegram.exe File opened (read-only) \??\I: Telegram.exe File opened (read-only) \??\R: Telegram.exe File opened (read-only) \??\S: Telegram.exe File opened (read-only) \??\V: Telegram.exe File opened (read-only) \??\X: Telegram.exe File opened (read-only) \??\Z: Telegram.exe File opened (read-only) \??\H: Telegram.exe File opened (read-only) \??\L: Telegram.exe File opened (read-only) \??\P: Telegram.exe File opened (read-only) \??\T: Telegram.exe File opened (read-only) \??\U: Telegram.exe File opened (read-only) \??\E: Telegram.exe File opened (read-only) \??\J: Telegram.exe File opened (read-only) \??\K: Telegram.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Telegram.exe c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe File opened for modification C:\Windows\SysWOW64\Telegram.exe c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Telegram.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Telegram.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1796 cmd.exe 5808 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Telegram.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Telegram.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Telegram.exe Key created \REGISTRY\USER\.DEFAULT\Software Telegram.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Telegram.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Telegram.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Telegram.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5808 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe 1864 Telegram.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 1864 Telegram.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 5888 c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe Token: SeLoadDriverPrivilege 1864 Telegram.exe Token: 33 1864 Telegram.exe Token: SeIncBasePriorityPrivilege 1864 Telegram.exe Token: 33 1864 Telegram.exe Token: SeIncBasePriorityPrivilege 1864 Telegram.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 5076 wrote to memory of 1864 5076 Telegram.exe 89 PID 5076 wrote to memory of 1864 5076 Telegram.exe 89 PID 5076 wrote to memory of 1864 5076 Telegram.exe 89 PID 5888 wrote to memory of 1796 5888 c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe 88 PID 5888 wrote to memory of 1796 5888 c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe 88 PID 5888 wrote to memory of 1796 5888 c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe 88 PID 1796 wrote to memory of 5808 1796 cmd.exe 91 PID 1796 wrote to memory of 5808 1796 cmd.exe 91 PID 1796 wrote to memory of 5808 1796 cmd.exe 91
Processes
-
C:\Users\Admin\AppData\Local\Temp\c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe"C:\Users\Admin\AppData\Local\Temp\c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5888 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\C6D48E~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.13⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5808
-
-
-
C:\Windows\SysWOW64\Telegram.exeC:\Windows\SysWOW64\Telegram.exe -auto1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\Telegram.exeC:\Windows\SysWOW64\Telegram.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD56489a3db52495a95e43b95e875b2811b
SHA13fbc47e8d65af7e06f58878f94af6cb689c55ace
SHA256c6d48e829a4c81b33a94aefd4036ff1c838f0f8893e58fed1ac200c0ef935a63
SHA512f84439e3d74a083bf16244cf7e71642e911599f643e36e0036c4ffbd10d22899e40a23abfc86038752bb834fa9384cb739cfd327ca71307d009b77f1bf7dd0b6