Analysis
- max time kernel: 82s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-09-2022 05:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe
- Resource: win7-20220812-en
General
- Target: 65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe
- Size: 1.5MB
- MD5: b2ff166474c866182a8021c80a738003
- SHA1: 3fa58f813fa60e1c33957ad0ac222f8c4944388b
- SHA256: 65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7
- SHA512: 0e72d3a2305acd78c628a7152198273a18c9ac1c91d7e4b16f3f650258668dba87425f8fc711c70a0ac9c95e2ec47594aec7680dbc49f35a338c977662dee4c5
- SSDEEP: 24576:DJaKB/+bh75hSaByQ4D1Tt2q+S5YeZOjgIJn8/9Jd6VufkrIlzuChEot:cKBWJ58ll4sYeojwlkMzEo
Malware Config
Signatures
-
Processes:
resource  yara_rule
behavioral2/memory/5112-139-0x0000000002F20000-0x00000000030C2000-memory.dmp  purplefox_rootkit
behavioral2/memory/5112-145-0x0000000010000000-0x0000000010162000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/5112-139-0x0000000002F20000-0x00000000030C2000-memory.dmp  family_gh0strat
behavioral2/memory/5112-145-0x0000000010000000-0x0000000010162000-memory.dmp  family_gh0strat
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
resource  yara_rule
C:\ProgramData\qbcore.dll  acprotect
C:\ProgramData\qbcore.dll  acprotect
Executes dropped EXE 2 IoCs
Processes:
pid  process
828  Tantsaz.exe
5112  Tenantsaz.exe
Processes:
resource  yara_rule
C:\ProgramData\qbcore.dll  upx
C:\ProgramData\qbcore.dll  upx
behavioral2/memory/5112-145-0x0000000010000000-0x0000000010162000-memory.dmp  upx
Loads dropped DLL 1 IoCs
Processes:
pid  process
5112  Tenantsaz.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description  ioc  process
File opened (read-only)  \??\Q:  Tenantsaz.exe
File opened (read-only)  \??\F:  Tenantsaz.exe
File opened (read-only)  \??\H:  Tenantsaz.exe
File opened (read-only)  \??\K:  Tenantsaz.exe
File opened (read-only)  \??\T:  Tenantsaz.exe
File opened (read-only)  \??\V:  Tenantsaz.exe
File opened (read-only)  \??\B:  Tenantsaz.exe
File opened (read-only)  \??\I:  Tenantsaz.exe
File opened (read-only)  \??\O:  Tenantsaz.exe
File opened (read-only)  \??\R:  Tenantsaz.exe
File opened (read-only)  \??\U:  Tenantsaz.exe
File opened (read-only)  \??\W:  Tenantsaz.exe
File opened (read-only)  \??\X:  Tenantsaz.exe
File opened (read-only)  \??\Z:  Tenantsaz.exe
File opened (read-only)  \??\G:  Tenantsaz.exe
File opened (read-only)  \??\N:  Tenantsaz.exe
File opened (read-only)  \??\L:  Tenantsaz.exe
File opened (read-only)  \??\M:  Tenantsaz.exe
File opened (read-only)  \??\P:  Tenantsaz.exe
File opened (read-only)  \??\S:  Tenantsaz.exe
File opened (read-only)  \??\Y:  Tenantsaz.exe
File opened (read-only)  \??\E:  Tenantsaz.exe
File opened (read-only)  \??\J:  Tenantsaz.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Tenantsaz.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Tenantsaz.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
828  Tantsaz.exe
828  Tantsaz.exe
5112  Tenantsaz.exe (this same row is repeated for every remaining IoC in the list)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  828  Tantsaz.exe
Token: SeDebugPrivilege  828  Tantsaz.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description  pid  process  target process
PID 4984 wrote to memory of 828  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tantsaz.exe
PID 4984 wrote to memory of 828  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tantsaz.exe
PID 4984 wrote to memory of 828  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tantsaz.exe
PID 4984 wrote to memory of 5112  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tenantsaz.exe
PID 4984 wrote to memory of 5112  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tenantsaz.exe
PID 4984 wrote to memory of 5112  4984  65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe  Tenantsaz.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\65814bb9a7587d67592175aef1bab54877864389126238cfe8569e68d1bd9ac7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Tantsaz.exe
    command line: C:\ProgramData\Tantsaz.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\Tenantsaz.exe
    command line: C:\ProgramData\Tenantsaz.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Tantsaz.exe
Filesize: 185KB
MD5: e4c9bb52a044fa4f86828ad268b664c0
SHA1: 26861c2d0ed3223a022ad95abc5105eb3fb4f127
SHA256: d3c83d21f04f553b63093ee36566d5f5dc1e69222a9e22c9a8ed1436fb82d0aa
SHA512: df7e98f80b31daa6cec82b74a81773288220b599a6457375f3fee151916e03bd4de5fd50d18265a80ad8d9561594c783ea29793e76eb434cca29dbdaf9d4cd81
-
C:\ProgramData\Tenantsaz.exe
Filesize: 618KB
MD5: babe108a26dd274c9803af606d02194e
SHA1: 54ff6609cb158f7aa24802eedde4c20032144537
SHA256: f55ba30f85670ecf19bcb9a54a2faf3c5af09da22f55a498e5f370c2bdfa2105
SHA512: ec66a406221c017aa5f91143a3b318db86a7c31dbf4a1bf56f0256038d818dc306650ba31930db5063f411157e2394db79ed0888c994c0213818b0ecdd382125
-
C:\ProgramData\qbcore.dll
Filesize: 559KB
MD5: eb67506152313e81302643139f633642
SHA1: 95775f229349e41e1393fc464fd2b6f092656f39
SHA256: b62d89344312fcd3083af41d87c7a5e958bf0d22372cecdb8e0302487639cb87
SHA512: a7eaef46f1d3e7dd4b6b2aaadf52108bad3f5b6d7f973d235d3d15de0c2f221614aed20ec6f9307c32b361e1662120dd145a1db1c6f030efc5f831d2388ba35d
-
memory/828-132-0x0000000000000000-mapping.dmp
-
memory/5112-135-0x0000000000000000-mapping.dmp
-
memory/5112-139-0x0000000002F20000-0x00000000030C2000-memory.dmp
Filesize: 1.6MB
-
memory/5112-145-0x0000000010000000-0x0000000010162000-memory.dmp
Filesize: 1.4MB