Analysis
- max time kernel: 60s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 13:15
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en (windows7-x64)
8 signatures
150 seconds
General
- Target: tmp.exe
- Size: 396KB
- MD5: fd2b5d4d3603c053932eefa363d9dfd9
- SHA1: 3a98a6897f622e841f9a6e64b35aeef169ccb518
- SHA256: f1a0004d18648fa4e83aa95b51cf4c3f14b9de9335222b911cdf7f10534dd52e
- SHA512: c1418cd6105596a5ee6c80bd9fd793c0e6d14250c9f3c2db8c38ee83b3434d157baeea03c321b23d5ade1c9a9eec21c618f2e6c5d3bdfd94aed7f88493b35163
- SSDEEP: 12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2a5:s9Dbg6lV9C2JOBUIc12a5
Malware Config
Signatures
-
Processes:
resource                                                                     yara_rule
behavioral2/memory/812-134-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral2/memory/812-135-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral2/memory/812-136-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral2/memory/812-137-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
-
Gh0st RAT payload 4 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/812-134-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral2/memory/812-135-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral2/memory/812-136-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral2/memory/812-137-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
-
Processes:
resource                                                                     yara_rule
behavioral2/memory/812-132-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral2/memory/812-134-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral2/memory/812-135-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral2/memory/812-136-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral2/memory/812-137-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tmp.exe
description              ioc     process
File opened (read-only)  \??\B:  tmp.exe
File opened (read-only)  \??\F:  tmp.exe
File opened (read-only)  \??\H:  tmp.exe
File opened (read-only)  \??\M:  tmp.exe
File opened (read-only)  \??\V:  tmp.exe
File opened (read-only)  \??\Y:  tmp.exe
File opened (read-only)  \??\Z:  tmp.exe
File opened (read-only)  \??\E:  tmp.exe
File opened (read-only)  \??\G:  tmp.exe
File opened (read-only)  \??\J:  tmp.exe
File opened (read-only)  \??\K:  tmp.exe
File opened (read-only)  \??\P:  tmp.exe
File opened (read-only)  \??\S:  tmp.exe
File opened (read-only)  \??\X:  tmp.exe
File opened (read-only)  \??\I:  tmp.exe
File opened (read-only)  \??\L:  tmp.exe
File opened (read-only)  \??\O:  tmp.exe
File opened (read-only)  \??\R:  tmp.exe
File opened (read-only)  \??\T:  tmp.exe
File opened (read-only)  \??\W:  tmp.exe
File opened (read-only)  \??\N:  tmp.exe
File opened (read-only)  \??\Q:  tmp.exe
File opened (read-only)  \??\U:  tmp.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: tmp.exe
description        ioc                                                                  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       tmp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  tmp.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: tmp.exe
pid  process
812  tmp.exe (this row is listed 64 times, one per IoC)
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/812-132-0x0000000010000000-0x00000000101B9000-memory.dmp (Filesize: 1.7MB)
- memory/812-134-0x0000000010000000-0x00000000101B9000-memory.dmp (Filesize: 1.7MB)
- memory/812-135-0x0000000010000000-0x00000000101B9000-memory.dmp (Filesize: 1.7MB)
- memory/812-136-0x0000000010000000-0x00000000101B9000-memory.dmp (Filesize: 1.7MB)
- memory/812-137-0x0000000010000000-0x00000000101B9000-memory.dmp (Filesize: 1.7MB)