gh0strat | e4eccd14ddab4b33cf74174761400c803e86ff3555e68f110f181364ea54c1cd

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-10-2022 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

21KB
MD5

b2f9d8fc21155fec9fa5dff0100670fb
SHA1

10ed75e54267648008e11acf22171b23237b6c7b
SHA256

e4eccd14ddab4b33cf74174761400c803e86ff3555e68f110f181364ea54c1cd
SHA512

d19546c6455aae9153b24cc7ba61dfb78a4d8546945fcf4ce90651a3d96caba5a3a815506d871ef2443906f4b4c43de9eb02621014a570651cd605cb06422d39
SSDEEP

384:W1aRvy3ENlCggXzCh8w41MhZDGlT4i/8E9VFee:W1SzgzLw2MhZDGReEH

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1756-4829-0x0000000000400000-0x0000000000791000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1756-4829-0x0000000000400000-0x0000000000791000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

winsine.exe

pid process

1756 winsine.exe
Loads dropped DLL 2 IoCs

Processes:

tmp.exe

pid process

1048 tmp.exe
1048 tmp.exe

pid	process
1048	tmp.exe
1048	tmp.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

winsine.exe

description	ioc	process
File opened (read-only)	\??\T:	winsine.exe
File opened (read-only)	\??\X:	winsine.exe
File opened (read-only)	\??\G:	winsine.exe
File opened (read-only)	\??\O:	winsine.exe
File opened (read-only)	\??\R:	winsine.exe
File opened (read-only)	\??\S:	winsine.exe
File opened (read-only)	\??\J:	winsine.exe
File opened (read-only)	\??\I:	winsine.exe
File opened (read-only)	\??\L:	winsine.exe
File opened (read-only)	\??\N:	winsine.exe
File opened (read-only)	\??\Q:	winsine.exe
File opened (read-only)	\??\V:	winsine.exe
File opened (read-only)	\??\W:	winsine.exe
File opened (read-only)	\??\E:	winsine.exe
File opened (read-only)	\??\F:	winsine.exe
File opened (read-only)	\??\H:	winsine.exe
File opened (read-only)	\??\K:	winsine.exe
File opened (read-only)	\??\M:	winsine.exe
File opened (read-only)	\??\P:	winsine.exe
File opened (read-only)	\??\U:	winsine.exe
File opened (read-only)	\??\Y:	winsine.exe
File opened (read-only)	\??\B:	winsine.exe
File opened (read-only)	\??\Z:	winsine.exe

Drops file in System32 directory 1 IoCs

Processes:

tmp.exe

description ioc process

File created C:\windows\SysWOW64\winsine.exe tmp.exe

description	ioc	process
File created	C:\windows\SysWOW64\winsine.exe	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

winsine.exe

pid	process
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winsine.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winsine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	winsine.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

winsine.exe

pid	process
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe
1756	winsine.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winsine.exe

pid process

1756 winsine.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

tmp.exe

description	pid	process	target process
PID 1048 wrote to memory of 1756	1048	tmp.exe	winsine.exe
PID 1048 wrote to memory of 1756	1048	tmp.exe	winsine.exe
PID 1048 wrote to memory of 1756	1048	tmp.exe	winsine.exe
PID 1048 wrote to memory of 1756	1048	tmp.exe	winsine.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1048

C:\windows\SysWOW64\winsine.exe
C:\windows\system32\winsine.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winsine.exe
Filesize
2.1MB

MD5
4db6c274bdb87cfbabea3066318925ed

SHA1
b01afe8c6121f130e2e17ca50e738d634f870cb9

SHA256
b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab

SHA512
d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd

Download Submit
C:\Windows\SysWOW64\winsine.exe
Filesize
2.1MB

MD5
4db6c274bdb87cfbabea3066318925ed

SHA1
b01afe8c6121f130e2e17ca50e738d634f870cb9

SHA256
b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab

SHA512
d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd

Download Submit
\Windows\SysWOW64\winsine.exe
Filesize
2.1MB

MD5
4db6c274bdb87cfbabea3066318925ed

SHA1
b01afe8c6121f130e2e17ca50e738d634f870cb9

SHA256
b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab

SHA512
d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd

Download Submit
\Windows\SysWOW64\winsine.exe
Filesize
2.1MB

MD5
4db6c274bdb87cfbabea3066318925ed

SHA1
b01afe8c6121f130e2e17ca50e738d634f870cb9

SHA256
b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab

SHA512
d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd

Download Submit
memory/1048-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1756-57-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download
memory/1756-62-0x00000000759A0000-0x00000000759E7000-memory.dmp

Filesize
284KB

Download
memory/1756-468-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-469-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-470-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-471-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-472-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-473-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-474-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-475-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-476-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-477-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-478-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-479-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-480-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-482-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-481-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-483-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-484-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-486-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-487-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-488-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-490-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-491-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-492-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-493-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-494-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-496-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-498-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-499-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-500-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-502-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-504-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-506-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-507-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-509-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-511-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-513-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-517-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-520-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-523-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-526-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-528-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-527-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-525-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-524-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-522-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-521-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-519-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-518-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-516-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-515-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-514-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-512-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-510-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-508-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-505-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-503-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-501-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-497-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-495-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-489-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-485-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-1337-0x00000000020B0000-0x00000000021B0000-memory.dmp

Filesize
1024KB

Download
memory/1756-1340-0x0000000002220000-0x00000000023A1000-memory.dmp

Filesize
1.5MB

Download
memory/1756-4577-0x00000000020B0000-0x00000000021B0000-memory.dmp

Filesize
1024KB

Download
memory/1756-4820-0x00000000024D0000-0x00000000025E1000-memory.dmp

Filesize
1.1MB

Download
memory/1756-4829-0x0000000000400000-0x0000000000791000-memory.dmp

Filesize
3.6MB

Download