Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2022 16:56
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220901-en
General
-
Target
tmp.exe
-
Size
21KB
-
MD5
b2f9d8fc21155fec9fa5dff0100670fb
-
SHA1
10ed75e54267648008e11acf22171b23237b6c7b
-
SHA256
e4eccd14ddab4b33cf74174761400c803e86ff3555e68f110f181364ea54c1cd
-
SHA512
d19546c6455aae9153b24cc7ba61dfb78a4d8546945fcf4ce90651a3d96caba5a3a815506d871ef2443906f4b4c43de9eb02621014a570651cd605cb06422d39
-
SSDEEP
384:W1aRvy3ENlCggXzCh8w41MhZDGlT4i/8E9VFee:W1SzgzLw2MhZDGReEH
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral2/memory/1412-1490-0x0000000010000000-0x0000000010192000-memory.dmp purplefox_rootkit behavioral2/memory/1412-1492-0x0000000000400000-0x0000000000791000-memory.dmp purplefox_rootkit behavioral2/memory/1412-1497-0x0000000000400000-0x0000000000791000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1412-1490-0x0000000010000000-0x0000000010192000-memory.dmp family_gh0strat behavioral2/memory/1412-1492-0x0000000000400000-0x0000000000791000-memory.dmp family_gh0strat behavioral2/memory/1412-1497-0x0000000000400000-0x0000000000791000-memory.dmp family_gh0strat -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
winsine.exepid process 1412 winsine.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
winsine.exedescription ioc process File opened (read-only) \??\O: winsine.exe File opened (read-only) \??\R: winsine.exe File opened (read-only) \??\U: winsine.exe File opened (read-only) \??\V: winsine.exe File opened (read-only) \??\Y: winsine.exe File opened (read-only) \??\Z: winsine.exe File opened (read-only) \??\J: winsine.exe File opened (read-only) \??\M: winsine.exe File opened (read-only) \??\I: winsine.exe File opened (read-only) \??\P: winsine.exe File opened (read-only) \??\Q: winsine.exe File opened (read-only) \??\T: winsine.exe File opened (read-only) \??\X: winsine.exe File opened (read-only) \??\E: winsine.exe File opened (read-only) \??\F: winsine.exe File opened (read-only) \??\H: winsine.exe File opened (read-only) \??\N: winsine.exe File opened (read-only) \??\S: winsine.exe File opened (read-only) \??\B: winsine.exe File opened (read-only) \??\G: winsine.exe File opened (read-only) \??\W: winsine.exe File opened (read-only) \??\K: winsine.exe File opened (read-only) \??\L: winsine.exe -
Drops file in System32 directory 1 IoCs
Processes:
tmp.exedescription ioc process File created C:\windows\SysWOW64\winsine.exe tmp.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
Processes:
winsine.exepid process 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
winsine.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 winsine.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz winsine.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
winsine.exepid process 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe 1412 winsine.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
winsine.exepid process 1412 winsine.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
tmp.exedescription pid process target process PID 5076 wrote to memory of 1412 5076 tmp.exe winsine.exe PID 5076 wrote to memory of 1412 5076 tmp.exe winsine.exe PID 5076 wrote to memory of 1412 5076 tmp.exe winsine.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\winsine.exeC:\windows\system32\winsine.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\winsine.exeFilesize
2.1MB
MD54db6c274bdb87cfbabea3066318925ed
SHA1b01afe8c6121f130e2e17ca50e738d634f870cb9
SHA256b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab
SHA512d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd
-
C:\windows\SysWOW64\winsine.exeFilesize
2.1MB
MD54db6c274bdb87cfbabea3066318925ed
SHA1b01afe8c6121f130e2e17ca50e738d634f870cb9
SHA256b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab
SHA512d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd
-
memory/1412-1484-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-135-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-136-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/1412-137-0x0000000075620000-0x0000000075835000-memory.dmpFilesize
2.1MB
-
memory/1412-139-0x00000000752E0000-0x0000000075480000-memory.dmpFilesize
1.6MB
-
memory/1412-140-0x0000000076F10000-0x0000000076F8A000-memory.dmpFilesize
488KB
-
memory/1412-132-0x0000000000000000-mapping.dmp
-
memory/1412-1485-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1486-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1487-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1489-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1490-0x0000000010000000-0x0000000010192000-memory.dmpFilesize
1.6MB
-
memory/1412-1492-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1497-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB