Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
13-10-2022 16:56
General
-
Target
tmp.exe
-
Size
21KB
-
MD5
b2f9d8fc21155fec9fa5dff0100670fb
-
SHA1
10ed75e54267648008e11acf22171b23237b6c7b
-
SHA256
e4eccd14ddab4b33cf74174761400c803e86ff3555e68f110f181364ea54c1cd
-
SHA512
d19546c6455aae9153b24cc7ba61dfb78a4d8546945fcf4ce90651a3d96caba5a3a815506d871ef2443906f4b4c43de9eb02621014a570651cd605cb06422d39
-
SSDEEP
384:W1aRvy3ENlCggXzCh8w41MhZDGlT4i/8E9VFee:W1SzgzLw2MhZDGReEH
Malware Config
Signatures
-
Detect PurpleFox Rootkit 3 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 3 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\windows\SysWOW64\winsine.exeC:\windows\system32\winsine.exe2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\SysWOW64\winsine.exeFilesize
2.1MB
MD54db6c274bdb87cfbabea3066318925ed
SHA1b01afe8c6121f130e2e17ca50e738d634f870cb9
SHA256b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab
SHA512d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd
-
C:\windows\SysWOW64\winsine.exeFilesize
2.1MB
MD54db6c274bdb87cfbabea3066318925ed
SHA1b01afe8c6121f130e2e17ca50e738d634f870cb9
SHA256b33e3aa68ebcf5503bfbf592f6354701c336df72762922a27e29e71193ea25ab
SHA512d4d81a22e56075a5e3f449e741c37def17d27d6da138c1cab3ce79f70ed4ce3cf91fe543f18f1e4651fcecff005a273f4a4390ad4ee9f8104604b4ff96c7d2fd
-
memory/1412-1484-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-135-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-136-0x0000000077370000-0x0000000077513000-memory.dmpFilesize
1.6MB
-
memory/1412-137-0x0000000075620000-0x0000000075835000-memory.dmpFilesize
2.1MB
-
memory/1412-139-0x00000000752E0000-0x0000000075480000-memory.dmpFilesize
1.6MB
-
memory/1412-140-0x0000000076F10000-0x0000000076F8A000-memory.dmpFilesize
488KB
-
memory/1412-132-0x0000000000000000-mapping.dmp
-
memory/1412-1485-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1486-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1487-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1489-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1490-0x0000000010000000-0x0000000010192000-memory.dmpFilesize
1.6MB
-
memory/1412-1492-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB
-
memory/1412-1497-0x0000000000400000-0x0000000000791000-memory.dmpFilesize
3.6MB