Analysis
max time kernel: 123s
max time network: 128s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2022 22:04
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220901-en
General
Target: tmp.exe
Size: 1.4MB
MD5: 52bf7eabbd7166fc9a3338ea7924cd1b
SHA1: 414968161f53d327617470b92a5af5067036d845
SHA256: 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
SHA512: 7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
SSDEEP: 24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l
Malware Config
Signatures
Processes:
  resource: behavioral1/memory/1708-55-0x0000000010000000-0x00000000101AF000-memory.dmp
  yara_rule: purplefox_rootkit

Gh0st RAT payload 1 IoCs
Processes:
  resource: behavioral1/memory/1708-55-0x0000000010000000-0x00000000101AF000-memory.dmp
  yara_rule: family_gh0strat

Executes dropped EXE 1 IoCs
Processes:
  pid 1224  svchost.exe

Deletes itself 1 IoCs
Processes:
  pid 584  cmd.exe

Loads dropped DLL 2 IoCs
Processes:
  pid 1708  tmp.exe
  pid 1708  tmp.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  svchost.exe  File opened (read-only)  \??\P:
  svchost.exe  File opened (read-only)  \??\W:
  svchost.exe  File opened (read-only)  \??\Z:
  svchost.exe  File opened (read-only)  \??\H:
  svchost.exe  File opened (read-only)  \??\I:
  svchost.exe  File opened (read-only)  \??\N:
  svchost.exe  File opened (read-only)  \??\O:
  svchost.exe  File opened (read-only)  \??\R:
  svchost.exe  File opened (read-only)  \??\S:
  svchost.exe  File opened (read-only)  \??\T:
  svchost.exe  File opened (read-only)  \??\G:
  svchost.exe  File opened (read-only)  \??\J:
  svchost.exe  File opened (read-only)  \??\K:
  svchost.exe  File opened (read-only)  \??\L:
  svchost.exe  File opened (read-only)  \??\M:
  svchost.exe  File opened (read-only)  \??\Q:
  svchost.exe  File opened (read-only)  \??\U:
  svchost.exe  File opened (read-only)  \??\V:
  svchost.exe  File opened (read-only)  \??\Y:
  svchost.exe  File opened (read-only)  \??\B:
  svchost.exe  File opened (read-only)  \??\E:
  svchost.exe  File opened (read-only)  \??\F:
  svchost.exe  File opened (read-only)  \??\X:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  svchost.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  svchost.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
  pid 1224  svchost.exe  (33 identical entries)

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  pid 1708  tmp.exe  Token: SeIncBasePriorityPrivilege

Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid 1708  tmp.exe
  pid 1224  svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 1708 wrote to memory of 1224  tmp.exe -> svchost.exe  (4 entries)
  PID 1708 wrote to memory of 584   tmp.exe -> cmd.exe      (4 entries)
  PID 584 wrote to memory of 1860   cmd.exe -> PING.EXE     (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\tmp.exe > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 2 127.0.0.1
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Filesize: 1.4MB
  MD5: 52bf7eabbd7166fc9a3338ea7924cd1b
  SHA1: 414968161f53d327617470b92a5af5067036d845
  SHA256: 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
  SHA512: 7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a

\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
  Filesize: 1.4MB
  MD5: 52bf7eabbd7166fc9a3338ea7924cd1b
  SHA1: 414968161f53d327617470b92a5af5067036d845
  SHA256: 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
  SHA512: 7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
memory/584-67-0x0000000000000000-mapping.dmp

memory/1224-63-0x0000000000000000-mapping.dmp

memory/1708-54-0x0000000075111000-0x0000000075113000-memory.dmp
  Filesize: 8KB

memory/1708-55-0x0000000010000000-0x00000000101AF000-memory.dmp
  Filesize: 1.7MB

memory/1860-73-0x0000000000000000-mapping.dmp