Analysis
- max time kernel: 96s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2022 22:04

Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220901-en

Note: the signatures, process tree and memory dumps below are tagged behavioral2 and carry the windows10-2004_x64 platform details listed above; the behavioral1 run on win7-20220901-en appears in the task summary but its results are not part of this extract.
General
- Target: tmp.exe
- Size: 1.4MB
- MD5: 52bf7eabbd7166fc9a3338ea7924cd1b
- SHA1: 414968161f53d327617470b92a5af5067036d845
- SHA256: 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
- SHA512: 7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
- SSDEEP: 24576:+d5hczucXF3NHOFJQ2Bdj59SW/IX2u9Av1:scSFLj7k2l
Malware Config
Signatures
PurpleFox rootkit (YARA rule purplefox_rootkit) 1 IoCs
Processes:
- resource: behavioral2/memory/1800-132-0x0000000010000000-0x00000000101AF000-memory.dmp
  yara_rule: purplefox_rootkit
Gh0st RAT payload 1 IoCs
Processes:
- resource: behavioral2/memory/1800-132-0x0000000010000000-0x00000000101AF000-memory.dmp
  yara_rule: family_gh0strat

Both YARA rules fire on the same 1.7MB region of PID 1800 (tmp.exe), 0x10000000-0x101AF000, so this is one unpacked payload matched by two rule families rather than two separate payloads. 0x10000000 is the default image base MSVC assigns to 32-bit DLLs, which is consistent with a DLL the dropper loads at its preferred base; the dump itself is listed under Downloads.
Executes dropped EXE 1 IoCs
Processes:
- pid 4852, process svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: tmp.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- description: File opened (read-only), one entry per drive root
  process: svchost.exe (PID 4852)
  ioc (23 roots in NT object path form, every letter from B: to Z: except C: and D:): \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Caveat: "likely ransomware behaviour" is the sandbox's generic description of this signature. Nothing else in the report shows file encryption, mass file writes or a ransom note, and given the Gh0st RAT match above the blind B: to Z: sweep is more consistent with a RAT's file-manager capability than with a ransomware payload.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  process: svchost.exe
- description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  process: svchost.exe
Runs ping.exe 1 TTPs 1 IoCs
See the process tree: PING.EXE (PID 4336) running ping -n 2 127.0.0.1, which cmd.exe uses as a short delay before deleting the original tmp.exe.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- pid 4852, process svchost.exe (all 64 entries are this one process)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeIncBasePriorityPrivilege
  pid: 1800
  process: tmp.exe
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 1800, process tmp.exe
- pid 4852, process svchost.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes (each parent/child pair is logged three times):
- PID 1800 wrote to memory of 4852: tmp.exe -> svchost.exe (x3)
- PID 1800 wrote to memory of 3460: tmp.exe -> cmd.exe (x3)
- PID 3460 wrote to memory of 4336: cmd.exe -> PING.EXE (x3)
The only targets are the children that 1800 and 3460 themselves spawn (see the process tree), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 1800)
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (PID 4852, child of 1800)
    command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 3460, child of 1800)
    command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\tmp.exe > nul
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 4336, child of 3460)
      command line: ping -n 2 127.0.0.1
      - Runs ping.exe

What the tree shows: tmp.exe copies itself unchanged (identical hashes, see Downloads) into the all-users Startup folder under the name svchost.exe, launches that copy, and then hands cmd.exe a one-liner that pings localhost twice as a roughly one-second delay before deleting the original tmp.exe. The only surviving copy is the one in the Startup folder, which runs at every interactive logon. The name imitates the legitimate service host, but a genuine svchost.exe lives in C:\Windows\System32 (or SysWOW64), never in a Startup folder. Although the command line names C:\Windows\system32\cmd.exe, the image that actually ran is C:\Windows\SysWOW64\cmd.exe: tmp.exe is a 32-bit process, so WoW64 file system redirection maps its System32 reference to SysWOW64.
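The behaviours this report records (a self-copy into the Startup folder under a system-binary name, launch of the copy, a ping-delayed self-delete, the Geo\Nation registry lookup and the B: to Z: drive sweep from the signature list) survive rebuilds that change every hash, so they are what a detection should key on. The following is an added example written for this page, not code from the sandbox or from the sample: it replays a hand-constructed event list, modelled on the report's PIDs, paths and command lines, through five small rules and returns the findings. The event schema (type/pid/ppid/image/cmdline/path/key), the `run_detections` function and the rule names are this example's own and do not correspond to any real log format or product.

```python
"""Behavioural checks replayed over constructed events modelled on the report above.

Added example for this page; not code from the sandbox or from the sample.
The event schema (type/pid/ppid/image/cmdline/path/key) is hypothetical.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Names that only legitimately run from the Windows system directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROTECTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
STARTUP_SUFFIX = r"\start menu\programs\startup"
GEO_SUFFIX = r"\control panel\international\geo\nation"
# "ping -n <N> 127.0.0.1 ... && del <file>": ping to localhost used as a sleep, then a delete.
SELF_DELETE_RE = re.compile(
    r'ping\s+-n\s+\d+\s+127\.0\.0\.1\b.*?&&\s*del\s+("[^"]+"|\S+)', re.IGNORECASE)
# NT object-manager form of a drive root, as the sandbox logs it: \??\X:
DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)

# Constructed events mirroring the report (PIDs, paths and command lines taken from it;
# the ppid of 1800 is a placeholder because the report does not show its parent).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
STARTUP_COPY = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
EVENTS = [
    {"type": "process", "pid": 1800, "ppid": 1, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "file_write", "pid": 1800, "path": STARTUP_COPY},
    {"type": "process", "pid": 4852, "ppid": 1800, "image": STARTUP_COPY,
     "cmdline": f'"{STARTUP_COPY}"'},
    {"type": "process", "pid": 3460, "ppid": 1800, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del {DROPPER} > nul"},
    {"type": "process", "pid": 4336, "ppid": 3460, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping -n 2 127.0.0.1"},
    {"type": "reg_query", "pid": 1800,
     "key": r"\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000"
            r"\Control Panel\International\Geo\Nation"},
] + [{"type": "file_open", "pid": 4852, "path": rf"\??\{letter}:"}
     for letter in "BEFGHIJKLMNOPQRSTUVWXYZ"]


def run_detections(events, drive_threshold=8):
    """Return a list of findings; each names the rule that fired and the offending pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    drive_roots = defaultdict(set)
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "process":
            image = PureWindowsPath(e["image"])
            name, folder = image.name.lower(), str(image.parent).lower()
            # Rule 1: a system-binary name running outside System32/SysWOW64 (masquerading).
            if name in PROTECTED_NAMES and folder not in SYSTEM_DIRS:
                findings.append({"rule": "masquerading_system_binary",
                                 "pid": e["pid"], "image": e["image"]})
            # Rule 2: ping-delayed delete; also check whether the file is the parent's own image.
            m = SELF_DELETE_RE.search(e.get("cmdline", ""))
            if m:
                target = m.group(1).strip('"')
                parent = procs.get(e["ppid"])
                hits_parent = parent is not None and parent["image"].lower() == target.lower()
                findings.append({"rule": "ping_delay_self_delete", "pid": e["pid"],
                                 "target": target,
                                 "deletes_parent_pid": parent["pid"] if hits_parent else None})
        elif kind == "file_write":
            # Rule 3: any file written into a Startup folder (runs at the next logon).
            if str(PureWindowsPath(e["path"]).parent).lower().endswith(STARTUP_SUFFIX):
                findings.append({"rule": "startup_folder_persistence",
                                 "pid": e["pid"], "path": e["path"]})
        elif kind == "reg_query":
            # Rule 4: the Geo\Nation country-code lookup used for geofencing.
            if e["key"].lower().endswith(GEO_SUFFIX):
                findings.append({"rule": "geo_nation_lookup", "pid": e["pid"], "key": e["key"]})
        elif kind == "file_open":
            m = DRIVE_ROOT_RE.match(e["path"])
            if m:
                drive_roots[e["pid"]].add(m.group(1).upper())
    # Rule 5: one process opening many drive roots, most of which do not exist on a normal host.
    for pid, letters in drive_roots.items():
        if len(letters) >= drive_threshold:
            findings.append({"rule": "drive_letter_sweep", "pid": pid,
                             "count": len(letters), "letters": "".join(sorted(letters))})
    return findings


if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

Rule 2 resolves the `del` target against the parent process's image, because a ping-then-delete of an unrelated file is merely odd while deleting the process that launched the command is the self-cleanup pattern this report shows. The drive-sweep threshold is deliberately low for a single process: legitimate software enumerates drives via the volume APIs rather than by opening `\??\B:` through `\??\Z:` one letter at a time.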
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe (listed twice on the original page, once with the folder spelled StartUp and once Startup; Windows paths are case-insensitive, so both entries are the same file)
  Filesize: 1.4MB
  MD5: 52bf7eabbd7166fc9a3338ea7924cd1b
  SHA1: 414968161f53d327617470b92a5af5067036d845
  SHA256: 63b1815d8584510e5da95988b8c611608c7e6d612d840392757175f255024e96
  SHA512: 7e398819ff0437000048c4896051133f0084b0039c872de97fee24b0e0d2ae1b794bdf2f3563b57524ae2be0b09dfc5ebc1044978710eb0373138f93f3b3055a
  These hashes are identical to those of tmp.exe under General: the dropped file is a byte-for-byte copy of the sample, not a second-stage payload.
- memory/1800-132-0x0000000010000000-0x00000000101AF000-memory.dmp
  Filesize: 1.7MB (the region both YARA rules matched)
- memory/3460-140-0x0000000000000000-mapping.dmp
- memory/4336-146-0x0000000000000000-mapping.dmp
- memory/4852-138-0x0000000000000000-mapping.dmp