Analysis
  max time kernel: 150s
  max time network: 138s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 30-12-2022 20:24

Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20221111-en
General
  Target: tmp.exe
  Size: 375KB
  MD5: ae8feb1dadf827be9a522b4159f3ac9a
  SHA1: b93774b6d58ccbe20aaf95d22636502a5eb9f762
  SHA256: 0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0
  SHA512: ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2
  SSDEEP: 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nh/5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyUd
Malware Config
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/2004-57-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2004-58-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2004-65-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/2000-78-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/788-85-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/788-84-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/788-86-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
  behavioral1/memory/788-87-0x0000000010000000-0x00000000101A5000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 8 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2004-57-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/2004-58-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/2004-65-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/2000-78-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/788-85-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/788-84-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/788-86-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
  behavioral1/memory/788-87-0x0000000010000000-0x00000000101A5000-memory.dmp | family_gh0strat
-
Drops file in Drivers directory 1 IoCs
Processes: sainbox.exe
  description | ioc | process
  File created | C:\Windows\system32\drivers\QAssist.sys | sainbox.exe
-
Executes dropped EXE 2 IoCs
Processes: sainbox.exe, sainbox.exe
  pid | process
  2000 | sainbox.exe
  788 | sainbox.exe
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: sainbox.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | sainbox.exe
-
Processes:
  resource | yara_rule
  behavioral1/memory/2004-55-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/2004-57-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/2004-58-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/2004-65-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/2000-78-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/788-82-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/788-85-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/788-84-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/788-86-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
  behavioral1/memory/788-87-0x0000000010000000-0x00000000101A5000-memory.dmp | upx
-
Deletes itself 1 IoCs
Processes: cmd.exe
  pid | process
  596 | cmd.exe
-
Loads dropped DLL 7 IoCs
Processes: sainbox.exe, sainbox.exe
  pid | process
  2000 | sainbox.exe (4 entries)
  788 | sainbox.exe (3 entries)
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: sainbox.exe
  description | ioc | process
  File opened (read-only) | \??\F: | sainbox.exe
  File opened (read-only) | \??\N: | sainbox.exe
  File opened (read-only) | \??\P: | sainbox.exe
  File opened (read-only) | \??\W: | sainbox.exe
  File opened (read-only) | \??\K: | sainbox.exe
  File opened (read-only) | \??\S: | sainbox.exe
  File opened (read-only) | \??\T: | sainbox.exe
  File opened (read-only) | \??\Y: | sainbox.exe
  File opened (read-only) | \??\E: | sainbox.exe
  File opened (read-only) | \??\O: | sainbox.exe
  File opened (read-only) | \??\Q: | sainbox.exe
  File opened (read-only) | \??\U: | sainbox.exe
  File opened (read-only) | \??\V: | sainbox.exe
  File opened (read-only) | \??\B: | sainbox.exe
  File opened (read-only) | \??\G: | sainbox.exe
  File opened (read-only) | \??\H: | sainbox.exe
  File opened (read-only) | \??\I: | sainbox.exe
  File opened (read-only) | \??\J: | sainbox.exe
  File opened (read-only) | \??\L: | sainbox.exe
  File opened (read-only) | \??\M: | sainbox.exe
  File opened (read-only) | \??\R: | sainbox.exe
  File opened (read-only) | \??\X: | sainbox.exe
  File opened (read-only) | \??\Z: | sainbox.exe
-
Drops file in System32 directory 2 IoCs
Processes: tmp.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\sainbox.exe | tmp.exe
  File opened for modification | C:\Windows\SysWOW64\sainbox.exe | tmp.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: sainbox.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | sainbox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | sainbox.exe
-
Modifies data under HKEY_USERS 6 IoCs
Processes: sainbox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | sainbox.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | sainbox.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | sainbox.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | sainbox.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | sainbox.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | sainbox.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: sainbox.exe
  pid | process
  788 | sainbox.exe (33 entries)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes: sainbox.exe
  pid | process
  788 | sainbox.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: tmp.exe, sainbox.exe
  description | pid | process
  Token: SeIncBasePriorityPrivilege | 2004 | tmp.exe
  Token: SeLoadDriverPrivilege | 788 | sainbox.exe
  Token: 33 | 788 | sainbox.exe
  Token: SeIncBasePriorityPrivilege | 788 | sainbox.exe
  Token: 33 | 788 | sainbox.exe
  Token: SeIncBasePriorityPrivilege | 788 | sainbox.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: sainbox.exe, tmp.exe, cmd.exe
  description | pid | process | target process
  PID 2000 wrote to memory of 788 | 2000 | sainbox.exe | sainbox.exe (7 entries)
  PID 2004 wrote to memory of 596 | 2004 | tmp.exe | cmd.exe (7 entries)
  PID 596 wrote to memory of 1844 | 596 | cmd.exe | PING.EXE (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\tmp.exe > nul
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe
- C:\Windows\SysWOW64\sainbox.exe
  Command line: C:\Windows\SysWOW64\sainbox.exe -auto
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sainbox.exe
    Command line: C:\Windows\SysWOW64\sainbox.exe -acsi
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\sainbox.exe
  Filesize: 375KB
  MD5: ae8feb1dadf827be9a522b4159f3ac9a
  SHA1: b93774b6d58ccbe20aaf95d22636502a5eb9f762
  SHA256: 0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0
  SHA512: ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2
- \Windows\SysWOW64\sainbox.exe
  Filesize: 375KB
  MD5: ae8feb1dadf827be9a522b4159f3ac9a
  SHA1: b93774b6d58ccbe20aaf95d22636502a5eb9f762
  SHA256: 0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0
  SHA512: ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2
- memory/596-72-0x0000000000000000-mapping.dmp
- memory/788-82-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/788-71-0x0000000000000000-mapping.dmp
- memory/788-85-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/788-84-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/788-86-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/788-87-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/1844-80-0x0000000000000000-mapping.dmp
- memory/2000-78-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/2004-54-0x00000000753D1000-0x00000000753D3000-memory.dmp (Filesize: 8KB)
- memory/2004-57-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/2004-55-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/2004-58-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)
- memory/2004-65-0x0000000010000000-0x00000000101A5000-memory.dmp (Filesize: 1.6MB)