Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2022 20:24
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20221111-en
General
- Target: tmp.exe
- Size: 375KB
- MD5: ae8feb1dadf827be9a522b4159f3ac9a
- SHA1: b93774b6d58ccbe20aaf95d22636502a5eb9f762
- SHA256: 0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0
- SHA512: ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2
- SSDEEP: 6144:ORjbUHOvGUNIE/FDjBazqjWgR+MSEtvlZTONpRGX5B4PY3mA0O0Gp8Nh/5Jod:ejbh9tDjiuT+xEtl0u4w3mAZyUd
Malware Config
Signatures
- purplefox_rootkit (yara rule) 10 IoCs
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4984-134-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4984-135-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4984-138-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4852-142-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4852-143-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4852-147-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4296-151-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4296-152-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4296-153-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
    behavioral2/memory/4296-154-0x0000000010000000-0x00000000101A5000-memory.dmp  purplefox_rootkit
- Gh0st RAT payload 10 IoCs
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4984-134-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4984-135-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4984-138-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4852-142-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4852-143-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4852-147-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4296-151-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4296-152-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4296-153-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
    behavioral2/memory/4296-154-0x0000000010000000-0x00000000101A5000-memory.dmp  family_gh0strat
- Drops file in Drivers directory 1 IoCs
  Processes:
    description   ioc                                       process
    File created  C:\Windows\system32\drivers\QAssist.sys  sainbox.exe
- Executes dropped EXE 2 IoCs
  Processes:
    pid   process
    4852  sainbox.exe
    4296  sainbox.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  Processes:
    description      ioc                                                                                                process
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  sainbox.exe
- upx (yara rule) 13 IoCs
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4984-132-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4984-134-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4984-135-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4984-138-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4852-139-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4852-142-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4852-143-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4852-147-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4296-149-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4296-151-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4296-152-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4296-153-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
    behavioral2/memory/4296-154-0x0000000010000000-0x00000000101A5000-memory.dmp  upx
- Enumerates connected drives 3 TTPs 23 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description              ioc     process
    File opened (read-only)  \??\P:  sainbox.exe
    File opened (read-only)  \??\R:  sainbox.exe
    File opened (read-only)  \??\V:  sainbox.exe
    File opened (read-only)  \??\X:  sainbox.exe
    File opened (read-only)  \??\E:  sainbox.exe
    File opened (read-only)  \??\G:  sainbox.exe
    File opened (read-only)  \??\I:  sainbox.exe
    File opened (read-only)  \??\O:  sainbox.exe
    File opened (read-only)  \??\Y:  sainbox.exe
    File opened (read-only)  \??\K:  sainbox.exe
    File opened (read-only)  \??\Q:  sainbox.exe
    File opened (read-only)  \??\T:  sainbox.exe
    File opened (read-only)  \??\U:  sainbox.exe
    File opened (read-only)  \??\F:  sainbox.exe
    File opened (read-only)  \??\H:  sainbox.exe
    File opened (read-only)  \??\J:  sainbox.exe
    File opened (read-only)  \??\S:  sainbox.exe
    File opened (read-only)  \??\W:  sainbox.exe
    File opened (read-only)  \??\Z:  sainbox.exe
    File opened (read-only)  \??\B:  sainbox.exe
    File opened (read-only)  \??\L:  sainbox.exe
    File opened (read-only)  \??\M:  sainbox.exe
    File opened (read-only)  \??\N:  sainbox.exe
- Drops file in System32 directory 2 IoCs
  Processes:
    description                   ioc                               process
    File created                  C:\Windows\SysWOW64\sainbox.exe  tmp.exe
    File opened for modification  C:\Windows\SysWOW64\sainbox.exe  tmp.exe
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description        ioc                                                                process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       sainbox.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  sainbox.exe
- Modifies data under HKEY_USERS 5 IoCs
  Processes:
    description      ioc                                                                     process
    Key created      \REGISTRY\USER\.DEFAULT\Software                                        sainbox.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                              sainbox.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                  sainbox.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  sainbox.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum          sainbox.exe
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
    pid   process
    4296  sainbox.exe  (64 identical entries)
- Suspicious behavior: LoadsDriver 1 IoCs
  Processes:
    pid   process
    4296  sainbox.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes:
    description                        pid   process
    Token: SeIncBasePriorityPrivilege  4984  tmp.exe
    Token: SeLoadDriverPrivilege       4296  sainbox.exe
    Token: 33                          4296  sainbox.exe
    Token: SeIncBasePriorityPrivilege  4296  sainbox.exe
    Token: 33                          4296  sainbox.exe
    Token: SeIncBasePriorityPrivilege  4296  sainbox.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
    description                      pid   process      target process
    PID 4984 wrote to memory of 4244  4984  tmp.exe      cmd.exe
    PID 4984 wrote to memory of 4244  4984  tmp.exe      cmd.exe
    PID 4984 wrote to memory of 4244  4984  tmp.exe      cmd.exe
    PID 4852 wrote to memory of 4296  4852  sainbox.exe  sainbox.exe
    PID 4852 wrote to memory of 4296  4852  sainbox.exe  sainbox.exe
    PID 4852 wrote to memory of 4296  4852  sainbox.exe  sainbox.exe
    PID 4244 wrote to memory of 1932  4244  cmd.exe      PING.EXE
    PID 4244 wrote to memory of 1932  4244  cmd.exe      PING.EXE
    PID 4244 wrote to memory of 1932  4244  cmd.exe      PING.EXE
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\tmp.exe > nul
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\PING.EXE
      command line: ping -n 2 127.0.0.1
      - Runs ping.exe
- [1] C:\Windows\SysWOW64\sainbox.exe
  command line: C:\Windows\SysWOW64\sainbox.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\sainbox.exe
    command line: C:\Windows\SysWOW64\sainbox.exe -acsi
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Sets service image path in registry
    - Enumerates connected drives
    - Checks processor information in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\SysWOW64\sainbox.exe
  Filesize: 375KB
  MD5: ae8feb1dadf827be9a522b4159f3ac9a
  SHA1: b93774b6d58ccbe20aaf95d22636502a5eb9f762
  SHA256: 0108aa34b802442199c1c4d33aa6826c4a098fe72343a4aa690ea5be5cfba7d0
  SHA512: ff607684539d533f385576b0cd14f902b8f3abe3eb3d9ccf7d35dae117e224ec177a53e8b1571df6785ff92626d3f73c666ecd09e2d7a47689d3f4c1932d47b2
- memory/1932-148-0x0000000000000000-mapping.dmp
- memory/4244-144-0x0000000000000000-mapping.dmp
- memory/4296-145-0x0000000000000000-mapping.dmp
- memory/4296-154-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4296-153-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4296-152-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4296-151-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4296-149-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4852-143-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4852-147-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4852-142-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4852-139-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4984-132-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4984-138-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4984-135-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB
- memory/4984-134-0x0000000010000000-0x00000000101A5000-memory.dmp  Filesize: 1.6MB