Analysis

max time kernel: 31s
max time network: 129s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2023 10:45

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en (windows7-x64)
9 signatures, 150 seconds
General

Target: tmp.exe
Size: 724KB
MD5: aafb88179338a12e6587bf530f01af8b
SHA1: 5a3e0f8db8384c6cad9d0db26f9c3b72d11ad9d1
SHA256: fc45a2906721098cabe88828b7c7607bc55f8813e7f0cfaa10e0e2d8cb8b0277
SHA512: 30a6d739f8138cb6b08b7d91a0b68f385214060e8b84426d35f5a2e8231c7f26ea072b39554ed808fb90b650733d660ab948a4fecd409c365b06719ce6c4cb88
SSDEEP: 12288:rUnIcs/mNZzwQEgyn3f3env0RlpztCUO9W2Pwq0UNglWZcKe6yRDHF/i506O7JBF:rUb0mPzwRfuv0RlRtCP/0U2MSK/OM2PF
Malware Config

Extracted
Family: gh0strat
C2: 103.195.150.229
Signatures

Processes:
resource  yara_rule
behavioral1/memory/1956-58-0x0000000010000000-0x0000000010192000-memory.dmp  purplefox_rootkit
behavioral1/memory/1956-64-0x0000000000400000-0x0000000000630000-memory.dmp  purplefox_rootkit

Gh0st RAT payload (2 IoCs)
Processes:
resource  yara_rule
behavioral1/memory/1956-58-0x0000000010000000-0x0000000010192000-memory.dmp  family_gh0strat
behavioral1/memory/1956-64-0x0000000000400000-0x0000000000630000-memory.dmp  family_gh0strat

Processes:
resource  yara_rule
behavioral1/memory/1956-54-0x0000000000400000-0x0000000000630000-memory.dmp  vmprotect
behavioral1/memory/1956-64-0x0000000000400000-0x0000000000630000-memory.dmp  vmprotect
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tmp.exe
description: File opened (read-only)
process: tmp.exe
ioc: \??\B:, \??\I:, \??\L:, \??\R:, \??\X:, \??\Y:, \??\M:, \??\Q:, \??\W:, \??\E:, \??\G:, \??\K:, \??\N:, \??\O:, \??\T:, \??\V:, \??\Z:, \??\F:, \??\H:, \??\J:, \??\P:, \??\S:, \??\U:
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: tmp.exe
pid  process
1956  tmp.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: tmp.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  tmp.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  tmp.exe
Suspicious behavior: EnumeratesProcesses (33 IoCs)
Processes: tmp.exe
pid  process
1956  tmp.exe (33 occurrences)