Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-04-2023 10:45

Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20230220-en (windows7-x64)
9 signatures
150 seconds
General

Target: tmp.exe
Size: 724KB
MD5: aafb88179338a12e6587bf530f01af8b
SHA1: 5a3e0f8db8384c6cad9d0db26f9c3b72d11ad9d1
SHA256: fc45a2906721098cabe88828b7c7607bc55f8813e7f0cfaa10e0e2d8cb8b0277
SHA512: 30a6d739f8138cb6b08b7d91a0b68f385214060e8b84426d35f5a2e8231c7f26ea072b39554ed808fb90b650733d660ab948a4fecd409c365b06719ce6c4cb88
SSDEEP: 12288:rUnIcs/mNZzwQEgyn3f3env0RlpztCUO9W2Pwq0UNglWZcKe6yRDHF/i506O7JBF:rUb0mPzwRfuv0RlRtCP/0U2MSK/OM2PF
Malware Config

Extracted
Family: gh0strat
C2: 103.195.150.229
Signatures

Processes:
resource                                                                       yara_rule
behavioral2/memory/2880-137-0x0000000010000000-0x0000000010192000-memory.dmp   purplefox_rootkit
behavioral2/memory/2880-145-0x0000000000400000-0x0000000000630000-memory.dmp   purplefox_rootkit

Gh0st RAT payload 2 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/2880-137-0x0000000010000000-0x0000000010192000-memory.dmp   family_gh0strat
behavioral2/memory/2880-145-0x0000000000400000-0x0000000000630000-memory.dmp   family_gh0strat

Processes:
resource                                                                       yara_rule
behavioral2/memory/2880-133-0x0000000000400000-0x0000000000630000-memory.dmp   vmprotect
behavioral2/memory/2880-145-0x0000000000400000-0x0000000000630000-memory.dmp   vmprotect
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: tmp.exe
description              ioc     process
File opened (read-only)  \??\H:  tmp.exe
File opened (read-only)  \??\I:  tmp.exe
File opened (read-only)  \??\O:  tmp.exe
File opened (read-only)  \??\T:  tmp.exe
File opened (read-only)  \??\B:  tmp.exe
File opened (read-only)  \??\S:  tmp.exe
File opened (read-only)  \??\W:  tmp.exe
File opened (read-only)  \??\X:  tmp.exe
File opened (read-only)  \??\Y:  tmp.exe
File opened (read-only)  \??\N:  tmp.exe
File opened (read-only)  \??\M:  tmp.exe
File opened (read-only)  \??\R:  tmp.exe
File opened (read-only)  \??\U:  tmp.exe
File opened (read-only)  \??\V:  tmp.exe
File opened (read-only)  \??\Z:  tmp.exe
File opened (read-only)  \??\L:  tmp.exe
File opened (read-only)  \??\F:  tmp.exe
File opened (read-only)  \??\G:  tmp.exe
File opened (read-only)  \??\J:  tmp.exe
File opened (read-only)  \??\K:  tmp.exe
File opened (read-only)  \??\P:  tmp.exe
File opened (read-only)  \??\Q:  tmp.exe
File opened (read-only)  \??\E:  tmp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: tmp.exe
pid   process
2880  tmp.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: tmp.exe
description        ioc                                                                     process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  tmp.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0       tmp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: tmp.exe
pid   process
2880  tmp.exe
(the same pid/process entry is repeated for each of the 64 IoCs)