Analysis
max time kernel: 43s
max time network: 130s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 30-09-2022 23:57
Static task: static1
Behavioral task: behavioral1
Sample: Server.exe
Resource: win7-20220812-en
General
Target: Server.exe
Size: 396KB
MD5: 5efd6f7577970a139e6c496353a4d440
SHA1: 9eb248739c9ee37463dc7894556dbab953e830d6
SHA256: 3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8
SHA512: d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761
SSDEEP: 12288:sb5DbPowllDRf9Ib2JONfUcri1RcQP2a+:s9Dbg6lV9C2JOBUIc12a+
Malware Config
Signatures
-
Processes:
resource                                                                    yara_rule
behavioral1/memory/1956-57-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral1/memory/1956-58-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral1/memory/1956-59-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
behavioral1/memory/952-71-0x0000000010000000-0x00000000101B9000-memory.dmp   purplefox_rootkit
behavioral1/memory/1416-77-0x0000000010000000-0x00000000101B9000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 5 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1956-57-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral1/memory/1956-58-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral1/memory/1956-59-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
behavioral1/memory/952-71-0x0000000010000000-0x00000000101B9000-memory.dmp   family_gh0strat
behavioral1/memory/1416-77-0x0000000010000000-0x00000000101B9000-memory.dmp  family_gh0strat
Executes dropped EXE 2 IoCs
Processes:
pid   process
952   Ghiya.exe
1416  Ghiya.exe
Processes:
resource                                                                    yara_rule
behavioral1/memory/1956-55-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral1/memory/1956-57-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral1/memory/1956-58-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral1/memory/1956-59-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
behavioral1/memory/952-71-0x0000000010000000-0x00000000101B9000-memory.dmp   upx
behavioral1/memory/1416-77-0x0000000010000000-0x00000000101B9000-memory.dmp  upx
Deletes itself 1 IoCs
Processes:
pid   process
1380  cmd.exe
Loads dropped DLL 1 IoCs
Processes:
pid   process
952   Ghiya.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description            ioc     process
File opened (read-only)  \??\K:  Ghiya.exe
File opened (read-only)  \??\R:  Ghiya.exe
File opened (read-only)  \??\S:  Ghiya.exe
File opened (read-only)  \??\Y:  Ghiya.exe
File opened (read-only)  \??\I:  Ghiya.exe
File opened (read-only)  \??\T:  Ghiya.exe
File opened (read-only)  \??\U:  Ghiya.exe
File opened (read-only)  \??\V:  Ghiya.exe
File opened (read-only)  \??\W:  Ghiya.exe
File opened (read-only)  \??\X:  Ghiya.exe
File opened (read-only)  \??\H:  Ghiya.exe
File opened (read-only)  \??\G:  Ghiya.exe
File opened (read-only)  \??\J:  Ghiya.exe
File opened (read-only)  \??\M:  Ghiya.exe
File opened (read-only)  \??\N:  Ghiya.exe
File opened (read-only)  \??\P:  Ghiya.exe
File opened (read-only)  \??\Q:  Ghiya.exe
File opened (read-only)  \??\Z:  Ghiya.exe
File opened (read-only)  \??\E:  Ghiya.exe
File opened (read-only)  \??\F:  Ghiya.exe
File opened (read-only)  \??\L:  Ghiya.exe
File opened (read-only)  \??\O:  Ghiya.exe
File opened (read-only)  \??\B:  Ghiya.exe
Drops file in System32 directory 2 IoCs
Processes:
description                   ioc                            process
File created                  C:\Windows\SysWOW64\Ghiya.exe  Server.exe
File opened for modification  C:\Windows\SysWOW64\Ghiya.exe  Server.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                     process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0        Ghiya.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   Ghiya.exe
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                          process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"  Ghiya.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum               Ghiya.exe
Key created      \REGISTRY\USER\.DEFAULT\Software                                             Ghiya.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft                                   Ghiya.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie                       Ghiya.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
1416  Ghiya.exe  (this entry is repeated 64 times in the report)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                          pid   process
Token: SeIncBasePriorityPrivilege    1956  Server.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                       pid   process     target process
PID 952 wrote to memory of 1416   952   Ghiya.exe   Ghiya.exe   (7 entries)
PID 1956 wrote to memory of 1380  1956  Server.exe  cmd.exe     (4 entries)
PID 1380 wrote to memory of 532   1380  cmd.exe     PING.EXE    (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   - Drops file in System32 directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\Server.exe > nul
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping -n 2 127.0.0.1
         - Runs ping.exe
1. C:\Windows\SysWOW64\Ghiya.exe
   command line: C:\Windows\SysWOW64\Ghiya.exe -auto
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Ghiya.exe
      command line: C:\Windows\SysWOW64\Ghiya.exe -acsi
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\SysWOW64\Ghiya.exe
Filesize: 396KB
MD5: 5efd6f7577970a139e6c496353a4d440
SHA1: 9eb248739c9ee37463dc7894556dbab953e830d6
SHA256: 3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8
SHA512: d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761
-
C:\Windows\SysWOW64\Ghiya.exe
Filesize: 396KB
MD5: 5efd6f7577970a139e6c496353a4d440
SHA1: 9eb248739c9ee37463dc7894556dbab953e830d6
SHA256: 3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8
SHA512: d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761
-
\Windows\SysWOW64\Ghiya.exe
Filesize: 396KB
MD5: 5efd6f7577970a139e6c496353a4d440
SHA1: 9eb248739c9ee37463dc7894556dbab953e830d6
SHA256: 3cb2fd26e550c2210a94d899a48ecd53216457e9c33f4a623bb3bb63263062a8
SHA512: d46d560854e594a7426075b482d39b728d8ad02907ada85fa24acf63903e5ed012d975698cba975d3247174c6be7f7686014a66d5f8df326eeef54997cb20761
-
memory/532-76-0x0000000000000000-mapping.dmp
-
memory/952-71-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB
-
memory/1380-68-0x0000000000000000-mapping.dmp
-
memory/1416-67-0x0000000000000000-mapping.dmp
-
memory/1416-77-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB
-
memory/1956-58-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB
-
memory/1956-59-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB
-
memory/1956-57-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB
-
memory/1956-54-0x0000000075141000-0x0000000075143000-memory.dmp
Filesize: 8KB
-
memory/1956-55-0x0000000010000000-0x00000000101B9000-memory.dmp
Filesize: 1.7MB