Analysis
-
max time kernel
47s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
05-04-2023 11:02
General
-
Target
059386b0be7a262d5a27655ac0b48d9f44ce1a3d894407886032ff2254933859.exe
-
Size
1.2MB
-
MD5
1d95cacc1b68dbe100e5d50856486d59
-
SHA1
352e53eb65ce65c5a4c52a1520d97018079415b3
-
SHA256
059386b0be7a262d5a27655ac0b48d9f44ce1a3d894407886032ff2254933859
-
SHA512
2eadc6cd3e2ffb0936f5f2d79986e1306b45879ed037c7c42748616a96818ec2f89ae27af503af920052aed9305e9082c5a3c1101a1c7edaf4f75b79dee6d2bf
-
SSDEEP
24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiE:WIwgMEuy+inDfp3/XoCw57XYBwKE
Malware Config
Signatures
-
Detect PurpleFox Rootkit 7 IoCs
Detect PurpleFox Rootkit.
-
Gh0st RAT payload 8 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 4 IoCs
Detects executables packed with VMProtect commercial packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\059386b0be7a262d5a27655ac0b48d9f44ce1a3d894407886032ff2254933859.exe"C:\Users\Admin\AppData\Local\Temp\059386b0be7a262d5a27655ac0b48d9f44ce1a3d894407886032ff2254933859.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 4003⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul3⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4352 -ip 43521⤵
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeFilesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeFilesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeFilesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeFilesize
91KB
MD5423eb994ed553294f8a6813619b8da87
SHA1eca6a16ccd13adcfc27bc1041ddef97ec8081255
SHA256050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218
SHA512fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeFilesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeFilesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
C:\Users\Admin\AppData\Roaming\Microsoft\Config.iniFilesize
92B
MD529ce53e2a4a446614ccc8d64d346bde4
SHA139a7aa5cc1124842aa0c25abb16ea94452125cbe
SHA25656225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df
SHA512b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa
-
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbsFilesize
753B
MD504579ddb548ffc9d72153b3e62f0b599
SHA1ae21b987b7bedc545e7d26e1a3804bd43c1faa19
SHA256938066f5e33f0e9f440faf9d7fa44ae989bf85ad876e93d8ca63268146bca274
SHA5129cca65791c323883bdb3d5c5a9b1bac7b5c9a67862a58e90e940b761dfc0c1447b43768a3293fb23f45af539175b67c99c28a98aeb8cd94b62dd8f1a3fecf362
-
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbsFilesize
753B
MD504579ddb548ffc9d72153b3e62f0b599
SHA1ae21b987b7bedc545e7d26e1a3804bd43c1faa19
SHA256938066f5e33f0e9f440faf9d7fa44ae989bf85ad876e93d8ca63268146bca274
SHA5129cca65791c323883bdb3d5c5a9b1bac7b5c9a67862a58e90e940b761dfc0c1447b43768a3293fb23f45af539175b67c99c28a98aeb8cd94b62dd8f1a3fecf362
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exeFilesize
1.2MB
MD552f1e04d971fe716774058d1ca07c34f
SHA1baa3c7483508a02d922b0cbe21961c9df1f564c8
SHA2568e6b0aab896873d9dfd7b03243d731df387f5c60baac0838c7d3a99760da334d
SHA51291eadcc532f390f1658c700a54ba64f46ad3e52dded3051811d3ed91a53be123e415d8f73c34e7b9a10c77b43505f0cb59a1e11a0c58bb897807a07a355c5160
-
C:\Windows\SysWOW64\240572015.txtFilesize
49KB
MD5889056157ff8a5fde79b697a0c95284f
SHA1de61432b9ac885b1756bf59522ee91e4f82a35a4
SHA256da8e881271f44f902348a78aa9a09b74a8eff2b7bab29fe59d9b01654297a438
SHA512964f7f790363dedf0b30c6504ea0e813c268a6fc2c0e3ef3a83756ca012b17265c5fc62c3c17ed792293cdb2bccd8e22aa3b8f2ce5eb3e601862b41d5f04f582
-
C:\Windows\SysWOW64\Ghiya.exeFilesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
C:\Windows\SysWOW64\Ghiya.exeFilesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
C:\Windows\SysWOW64\Ghiya.exeFilesize
400KB
MD5b0998aa7d5071d33daa5b60b9c3c9735
SHA19365a1ff0c6de244d6f36c8d84072cc916665d3c
SHA2563080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a
SHA512308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850
-
memory/212-169-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/212-171-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/212-172-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/2776-160-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/2776-159-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/2776-157-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/4724-183-0x0000000000400000-0x0000000000760000-memory.dmpFilesize
3.4MB
-
memory/4724-133-0x0000000000400000-0x0000000000760000-memory.dmpFilesize
3.4MB
-
memory/4724-135-0x0000000000400000-0x0000000000760000-memory.dmpFilesize
3.4MB
-
memory/4792-178-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/4792-180-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB
-
memory/4792-252-0x0000000010000000-0x00000000101BA000-memory.dmpFilesize
1.7MB