gh0strat | 177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb

Analysis

max time kernel
135s
max time network
266s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-04-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
Size

1.2MB
MD5

a40b2436c9812bb415e88e0e1533019a
SHA1

a874af7951f41ed36d72809e11997eb9c1bbd0ff
SHA256

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb
SHA512

58ed8a5d8395b73bec28144f4c861e11c67223e294ef1cd8abf43dc3356f92c8d331fd1dc2b7392cb169ebd4745f70a893a38407805bead69b30f3d5f35f8369
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJti8:WIwgMEuy+inDfp3/XoCw57XYBwK8

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 6 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1340-83-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/1340-84-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-168-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-169-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-170-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2528-172-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\7207339.txt	family_gh0strat
behavioral1/memory/1340-83-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/1340-84-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
\??\c:\windows\SysWOW64\7207339.txt	family_gh0strat
\Windows\SysWOW64\7207339.txt	family_gh0strat
\Windows\SysWOW64\7207339.txt	family_gh0strat
behavioral1/memory/2528-168-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2528-169-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2528-170-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2528-172-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops startup file 1 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

Executes dropped EXE 3 IoCs

Processes:

AK47.exeAK47.exeAK74.exe

pid process

520 AK47.exe
976 AK47.exe
1340 AK74.exe

pid	process
520	AK47.exe
976	AK47.exe
1340	AK74.exe

Loads dropped DLL 6 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exeAK47.exe

pid	process
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
520	AK47.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1340-81-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/1340-83-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/1340-84-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2528-166-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2528-168-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2528-169-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2528-170-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2528-172-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1636-54-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/1636-57-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

Drops file in System32 directory 4 IoCs

Processes:

AK47.exeAK47.exeAK74.exe

description	ioc	process
File created	C:\Windows\SysWOW64\7207339.txt	AK47.exe
File created	C:\Windows\SysWOW64\7207339.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2964 PING.EXE

pid	process
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

pid	process
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

pid process

1636 177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

pid	process
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe

description	pid	process	target process
PID 1636 wrote to memory of 520	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 520	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 520	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 520	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 976	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 976	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 976	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 976	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK47.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 1340	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	AK74.exe
PID 1636 wrote to memory of 756	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 756	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 756	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 756	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 920	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 920	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 920	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 920	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1600	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1600	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1600	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1600	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1592	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1592	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1592	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1592	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1256	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1256	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1256	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1256	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 936	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 936	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 936	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 936	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 672	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 672	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 672	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 672	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 768	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 768	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 768	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 768	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1272	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1272	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1272	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1272	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1704	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1704	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1704	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1704	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1924	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1924	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1924	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1924	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1780	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1780	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1780	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1780	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe
PID 1636 wrote to memory of 1512	1636	177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe
"C:\Users\Admin\AppData\Local\Temp\177501cf6dad7ef909b107740a0543f919f62b2ae6aca96b9d7b7da123d202cb.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:520
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:976
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2964
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:920
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1272
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:1780

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2292
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\7207339.txt",MainThread
  2⤵
  PID:2700

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2600
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5b11f38d7dd205030707692ccc04ed18

SHA1
8a508985c3e7b1fe4e90ed2d0d8a8ca083684293

SHA256
ad25edadce20a6fd9896d51e09c5202e104910f4d0754a72d5b172d400b486d0

SHA512
39cf649e13eda958d1a24d9bc78fd1b990f2457f40c09900e6cb60864c4e9784dbd23f7816031de332c43af3ce80e6240c69ee011c83cbb020e82100dfd6b82b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
5b11f38d7dd205030707692ccc04ed18

SHA1
8a508985c3e7b1fe4e90ed2d0d8a8ca083684293

SHA256
ad25edadce20a6fd9896d51e09c5202e104910f4d0754a72d5b172d400b486d0

SHA512
39cf649e13eda958d1a24d9bc78fd1b990f2457f40c09900e6cb60864c4e9784dbd23f7816031de332c43af3ce80e6240c69ee011c83cbb020e82100dfd6b82b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c79612c6033bb53bedb28b2076adf653

SHA1
2c4bb374b91efb03ceca73a4f172908397c41722

SHA256
8de6740892efc9dcec4502142b1634e8d74fa978d8c8c5cce2e3367d4ce0ec6e

SHA512
d3ad4cd929c978afbccce755fc5d8e65d8106486321b379ce7d11f1849cbf3c3d566c1068efc53de3650fcbe88c1e7b0227a7835f99f07f70e01f891bddc0686

Download Submit
C:\Windows\SysWOW64\Ghiya.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\??\c:\windows\SysWOW64\7207339.txt

Filesize
49KB

MD5
19df2f7b0a33f25327a949b626eadad6

SHA1
fa714a9e15b7fc00049b5626f3235a5e368ab4be

SHA256
d5be6aa1a902c9dfba533c60d92378d535e8743e1351bcb86d93cec7cdadac87

SHA512
6b31b4a94435f109efcb9a63db1b8b2b43f17be29051ab6016741c0964a9f71d3f62d4dd3bbb4250c697096e6166ebbc4b676e2c6f53edab732c817ee8873870

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c79612c6033bb53bedb28b2076adf653

SHA1
2c4bb374b91efb03ceca73a4f172908397c41722

SHA256
8de6740892efc9dcec4502142b1634e8d74fa978d8c8c5cce2e3367d4ce0ec6e

SHA512
d3ad4cd929c978afbccce755fc5d8e65d8106486321b379ce7d11f1849cbf3c3d566c1068efc53de3650fcbe88c1e7b0227a7835f99f07f70e01f891bddc0686

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
c79612c6033bb53bedb28b2076adf653

SHA1
2c4bb374b91efb03ceca73a4f172908397c41722

SHA256
8de6740892efc9dcec4502142b1634e8d74fa978d8c8c5cce2e3367d4ce0ec6e

SHA512
d3ad4cd929c978afbccce755fc5d8e65d8106486321b379ce7d11f1849cbf3c3d566c1068efc53de3650fcbe88c1e7b0227a7835f99f07f70e01f891bddc0686

Download Submit
\Windows\SysWOW64\7207339.txt

Filesize
49KB

MD5
19df2f7b0a33f25327a949b626eadad6

SHA1
fa714a9e15b7fc00049b5626f3235a5e368ab4be

SHA256
d5be6aa1a902c9dfba533c60d92378d535e8743e1351bcb86d93cec7cdadac87

SHA512
6b31b4a94435f109efcb9a63db1b8b2b43f17be29051ab6016741c0964a9f71d3f62d4dd3bbb4250c697096e6166ebbc4b676e2c6f53edab732c817ee8873870

Download Submit
\Windows\SysWOW64\7207339.txt

Filesize
49KB

MD5
19df2f7b0a33f25327a949b626eadad6

SHA1
fa714a9e15b7fc00049b5626f3235a5e368ab4be

SHA256
d5be6aa1a902c9dfba533c60d92378d535e8743e1351bcb86d93cec7cdadac87

SHA512
6b31b4a94435f109efcb9a63db1b8b2b43f17be29051ab6016741c0964a9f71d3f62d4dd3bbb4250c697096e6166ebbc4b676e2c6f53edab732c817ee8873870

Download Submit
\Windows\SysWOW64\7207339.txt

Filesize
49KB

MD5
19df2f7b0a33f25327a949b626eadad6

SHA1
fa714a9e15b7fc00049b5626f3235a5e368ab4be

SHA256
d5be6aa1a902c9dfba533c60d92378d535e8743e1351bcb86d93cec7cdadac87

SHA512
6b31b4a94435f109efcb9a63db1b8b2b43f17be29051ab6016741c0964a9f71d3f62d4dd3bbb4250c697096e6166ebbc4b676e2c6f53edab732c817ee8873870

Download Submit
\Windows\SysWOW64\Ghiya.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1340-84-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1340-81-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1340-83-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1636-86-0x00000000062C0000-0x00000000062E9000-memory.dmp

Filesize
164KB

Download
memory/1636-80-0x0000000003930000-0x0000000003957000-memory.dmp

Filesize
156KB

Download
memory/1636-54-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1636-85-0x00000000043F0000-0x0000000004460000-memory.dmp

Filesize
448KB

Download
memory/1636-98-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1636-99-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1636-105-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1636-106-0x0000000000830000-0x0000000000840000-memory.dmp

Filesize
64KB

Download
memory/1636-57-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2528-166-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2528-168-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2528-169-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2528-170-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2528-172-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download