gh0strat | 3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-08-2023 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
Size

1.2MB
MD5

e8c8c6b9b5c7dc92022d723e7964d0a7
SHA1

9ecea5d2bc60cf74db84c57489b88ab692b6212e
SHA256

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd
SHA512

660daedbf02d7df29072d190421409c6edbc364524519f8aead91934eafd2736c1639197b95d6f3658d5f5378e0f6695d3002d77ab60b909420864ec29728516
SSDEEP

24576:9WnukjaDKSnYBzaJbjSoGF9LzpELx3N/nHwhHK28URjX+m:MnTjaD/9v6Vcx9HwNhum

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2536-78-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2536-79-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2456-92-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2536-102-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2456-101-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2980-108-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2980-111-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/2980-118-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 13 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259428726.txt	family_gh0strat
behavioral1/memory/2536-78-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2536-79-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259428726.txt	family_gh0strat
\??\c:\windows\SysWOW64\259428726.txt	family_gh0strat
behavioral1/memory/2456-92-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2536-102-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2456-101-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2980-106-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2980-108-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2980-111-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/2980-118-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
\Windows\SysWOW64\259428726.txt	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

Ghiya.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys Ghiya.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AK47.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259428726.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

Ghiya.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Ghiya.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Drops startup file 1 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

Executes dropped EXE 6 IoCs

Processes:

AK47.exeAK47.exeAK74.exeGhiya.exeGhiya.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid process

2796 AK47.exe
2056 AK47.exe
2536 AK74.exe
2456 Ghiya.exe
2980 Ghiya.exe
1620 Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
2796	AK47.exe
2056	AK47.exe
2536	AK74.exe
2456	Ghiya.exe
2980	Ghiya.exe
1620	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 10 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exeAK47.exesvchost.exeGhiya.exeÖ÷¶¯·ÀÓù·þÎñÄ£¿é.exe

pid	process
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2796	AK47.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2068	svchost.exe
2456	Ghiya.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2068	svchost.exe
1620	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2536-75-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2536-78-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2536-79-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2456-92-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2536-102-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2456-101-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2980-106-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2980-108-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2980-111-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/2980-118-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2340-54-0x0000000000400000-0x0000000000761000-memory.dmp	vmprotect
behavioral1/memory/2340-55-0x0000000000400000-0x0000000000761000-memory.dmp	vmprotect
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe	vmprotect
behavioral1/memory/2340-135-0x0000000000400000-0x0000000000761000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

Drops file in System32 directory 7 IoCs

Processes:

AK74.exesvchost.exeAK47.exeAK47.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\259428726.txt	AK47.exe
File created	C:\Windows\SysWOW64\259428726.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1748 PING.EXE

pid	process
1748	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

pid	process
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

Ghiya.exe

pid process

2980 Ghiya.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

pid process

2340 3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

pid	process
2980	Ghiya.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

AK74.exeGhiya.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2536	AK74.exe
Token: SeLoadDriverPrivilege	2980	Ghiya.exe
Token: 33	2980	Ghiya.exe
Token: SeIncBasePriorityPrivilege	2980	Ghiya.exe
Token: 33	2980	Ghiya.exe
Token: SeIncBasePriorityPrivilege	2980	Ghiya.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

pid	process
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exeAK74.exeGhiya.execmd.exesvchost.exe

description	pid	process	target process
PID 2340 wrote to memory of 2796	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2796	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2796	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2796	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2056	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2056	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2056	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2056	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK47.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2340 wrote to memory of 2536	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	AK74.exe
PID 2536 wrote to memory of 2936	2536	AK74.exe	cmd.exe
PID 2536 wrote to memory of 2936	2536	AK74.exe	cmd.exe
PID 2536 wrote to memory of 2936	2536	AK74.exe	cmd.exe
PID 2536 wrote to memory of 2936	2536	AK74.exe	cmd.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2456 wrote to memory of 2980	2456	Ghiya.exe	Ghiya.exe
PID 2936 wrote to memory of 1748	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 1748	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 1748	2936	cmd.exe	PING.EXE
PID 2936 wrote to memory of 1748	2936	cmd.exe	PING.EXE
PID 2340 wrote to memory of 2740	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2740	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2740	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2740	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2756	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2756	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2756	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2340 wrote to memory of 2756	2340	3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe	WScript.exe
PID 2068 wrote to memory of 1620	2068	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2068 wrote to memory of 1620	2068	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2068 wrote to memory of 1620	2068	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
PID 2068 wrote to memory of 1620	2068	svchost.exe	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

C:\Users\Admin\AppData\Local\Temp\3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe
"C:\Users\Admin\AppData\Local\Temp\3aaad36391d35f47a349809ba687043fc95b2d2f71dd0ca7f0d57661bf0c15cd.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\AK47.exe
"C:\Users\Admin\AppData\Local\Temp\AK47.exe"
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796

C:\Users\Admin\AppData\Local\Temp\AK47.exe
C:\Users\Admin\AppData\Local\Temp\\AK47.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056

C:\Users\Admin\AppData\Local\Temp\AK74.exe
C:\Users\Admin\AppData\Local\Temp\\AK74.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1748

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:2740

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
2⤵
PID:2756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259428726.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:2516

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
Filesize
92B

MD5
d0c27806f31b93b9fc2f40725c83fe20

SHA1
59b05bb965b9f9670f7b91c70e9e2175f6249f50

SHA256
827d79897a4ae98726ba7df9e70a554976117bfdd7e4867047011e1260b82e8e

SHA512
00755e257773645293e6330aef499a96562f65076f616d539c4dd91b13f6b67d8ebe936881edd0c10b2da3ca67e4a854f3d708c594fba291dab83897d890a4fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
85a7cd2ff28079eff902e71906694ba4

SHA1
331733cb6053324149b45f747248e88c3e541177

SHA256
8f65951e5b2958e7056d0f97e5c1d4f23ecbe1bbc3c4f2bb2ba7fa4de7e66e24

SHA512
ca0865a1270a2525d36d9ee6b1551b12c9a5f592c99b14c5679d11c1d8b468c19ec462ec7001730ddcc0702af6a3d72ce0c1380aa0ecf94a691b80ead4afe2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
Filesize
753B

MD5
85a7cd2ff28079eff902e71906694ba4

SHA1
331733cb6053324149b45f747248e88c3e541177

SHA256
8f65951e5b2958e7056d0f97e5c1d4f23ecbe1bbc3c4f2bb2ba7fa4de7e66e24

SHA512
ca0865a1270a2525d36d9ee6b1551b12c9a5f592c99b14c5679d11c1d8b468c19ec462ec7001730ddcc0702af6a3d72ce0c1380aa0ecf94a691b80ead4afe2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.2MB

MD5
cbdbd6aad3c73cabe64feb4ce6f264e4

SHA1
b7b6a2e168db3f5b65f95cbd5df2e44e8cb7a0fd

SHA256
028dc259e2a8223b5ce435b9a3853ca60ba85d8bf9949d146686bb044e176668

SHA512
3226f002f505b0ba15f07e8c5f829e7293912353aca20b93cc3a06a844123f7ae37ea99ae0567bd1a97e2a4421f83e1fe38fc5e6cc651dc78b40a1b5ad450aec

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
\??\c:\windows\SysWOW64\259428726.txt
Filesize
49KB

MD5
cc51cac3472ae7035198e6342584435c

SHA1
0dbfbd8a6d00ad42bf308dbc48dcb1672ce82d18

SHA256
4f26b2922965dcde333c86f1410cb0e79b2300cb015e301f63ed11fd3fb6c69c

SHA512
2c8178a7f214f3c4abcac94d89c348bda771139d609d7238436fd3d5cad7b3508b8105b8186d1e62c73dd2a3a8cd2bf1193b9229d51aa557e807381e639ad357

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK47.exe
Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
\Users\Admin\AppData\Local\Temp\AK74.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.2MB

MD5
cbdbd6aad3c73cabe64feb4ce6f264e4

SHA1
b7b6a2e168db3f5b65f95cbd5df2e44e8cb7a0fd

SHA256
028dc259e2a8223b5ce435b9a3853ca60ba85d8bf9949d146686bb044e176668

SHA512
3226f002f505b0ba15f07e8c5f829e7293912353aca20b93cc3a06a844123f7ae37ea99ae0567bd1a97e2a4421f83e1fe38fc5e6cc651dc78b40a1b5ad450aec

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
Filesize
1.2MB

MD5
cbdbd6aad3c73cabe64feb4ce6f264e4

SHA1
b7b6a2e168db3f5b65f95cbd5df2e44e8cb7a0fd

SHA256
028dc259e2a8223b5ce435b9a3853ca60ba85d8bf9949d146686bb044e176668

SHA512
3226f002f505b0ba15f07e8c5f829e7293912353aca20b93cc3a06a844123f7ae37ea99ae0567bd1a97e2a4421f83e1fe38fc5e6cc651dc78b40a1b5ad450aec

Download Submit
\Windows\SysWOW64\259428726.txt
Filesize
49KB

MD5
cc51cac3472ae7035198e6342584435c

SHA1
0dbfbd8a6d00ad42bf308dbc48dcb1672ce82d18

SHA256
4f26b2922965dcde333c86f1410cb0e79b2300cb015e301f63ed11fd3fb6c69c

SHA512
2c8178a7f214f3c4abcac94d89c348bda771139d609d7238436fd3d5cad7b3508b8105b8186d1e62c73dd2a3a8cd2bf1193b9229d51aa557e807381e639ad357

Download Submit
\Windows\SysWOW64\259428726.txt
Filesize
49KB

MD5
cc51cac3472ae7035198e6342584435c

SHA1
0dbfbd8a6d00ad42bf308dbc48dcb1672ce82d18

SHA256
4f26b2922965dcde333c86f1410cb0e79b2300cb015e301f63ed11fd3fb6c69c

SHA512
2c8178a7f214f3c4abcac94d89c348bda771139d609d7238436fd3d5cad7b3508b8105b8186d1e62c73dd2a3a8cd2bf1193b9229d51aa557e807381e639ad357

Download Submit
\Windows\SysWOW64\259428726.txt
Filesize
49KB

MD5
cc51cac3472ae7035198e6342584435c

SHA1
0dbfbd8a6d00ad42bf308dbc48dcb1672ce82d18

SHA256
4f26b2922965dcde333c86f1410cb0e79b2300cb015e301f63ed11fd3fb6c69c

SHA512
2c8178a7f214f3c4abcac94d89c348bda771139d609d7238436fd3d5cad7b3508b8105b8186d1e62c73dd2a3a8cd2bf1193b9229d51aa557e807381e639ad357

Download Submit
\Windows\SysWOW64\Ghiya.exe
Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2340-54-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/2340-125-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2340-55-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/2340-137-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2340-136-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2340-135-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/2340-127-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/2456-101-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2456-92-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2536-75-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2536-102-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2536-78-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2536-79-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2980-106-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2980-111-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2980-108-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2980-118-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download