Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-05-2024 04:05
Static task
static1
Behavioral task
behavioral1
Sample
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe
Resource
win7-20240221-en
General
-
Target
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe
-
Size
3.0MB
-
MD5
dbdcba579712bb10c7a344394d555a70
-
SHA1
46f76cc72521de1bf792e1f354e35cadf67a7171
-
SHA256
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3
-
SHA512
5b788f8aabbbcae5e0105bb899b378669cbfc39b6d49b09c6510b28e3e2941dfb01ce9309eac267a55ad62303aac155bdfed6b24300672ab12e83538a7e2662c
-
SSDEEP
98304:2oo0b+Djihd+BbSiXnnxxwoax6JBAUZL+:zCa7+BusxLJVy
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1924-13-0x0000000010000000-0x00000000101A0000-memory.dmp purplefox_rootkit behavioral1/memory/1924-29-0x0000000000400000-0x0000000000543000-memory.dmp purplefox_rootkit behavioral1/memory/3036-32-0x0000000000400000-0x0000000000543000-memory.dmp purplefox_rootkit behavioral1/memory/2408-33-0x0000000010000000-0x00000000101A0000-memory.dmp purplefox_rootkit behavioral1/memory/2408-53-0x0000000000400000-0x0000000000543000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1924-11-0x0000000000400000-0x0000000000543000-memory.dmp family_gh0strat behavioral1/memory/1924-13-0x0000000010000000-0x00000000101A0000-memory.dmp family_gh0strat behavioral1/memory/1924-29-0x0000000000400000-0x0000000000543000-memory.dmp family_gh0strat behavioral1/memory/3036-32-0x0000000000400000-0x0000000000543000-memory.dmp family_gh0strat behavioral1/memory/2408-33-0x0000000010000000-0x00000000101A0000-memory.dmp family_gh0strat behavioral1/memory/2408-53-0x0000000000400000-0x0000000000543000-memory.dmp family_gh0strat -
Drops file in Drivers directory 1 IoCs
Processes:
Ghiya.exedescription ioc process File created C:\Windows\system32\drivers\QAssist.sys Ghiya.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
Ghiya.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Ghiya.exe -
Executes dropped EXE 4 IoCs
Processes:
»ª¸ç0528.exeGhiya.exeGhiya.exe1.exepid process 1924 »ª¸ç0528.exe 3036 Ghiya.exe 2408 Ghiya.exe 2464 1.exe -
Loads dropped DLL 2 IoCs
Processes:
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exepid process 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\»ª¸ç0528.exe upx behavioral1/memory/2812-5-0x0000000002270000-0x00000000023B3000-memory.dmp upx behavioral1/memory/1924-11-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral1/memory/1924-29-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral1/memory/3036-32-0x0000000000400000-0x0000000000543000-memory.dmp upx behavioral1/memory/2408-53-0x0000000000400000-0x0000000000543000-memory.dmp upx -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Ghiya.exedescription ioc process File opened (read-only) \??\S: Ghiya.exe File opened (read-only) \??\X: Ghiya.exe File opened (read-only) \??\G: Ghiya.exe File opened (read-only) \??\N: Ghiya.exe File opened (read-only) \??\O: Ghiya.exe File opened (read-only) \??\P: Ghiya.exe File opened (read-only) \??\R: Ghiya.exe File opened (read-only) \??\Q: Ghiya.exe File opened (read-only) \??\T: Ghiya.exe File opened (read-only) \??\U: Ghiya.exe File opened (read-only) \??\B: Ghiya.exe File opened (read-only) \??\E: Ghiya.exe File opened (read-only) \??\J: Ghiya.exe File opened (read-only) \??\K: Ghiya.exe File opened (read-only) \??\M: Ghiya.exe File opened (read-only) \??\Y: Ghiya.exe File opened (read-only) \??\Z: Ghiya.exe File opened (read-only) \??\H: Ghiya.exe File opened (read-only) \??\V: Ghiya.exe File opened (read-only) \??\I: Ghiya.exe File opened (read-only) \??\L: Ghiya.exe File opened (read-only) \??\W: Ghiya.exe -
Drops file in System32 directory 2 IoCs
Processes:
»ª¸ç0528.exedescription ioc process File created C:\Windows\SysWOW64\Ghiya.exe »ª¸ç0528.exe File opened for modification C:\Windows\SysWOW64\Ghiya.exe »ª¸ç0528.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2916 2464 WerFault.exe 1.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Ghiya.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Ghiya.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Ghiya.exe -
Modifies data under HKEY_USERS 12 IoCs
Processes:
Ghiya.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings Ghiya.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\Software Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Ghiya.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Ghiya.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft Ghiya.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie Ghiya.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Ghiya.exepid process 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe 2408 Ghiya.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
Ghiya.exepid process 2408 Ghiya.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
»ª¸ç0528.exeGhiya.exedescription pid process Token: SeIncBasePriorityPrivilege 1924 »ª¸ç0528.exe Token: SeLoadDriverPrivilege 2408 Ghiya.exe Token: 33 2408 Ghiya.exe Token: SeIncBasePriorityPrivilege 2408 Ghiya.exe Token: 33 2408 Ghiya.exe Token: SeIncBasePriorityPrivilege 2408 Ghiya.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe1.exepid process 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 2464 1.exe 2464 1.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe»ª¸ç0528.exeGhiya.execmd.exe1.exedescription pid process target process PID 2812 wrote to memory of 1924 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe »ª¸ç0528.exe PID 2812 wrote to memory of 1924 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe »ª¸ç0528.exe PID 2812 wrote to memory of 1924 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe »ª¸ç0528.exe PID 2812 wrote to memory of 1924 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe »ª¸ç0528.exe PID 1924 wrote to memory of 2548 1924 »ª¸ç0528.exe cmd.exe PID 1924 wrote to memory of 2548 1924 »ª¸ç0528.exe cmd.exe PID 1924 wrote to memory of 2548 1924 »ª¸ç0528.exe cmd.exe PID 1924 wrote to memory of 2548 1924 »ª¸ç0528.exe cmd.exe PID 3036 wrote to memory of 2408 3036 Ghiya.exe Ghiya.exe PID 3036 wrote to memory of 2408 3036 Ghiya.exe Ghiya.exe PID 3036 wrote to memory of 2408 3036 Ghiya.exe Ghiya.exe PID 3036 wrote to memory of 2408 3036 Ghiya.exe Ghiya.exe PID 2548 wrote to memory of 2600 2548 cmd.exe PING.EXE PID 2548 wrote to memory of 2600 2548 cmd.exe PING.EXE PID 2548 wrote to memory of 2600 2548 cmd.exe PING.EXE PID 2548 wrote to memory of 2600 2548 cmd.exe PING.EXE PID 2812 wrote to memory of 2464 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 1.exe PID 2812 wrote to memory of 2464 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 1.exe PID 2812 wrote to memory of 2464 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 1.exe PID 2812 wrote to memory of 2464 2812 6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe 1.exe PID 2464 wrote to memory of 2916 2464 1.exe WerFault.exe PID 2464 wrote to memory of 2916 2464 1.exe WerFault.exe PID 2464 wrote to memory of 2916 2464 1.exe WerFault.exe PID 2464 wrote to memory of 2916 2464 1.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe"C:\Users\Admin\AppData\Local\Temp\6d63304e10db535e95b5fc2dcdb27d85a5a364ed8a9df7e536249586738bb7f3.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exeC:\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\0528~1.EXE > nul3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- Runs ping.exe
-
C:\1.exeC:\1.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 5723⤵
- Program crash
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\1.exeFilesize
2.0MB
MD5bafb857b13d2ef0c14597e0b714c3ab4
SHA16d89ab8e303db39f5cd55f643fa1449a554bab49
SHA25659656c9826aeb3a543064724e4f091469ac04429c80db9416b389c0f48f47c5f
SHA512c6fd61482b03b3ac6c9a7815825fcc974986c8bf6dfaeb6466ad591c32957f5e6cdbe6aba23f995989a5b3fa180292b54c81c55bfe74e0dddd7a6065936a4043
-
\Users\Admin\AppData\Local\Temp\»ª¸ç0528.exeFilesize
357KB
MD51e7965a5200d61cbfccedf12a04a6076
SHA11c0038a124ccd9ba4f1e1857f15ea32b06cb107d
SHA2566f2da003627c0287fbd5666fbc2e55f15dcbbd536937fa7d5df0b0c0df5fb787
SHA512e6268c7314f48b4e11f3f222243bb326aed62cd3d334fa4f32e7e760063fa2937f3ea1900d90cd2f97a4b5f0cc512b1fe43b28162f5f27d2b7728aee7bc51db3
-
memory/1924-11-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/1924-13-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/1924-29-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/2408-33-0x0000000010000000-0x00000000101A0000-memory.dmpFilesize
1.6MB
-
memory/2408-53-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB
-
memory/2812-5-0x0000000002270000-0x00000000023B3000-memory.dmpFilesize
1.3MB
-
memory/3036-32-0x0000000000400000-0x0000000000543000-memory.dmpFilesize
1.3MB