Malware Analysis Report

2024-09-22 14:48

Sample ID 240619-blfrwavfqr
Target 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe
SHA256 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
Tags
upx gh0strat purplefox persistence rat rootkit trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad

Threat Level: Known bad

The file 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe was found to be: Known bad.

Malicious Activity Summary

upx gh0strat purplefox persistence rat rootkit trojan

Gh0strat

Detect PurpleFox Rootkit

PurpleFox

Gh0st RAT payload

Drops file in Drivers directory

Sets service image path in registry

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Enumerates connected drives

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 01:13

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 01:13

Reported

2024-06-19 01:16

Platform

win7-20240508-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1868 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe
PID 1868 wrote to memory of 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2728 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe

"C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\37D67A~1.EXE > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
HK | 206.238.43.201:8080 | | tcp

Files

memory/1868-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1868-1-0x0000000010000000-0x000000001019F000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

MD5 bd50ba38259a5c7a2a376ea20c16d895
SHA1 a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
SHA256 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
SHA512 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66

memory/1868-18-0x0000000000400000-0x0000000000547000-memory.dmp

memory/2748-22-0x0000000000400000-0x0000000000547000-memory.dmp

memory/1868-21-0x0000000002C60000-0x0000000002DA7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 01:13

Reported

2024-06-19 01:16

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\V: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\E: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\L: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Q: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\R: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\T: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\U: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\X: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\H: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\K: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\N: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\O: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\P: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\B: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\I: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\J: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\M: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\S: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\W: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
File opened (read-only) | \??\Y: | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe

"C:\Users\Admin\AppData\Local\Temp\37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phija.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\37D67A~1.EXE > nul

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
HK | 206.238.43.201:8080 | | tcp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 201.43.238.206.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 2.17.107.105:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

memory/3420-0-0x0000000000400000-0x0000000000547000-memory.dmp

memory/3420-1-0x0000000010000000-0x000000001019F000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Phija.exe

MD5 bd50ba38259a5c7a2a376ea20c16d895
SHA1 a23cc9f184aa87b8ca1e5fe1589b192d303fe0dd
SHA256 37d67a422a2c3eac276ec75c6b4600aba1028e244b01a3c9b1e22fbace9dfcad
SHA512 30ebadd2be0c2095e7221c18a58b0799830e321a94bc5e102f48842c331c0b5743565759a5c2e1c635a7fb5efb03e10b2eaf3da4b9a41dd0bfce16a454d16c66

memory/3420-16-0x0000000000400000-0x0000000000547000-memory.dmp

memory/3548-17-0x0000000000400000-0x0000000000547000-memory.dmp

memory/3548-35-0x0000000000400000-0x0000000000547000-memory.dmp