gh0strat | 3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
Size

8.9MB
MD5

1f9ad8367647ae321e2ab53f221ace48
SHA1

e19db0c1288c81909378852c9130983bc65cfcfb
SHA256

3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd
SHA512

7aa1aa242288397027b690d2816763e37f30b87898e781bff617085d41737cfb0a620d9b690ad1abbef3e5b95d487da2601452595d3efc1d80c2fd953b850d04
SSDEEP

196608:Dl1PkID0eA2EhGE9Fy1GlkkyzLSMo/Mpz0YIpP8L2+7/A1Yt:RFm2EgE9Fy0TOkMp1ImL2k/2Yt

Score

10^/10

gh0strat neshta purplefox discovery evasion persistence rat rootkit spyware stealer themida trojan

Malware Config

Signatures

Detect Neshta payload 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023477-2.dat	family_neshta
behavioral2/files/0x000700000002027e-73.dat	family_neshta
behavioral2/memory/2868-169-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2868-172-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2868-175-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2040-34-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/1672-45-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/2040-34-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/1672-45-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ÉÏ¿¨¶Ë.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Phiya.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Phiya.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ÉÏ¿¨¶Ë.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ÉÏ¿¨¶Ë.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	dadoudou_skd1.8.exe

Executes dropped EXE 6 IoCs

pid	Process
2868	dadoudou_skd1.8.exe
400	dadoudou_skd1.8.exe
2040	SB360.exe
2188	ÉÏ¿¨¶Ë.exe
1672	Phiya.exe
5096	Phiya.exe

Loads dropped DLL 3 IoCs

pid	Process
400	dadoudou_skd1.8.exe
400	dadoudou_skd1.8.exe
400	dadoudou_skd1.8.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dadoudou_skd1.8.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000700000002347f-33.dat	themida
behavioral2/memory/2188-68-0x0000000000300000-0x0000000000E9A000-memory.dmp	themida
behavioral2/memory/2188-70-0x0000000000300000-0x0000000000E9A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ÉÏ¿¨¶Ë.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	Phiya.exe
File opened (read-only)	\??\T:	Phiya.exe
File opened (read-only)	\??\Z:	Phiya.exe
File opened (read-only)	\??\E:	Phiya.exe
File opened (read-only)	\??\I:	Phiya.exe
File opened (read-only)	\??\M:	Phiya.exe
File opened (read-only)	\??\O:	Phiya.exe
File opened (read-only)	\??\P:	Phiya.exe
File opened (read-only)	\??\U:	Phiya.exe
File opened (read-only)	\??\V:	Phiya.exe
File opened (read-only)	\??\W:	Phiya.exe
File opened (read-only)	\??\B:	Phiya.exe
File opened (read-only)	\??\L:	Phiya.exe
File opened (read-only)	\??\R:	Phiya.exe
File opened (read-only)	\??\X:	Phiya.exe
File opened (read-only)	\??\Y:	Phiya.exe
File opened (read-only)	\??\G:	Phiya.exe
File opened (read-only)	\??\H:	Phiya.exe
File opened (read-only)	\??\J:	Phiya.exe
File opened (read-only)	\??\K:	Phiya.exe
File opened (read-only)	\??\N:	Phiya.exe
File opened (read-only)	\??\Q:	Phiya.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phiya.exe	SB360.exe
File opened for modification	C:\Windows\SysWOW64\Phiya.exe	SB360.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2188	ÉÏ¿¨¶Ë.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	dadoudou_skd1.8.exe
File created	C:\Program Files\ddd\dadoudou_skd1.8.exe	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	dadoudou_skd1.8.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE	dadoudou_skd1.8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	dadoudou_skd1.8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dadoudou_skd1.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dadoudou_skd1.8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ÉÏ¿¨¶Ë.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4764	cmd.exe
3408	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Phiya.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Phiya.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Phiya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Phiya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Phiya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Phiya.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Phiya.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	dadoudou_skd1.8.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3408	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe
5096	Phiya.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
5096	Phiya.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	SB360.exe
Token: SeLoadDriverPrivilege	5096	Phiya.exe
Token: SeDebugPrivilege	2188	ÉÏ¿¨¶Ë.exe
Token: 33	5096	Phiya.exe
Token: SeIncBasePriorityPrivilege	5096	Phiya.exe
Token: 33	5096	Phiya.exe
Token: SeIncBasePriorityPrivilege	5096	Phiya.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3644	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
3644	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
400	dadoudou_skd1.8.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 2868	3644	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe	84
PID 3644 wrote to memory of 2868	3644	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe	84
PID 3644 wrote to memory of 2868	3644	3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe	84
PID 2868 wrote to memory of 400	2868	dadoudou_skd1.8.exe	85
PID 2868 wrote to memory of 400	2868	dadoudou_skd1.8.exe	85
PID 2868 wrote to memory of 400	2868	dadoudou_skd1.8.exe	85
PID 400 wrote to memory of 4612	400	dadoudou_skd1.8.exe	86
PID 400 wrote to memory of 4612	400	dadoudou_skd1.8.exe	86
PID 400 wrote to memory of 4612	400	dadoudou_skd1.8.exe	86
PID 400 wrote to memory of 1480	400	dadoudou_skd1.8.exe	87
PID 400 wrote to memory of 1480	400	dadoudou_skd1.8.exe	87
PID 400 wrote to memory of 1480	400	dadoudou_skd1.8.exe	87
PID 4612 wrote to memory of 2040	4612	cmd.exe	90
PID 4612 wrote to memory of 2040	4612	cmd.exe	90
PID 4612 wrote to memory of 2040	4612	cmd.exe	90
PID 1480 wrote to memory of 2188	1480	cmd.exe	91
PID 1480 wrote to memory of 2188	1480	cmd.exe	91
PID 1480 wrote to memory of 2188	1480	cmd.exe	91
PID 2040 wrote to memory of 4764	2040	SB360.exe	93
PID 2040 wrote to memory of 4764	2040	SB360.exe	93
PID 2040 wrote to memory of 4764	2040	SB360.exe	93
PID 1672 wrote to memory of 5096	1672	Phiya.exe	94
PID 1672 wrote to memory of 5096	1672	Phiya.exe	94
PID 1672 wrote to memory of 5096	1672	Phiya.exe	94
PID 4764 wrote to memory of 3408	4764	cmd.exe	96
PID 4764 wrote to memory of 3408	4764	cmd.exe	96
PID 4764 wrote to memory of 3408	4764	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe
"C:\Users\Admin\AppData\Local\Temp\3b2c20bfda08e4854ee1822936404eb4080073d4a101d6a1297cf6ecf7056cbd.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Program Files\ddd\dadoudou_skd1.8.exe
  "C:\Program Files\ddd\dadoudou_skd1.8.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\SB360.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\SB360.exe
        
        C:\Users\Admin\AppData\Local\Temp\\SB360.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SB360.exe > nul
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÉÏ¿¨¶Ë.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Users\Admin\AppData\Local\Temp\ÉÏ¿¨¶Ë.exe
        
        C:\Users\Admin\AppData\Local\Temp\\ÉÏ¿¨¶Ë.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188

C:\Windows\SysWOW64\Phiya.exe
C:\Windows\SysWOW64\Phiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\Phiya.exe
  C:\Windows\SysWOW64\Phiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe

Filesize
9.4MB

MD5
322302633e36360a24252f6291cdfc91

SHA1
238ed62353776c646957efefc0174c545c2afa3d

SHA256
31da9632f5d25806b77b617d48da52a14afc574bbe1653120f97705284ea566c

SHA512
5a1f7c44ce7f5036bffc18ebac39e2bf70e6f35fa252617d665b26448f4c4473adfa115467b7e2d9b7068823e448f74410cdcdfef1ac1c09021e051921787373

Download Submit
C:\Program Files\ddd\dadoudou_skd1.8.exe

Filesize
8.3MB

MD5
19c6b4bd8d9963b05ebf55a829a048d9

SHA1
16e5c75e74f1aa7cd5cc70d336f65c5d5f07a9e3

SHA256
e17205c47fed992a15c0b5e4520601a6aae94075c4b7d7902fe6192345d65545

SHA512
aab1ebf2033d1a7db2ca0928f9e38e8a5a78b86d4ac409c62b7047bf73ea4ee6560e937d30cbfa584e7dfc7ea1889eb59e883c44c5dac9cfd09322c2f91c7ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dadoudou_skd1.8.exe

Filesize
8.2MB

MD5
e3583f6b5670ebec804bf2e7aa3cd325

SHA1
94b8fc19bcb0cb7c4267ecba71d3166c9fdd90de

SHA256
5afd815d7ad1bba7510f591d789e8efe10802a37a5e579d6ee9e7a26161c7524

SHA512
10607de92cadd9f200ae57180a10bc497fbb8a96004ed5eaad37ce2e5e76bf90ab6fef229401a584e4fd97ccb820930f0e464307d1ad2ec96ca397e7292eda03

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.1MB

MD5
97c8fe752e354b2945e4c593a87e4a8b

SHA1
03ab4c91535ecf14b13e0258f3a7be459a7957f9

SHA256
820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

SHA512
af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
56KB

MD5
d63851f89c7ad4615565ca300e8b8e27

SHA1
1c9a6c1ce94581f85be0e99e2d370384b959578f

SHA256
0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

SHA512
623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB360.exe

Filesize
1.3MB

MD5
81250dab88064c74cef402a33d906934

SHA1
ce063f39ccd18b5a9a1c0be221cd9f3bec557729

SHA256
3690b1a6c63b925b6f34a84e86befcb816c99e8d9bb06611520262310aeaa5f2

SHA512
497f8e9c57f8a45afc4b131a95ca6a1a897fad55773ac49aa0d47efd642518c0d028b59c9e54aa3b12551c1e0c99fa6e78f71f0fe5a9748d8f14b007e3e1cbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÉÏ¿¨¶Ë.exe

Filesize
6.4MB

MD5
7fd0a3aa60c35d5eba5249f354216e02

SHA1
50eb2680fb4d1de48e542fbaea16aa85bdfd924f

SHA256
9392e25660fc55b43f03dfe57312ec0e6c540322640234caff8032f325050a72

SHA512
de5ad23ce99bf61595b436f0ca23179a3e577751dc2a91192f863329a38bae92c1e0ca85cd6f1ac548145cac1714b7a6b667e5891bde9d729a3a774fc4fa7551

Download Submit
memory/400-12-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/400-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/400-22-0x0000000002060000-0x0000000002074000-memory.dmp

Filesize
80KB

Download
memory/1672-45-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2040-34-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2188-92-0x0000000005A10000-0x0000000005A86000-memory.dmp

Filesize
472KB

Download
memory/2188-107-0x0000000006280000-0x0000000006824000-memory.dmp

Filesize
5.6MB

Download
memory/2188-68-0x0000000000300000-0x0000000000E9A000-memory.dmp

Filesize
11.6MB

Download
memory/2188-86-0x0000000005960000-0x000000000599A000-memory.dmp

Filesize
232KB

Download
memory/2188-88-0x00000000059C0000-0x00000000059DA000-memory.dmp

Filesize
104KB

Download
memory/2188-42-0x0000000000300000-0x0000000000E9A000-memory.dmp

Filesize
11.6MB

Download
memory/2188-94-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2188-70-0x0000000000300000-0x0000000000E9A000-memory.dmp

Filesize
11.6MB

Download
memory/2188-121-0x0000000005FD0000-0x0000000006082000-memory.dmp

Filesize
712KB

Download
memory/2188-155-0x0000000009550000-0x0000000009558000-memory.dmp

Filesize
32KB

Download
memory/2188-156-0x0000000009E00000-0x0000000009E38000-memory.dmp

Filesize
224KB

Download
memory/2188-157-0x0000000009600000-0x000000000960E000-memory.dmp

Filesize
56KB

Download
memory/2188-171-0x0000000000300000-0x0000000000E9A000-memory.dmp

Filesize
11.6MB

Download
memory/2868-169-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-172-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2868-175-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download