gh0strat | c1103842cdc46be114dff25ae7e3b59e2a014133945d68eaffe02e84b2078b02

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sogou_pinyin_guanwang.exe
Size

181.2MB
MD5

42b9b4f540a534b0b7db83e9aba9d90d
SHA1

57b56ba1dd6f9cf41c181c631f8cf829bab80607
SHA256

c1103842cdc46be114dff25ae7e3b59e2a014133945d68eaffe02e84b2078b02
SHA512

8983df90e6952725b54495516dd328760f9c9e37162589a55c16db2986063d9e0644f47157e9786a473f9da9bb37a5ac74fcbd818493443d17536e1abbc424eb
SSDEEP

3145728:A/kfnZZRUWXNShZNxlb3oeUFRGp/K3GgUCoQKAQ6h398AWXNOQ14BDndvdXi37Dk:jnTLXwXNf4eUSJK39U8KAQ6hN8AW9H1m

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 1 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2180-39236-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2180-39236-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sogou_pinyin_guanwang.exe

Executes dropped EXE 14 IoCs

pid	Process
2180	cxizpasuqff.exe
3064	cxizpasuqff.exe
3144	cxizpasuqff.exe
1316	cxizpasuqff.exe
23652	cxizpasuqff.exe
30660	cxizpasuqff.exe
5440	cxizpasuqff.exe
5376	cxizpasuqff.exe
22396	cxizpasuqff.exe
18416	cxizpasuqff.exe
38344	Phija.exe
36444	cxizpasuqff.exe
71652	Phija.exe
82368	Phija.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	cxizpasuqff.exe
File opened (read-only)	\??\J:	cxizpasuqff.exe
File opened (read-only)	\??\K:	cxizpasuqff.exe
File opened (read-only)	\??\S:	cxizpasuqff.exe
File opened (read-only)	\??\T:	cxizpasuqff.exe
File opened (read-only)	\??\B:	cxizpasuqff.exe
File opened (read-only)	\??\L:	cxizpasuqff.exe
File opened (read-only)	\??\O:	cxizpasuqff.exe
File opened (read-only)	\??\P:	cxizpasuqff.exe
File opened (read-only)	\??\U:	cxizpasuqff.exe
File opened (read-only)	\??\G:	cxizpasuqff.exe
File opened (read-only)	\??\N:	cxizpasuqff.exe
File opened (read-only)	\??\Q:	cxizpasuqff.exe
File opened (read-only)	\??\R:	cxizpasuqff.exe
File opened (read-only)	\??\W:	cxizpasuqff.exe
File opened (read-only)	\??\Y:	cxizpasuqff.exe
File opened (read-only)	\??\E:	cxizpasuqff.exe
File opened (read-only)	\??\H:	cxizpasuqff.exe
File opened (read-only)	\??\M:	cxizpasuqff.exe
File opened (read-only)	\??\V:	cxizpasuqff.exe
File opened (read-only)	\??\X:	cxizpasuqff.exe
File opened (read-only)	\??\Z:	cxizpasuqff.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Phija.exe	cxizpasuqff.exe
File opened for modification	C:\Windows\SysWOW64\Phija.exe	cxizpasuqff.exe
File created	C:\Windows\SysWOW64\Phija.exe	cxizpasuqff.exe
File opened for modification	C:\Windows\SysWOW64\Phija.exe	cxizpasuqff.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 62 IoCs

pid	Process
2180	cxizpasuqff.exe
3064	cxizpasuqff.exe
3144	cxizpasuqff.exe
2180	cxizpasuqff.exe
3064	cxizpasuqff.exe
3144	cxizpasuqff.exe
1316	cxizpasuqff.exe
30660	cxizpasuqff.exe
5440	cxizpasuqff.exe
5440	cxizpasuqff.exe
5440	cxizpasuqff.exe
22396	cxizpasuqff.exe
5440	cxizpasuqff.exe
5376	cxizpasuqff.exe
38344	Phija.exe
5376	cxizpasuqff.exe
38344	Phija.exe
5440	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
71652	Phija.exe
71652	Phija.exe
82368	Phija.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe
18416	cxizpasuqff.exe
5376	cxizpasuqff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
47784	23652	WerFault.exe	93
47752	1316	WerFault.exe	91
47844	30660	WerFault.exe	95
5396	23652	WerFault.exe	93
51328	22396	WerFault.exe	115
63960	36444	WerFault.exe	120
76980	36444	WerFault.exe	120
103660	82368	WerFault.exe	130

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phija.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxizpasuqff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sogou_pinyin_guanwang.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
77236	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cxizpasuqff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	cxizpasuqff.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe
5376	cxizpasuqff.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3064	cxizpasuqff.exe
Token: SeIncBasePriorityPrivilege	2180	cxizpasuqff.exe
Token: SeIncBasePriorityPrivilege	3144	cxizpasuqff.exe
Token: SeIncBasePriorityPrivilege	5440	cxizpasuqff.exe
Token: 33	5376	cxizpasuqff.exe
Token: SeIncBasePriorityPrivilege	5376	cxizpasuqff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 2180	3144	sogou_pinyin_guanwang.exe	84
PID 3144 wrote to memory of 2180	3144	sogou_pinyin_guanwang.exe	84
PID 3144 wrote to memory of 2180	3144	sogou_pinyin_guanwang.exe	84
PID 3144 wrote to memory of 4532	3144	sogou_pinyin_guanwang.exe	86
PID 3144 wrote to memory of 4532	3144	sogou_pinyin_guanwang.exe	86
PID 3144 wrote to memory of 4532	3144	sogou_pinyin_guanwang.exe	86
PID 4532 wrote to memory of 3064	4532	sogou_pinyin_guanwang.exe	87
PID 4532 wrote to memory of 3064	4532	sogou_pinyin_guanwang.exe	87
PID 4532 wrote to memory of 3064	4532	sogou_pinyin_guanwang.exe	87
PID 4532 wrote to memory of 1236	4532	sogou_pinyin_guanwang.exe	88
PID 4532 wrote to memory of 1236	4532	sogou_pinyin_guanwang.exe	88
PID 4532 wrote to memory of 1236	4532	sogou_pinyin_guanwang.exe	88
PID 1236 wrote to memory of 3144	1236	sogou_pinyin_guanwang.exe	89
PID 1236 wrote to memory of 3144	1236	sogou_pinyin_guanwang.exe	89
PID 1236 wrote to memory of 3144	1236	sogou_pinyin_guanwang.exe	89
PID 1236 wrote to memory of 216	1236	sogou_pinyin_guanwang.exe	90
PID 1236 wrote to memory of 216	1236	sogou_pinyin_guanwang.exe	90
PID 1236 wrote to memory of 216	1236	sogou_pinyin_guanwang.exe	90
PID 216 wrote to memory of 1316	216	sogou_pinyin_guanwang.exe	91
PID 216 wrote to memory of 1316	216	sogou_pinyin_guanwang.exe	91
PID 216 wrote to memory of 1316	216	sogou_pinyin_guanwang.exe	91
PID 216 wrote to memory of 3280	216	sogou_pinyin_guanwang.exe	92
PID 216 wrote to memory of 3280	216	sogou_pinyin_guanwang.exe	92
PID 216 wrote to memory of 3280	216	sogou_pinyin_guanwang.exe	92
PID 3280 wrote to memory of 23652	3280	sogou_pinyin_guanwang.exe	93
PID 3280 wrote to memory of 23652	3280	sogou_pinyin_guanwang.exe	93
PID 3280 wrote to memory of 23652	3280	sogou_pinyin_guanwang.exe	93
PID 3280 wrote to memory of 23668	3280	sogou_pinyin_guanwang.exe	94
PID 3280 wrote to memory of 23668	3280	sogou_pinyin_guanwang.exe	94
PID 3280 wrote to memory of 23668	3280	sogou_pinyin_guanwang.exe	94
PID 23668 wrote to memory of 30660	23668	sogou_pinyin_guanwang.exe	95
PID 23668 wrote to memory of 30660	23668	sogou_pinyin_guanwang.exe	95
PID 23668 wrote to memory of 30660	23668	sogou_pinyin_guanwang.exe	95
PID 23668 wrote to memory of 6884	23668	sogou_pinyin_guanwang.exe	96
PID 23668 wrote to memory of 6884	23668	sogou_pinyin_guanwang.exe	96
PID 23668 wrote to memory of 6884	23668	sogou_pinyin_guanwang.exe	96
PID 6884 wrote to memory of 4168	6884	sogou_pinyin_guanwang.exe	108
PID 6884 wrote to memory of 4168	6884	sogou_pinyin_guanwang.exe	108
PID 6884 wrote to memory of 4168	6884	sogou_pinyin_guanwang.exe	108
PID 4168 wrote to memory of 5440	4168	sogou_pinyin_guanwang.exe	111
PID 4168 wrote to memory of 5440	4168	sogou_pinyin_guanwang.exe	111
PID 4168 wrote to memory of 5440	4168	sogou_pinyin_guanwang.exe	111
PID 4168 wrote to memory of 5400	4168	sogou_pinyin_guanwang.exe	112
PID 4168 wrote to memory of 5400	4168	sogou_pinyin_guanwang.exe	112
PID 4168 wrote to memory of 5400	4168	sogou_pinyin_guanwang.exe	112
PID 5400 wrote to memory of 5376	5400	sogou_pinyin_guanwang.exe	113
PID 5400 wrote to memory of 5376	5400	sogou_pinyin_guanwang.exe	113
PID 5400 wrote to memory of 5376	5400	sogou_pinyin_guanwang.exe	113
PID 5400 wrote to memory of 5288	5400	sogou_pinyin_guanwang.exe	114
PID 5400 wrote to memory of 5288	5400	sogou_pinyin_guanwang.exe	114
PID 5400 wrote to memory of 5288	5400	sogou_pinyin_guanwang.exe	114
PID 5288 wrote to memory of 22396	5288	sogou_pinyin_guanwang.exe	115
PID 5288 wrote to memory of 22396	5288	sogou_pinyin_guanwang.exe	115
PID 5288 wrote to memory of 22396	5288	sogou_pinyin_guanwang.exe	115
PID 5288 wrote to memory of 22368	5288	sogou_pinyin_guanwang.exe	116
PID 5288 wrote to memory of 22368	5288	sogou_pinyin_guanwang.exe	116
PID 5288 wrote to memory of 22368	5288	sogou_pinyin_guanwang.exe	116
PID 22368 wrote to memory of 18416	22368	sogou_pinyin_guanwang.exe	117
PID 22368 wrote to memory of 18416	22368	sogou_pinyin_guanwang.exe	117
PID 22368 wrote to memory of 18416	22368	sogou_pinyin_guanwang.exe	117
PID 22368 wrote to memory of 26904	22368	sogou_pinyin_guanwang.exe	118
PID 22368 wrote to memory of 26904	22368	sogou_pinyin_guanwang.exe	118
PID 22368 wrote to memory of 26904	22368	sogou_pinyin_guanwang.exe	118
PID 26904 wrote to memory of 36444	26904	sogou_pinyin_guanwang.exe	120

C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
"C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
  "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
  "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
    "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
    "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
      "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
      "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 484
        6⤵
        Program crash
        
        PID:47752
    - - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3280
      - C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        6⤵
        Executes dropped EXE
        
        PID:23652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23652 -s 484
        7⤵
        Program crash
        
        PID:47784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 23652 -s 492
        7⤵
        Program crash
        
        PID:5396
      - C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:23668
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:30660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 30660 -s 484
        8⤵
        Program crash
        
        PID:47844
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        7⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\CXIZPA~1.EXE > nul
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:77236
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        9⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        10⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5288
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:22396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 22396 -s 484
        12⤵
        Program crash
        
        PID:51328
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        11⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:22368
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:18416
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        12⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:26904
        
        C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe"
        13⤵
        Executes dropped EXE
        
        PID:36444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 36444 -s 484
        14⤵
        Program crash
        
        PID:63960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 36444 -s 492
        14⤵
        Program crash
        
        PID:76980
        
        C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sogou_pinyin_guanwang.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:8240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1316 -ip 1316
1⤵
PID:47308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 23652 -ip 23652
1⤵
PID:47448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 30660 -ip 30660
1⤵
PID:47504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 23652 -ip 23652
1⤵
PID:432

C:\Windows\SysWOW64\Phija.exe
C:\Windows\SysWOW64\Phija.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:38344
- C:\Windows\SysWOW64\Phija.exe
  C:\Windows\SysWOW64\Phija.exe -acsi
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:71652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 22396 -ip 22396
1⤵
PID:70168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 36444 -ip 36444
1⤵
PID:70820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 36444 -ip 36444
1⤵
PID:51760

C:\Windows\SysWOW64\Phija.exe
C:\Windows\SysWOW64\Phija.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:82368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 82368 -s 484
  2⤵
  - Program crash
  PID:103660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\H9dktaBeOIgh1.exe

Filesize
7.7MB

MD5
fcb567580061e72a4fc2f0546c1a16e3

SHA1
e1067931d0a684aad46b65545c9908e93e970747

SHA256
c6dd859819a7e14728cdc3c14fb1e00d94f905b26655fc56c99a0f428cc737ec

SHA512
637020414a2d9f8940cee8665f70bc3e6ebdbdb3676d3a70483c9a32dee917ef5f6db75150f11543f5949fa27fa42420d5e97c6a09338778840caa5c82fad188

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxizpasuqff.exe

Filesize
27.5MB

MD5
5d36204cd16f8081f1711b3910dc6907

SHA1
8eddb28bd6fca46be221e30008153f8f27aa9c09

SHA256
b100cb0d2b60c6caf1ff8e607967f4508c0c7b001f2a45b09fc916a3235dd968

SHA512
302b61b1dd23ce94b8773609c2258ca8503d0f22154c1c7780219981c39bcaa679c68a0d3e32ad4018a27ff2d0000f24151128b3ea716cb88614d9b2a3982f38

Download Submit
memory/1316-65963-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/1316-39267-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/1316-43142-0x0000000075EA0000-0x0000000076040000-memory.dmp

Filesize
1.6MB

Download
memory/1316-46544-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/2180-39224-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-39225-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-39236-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2180-39229-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-4147-0x0000000075EA0000-0x0000000076040000-memory.dmp

Filesize
1.6MB

Download
memory/2180-39222-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-39227-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-7294-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/2180-4497-0x00000000045E0000-0x0000000004789000-memory.dmp

Filesize
1.7MB

Download
memory/2180-15-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/2180-17-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/3064-39223-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3064-39230-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3064-1410-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/3064-39234-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3064-16994-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/3064-12427-0x0000000075EA0000-0x0000000076040000-memory.dmp

Filesize
1.6MB

Download
memory/3064-39232-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3064-39231-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-20518-0x0000000075EA0000-0x0000000076040000-memory.dmp

Filesize
1.6MB

Download
memory/3144-10250-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/3144-39242-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-39226-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-39243-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-39247-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-39235-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/3144-25351-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/5440-65969-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/5440-69843-0x0000000075EA0000-0x0000000076040000-memory.dmp

Filesize
1.6MB

Download
memory/5440-71852-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/5440-82914-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/5440-81513-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/5440-79038-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download
memory/22396-79039-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/23652-43414-0x0000000076C60000-0x0000000076E75000-memory.dmp

Filesize
2.1MB

Download
memory/30660-63657-0x0000000076B50000-0x0000000076BCA000-memory.dmp

Filesize
488KB

Download
memory/30660-65964-0x0000000000400000-0x0000000001F88000-memory.dmp

Filesize
27.5MB

Download