gh0strat | 89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e

Analysis

max time kernel
105s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2025, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
Size

1.2MB
MD5

3dd58b4c0d665cf77f4c74a9201d9217
SHA1

ffd7d0def133fafb49de232815d1521e1c54d707
SHA256

89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e
SHA512

18f39cc07348d794e7bb6b0ada81c50f1f6437a0ec1a7d6a0cd556f5e97ec769c4003f6748ab702a26a7545d2ea9c7b1dfdb39437b28d849c331c3e1e0ba9815
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtil:WIwgMEuy+inDfp3/XoCw57XYBwKl

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/3156-31-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/3156-30-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/4008-39-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/4008-38-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/3816-45-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/3816-53-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/3816-54-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/files/0x0009000000024017-17.dat	family_gh0strat
behavioral1/memory/3156-31-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/3156-30-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/4008-39-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/4008-38-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/3816-45-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/3816-53-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral1/memory/3816-54-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240624484.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240626828.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	svchcst.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe

Executes dropped EXE 12 IoCs

pid	Process
3520	AK47.exe
456	AK47.exe
3156	AK74.exe
4008	Ghiya.exe
3816	Ghiya.exe
2984	svchcst.exe
4204	AK47.exe
3676	AK47.exe
4348	AK74.exe
2532	Ghiya.exe
4744	Ghiya.exe
1632	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Loads dropped DLL 4 IoCs

pid	Process
3520	AK47.exe
5036	svchost.exe
3676	AK47.exe
1632	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/432-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/files/0x000800000002401e-61.dat	vmprotect
behavioral1/memory/2984-107-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-112-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-115-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-118-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-122-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-125-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-128-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral1/memory/432-131-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240624484.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240626828.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240624484.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240626828.txt	AK47.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3156-31-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/3156-30-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/3156-28-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/4008-36-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/4008-39-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/4008-38-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/3816-45-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/3816-53-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral1/memory/3816-54-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4356	cmd.exe
1868	PING.EXE
4380	cmd.exe
976	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1868	PING.EXE
976	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3816	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3156	AK74.exe
Token: SeLoadDriverPrivilege	3816	Ghiya.exe
Token: SeIncBasePriorityPrivilege	4348	AK74.exe
Token: 33	3816	Ghiya.exe
Token: SeIncBasePriorityPrivilege	3816	Ghiya.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
2984	svchcst.exe
2984	svchcst.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 456	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	89
PID 432 wrote to memory of 456	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	89
PID 432 wrote to memory of 456	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	89
PID 432 wrote to memory of 3520	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	90
PID 432 wrote to memory of 3520	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	90
PID 432 wrote to memory of 3520	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	90
PID 432 wrote to memory of 3156	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	93
PID 432 wrote to memory of 3156	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	93
PID 432 wrote to memory of 3156	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	93
PID 4008 wrote to memory of 3816	4008	Ghiya.exe	97
PID 4008 wrote to memory of 3816	4008	Ghiya.exe	97
PID 4008 wrote to memory of 3816	4008	Ghiya.exe	97
PID 3156 wrote to memory of 4356	3156	AK74.exe	98
PID 3156 wrote to memory of 4356	3156	AK74.exe	98
PID 3156 wrote to memory of 4356	3156	AK74.exe	98
PID 432 wrote to memory of 3592	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	101
PID 432 wrote to memory of 3592	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	101
PID 432 wrote to memory of 3592	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	101
PID 432 wrote to memory of 748	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	100
PID 432 wrote to memory of 748	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	100
PID 432 wrote to memory of 748	432	89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe	100
PID 2832 wrote to memory of 2984	2832	cmd.exe	104
PID 2832 wrote to memory of 2984	2832	cmd.exe	104
PID 2832 wrote to memory of 2984	2832	cmd.exe	104
PID 2984 wrote to memory of 4204	2984	svchcst.exe	107
PID 2984 wrote to memory of 4204	2984	svchcst.exe	107
PID 2984 wrote to memory of 4204	2984	svchcst.exe	107
PID 2984 wrote to memory of 3676	2984	svchcst.exe	108
PID 2984 wrote to memory of 3676	2984	svchcst.exe	108
PID 2984 wrote to memory of 3676	2984	svchcst.exe	108
PID 4356 wrote to memory of 1868	4356	cmd.exe	106
PID 4356 wrote to memory of 1868	4356	cmd.exe	106
PID 4356 wrote to memory of 1868	4356	cmd.exe	106
PID 2984 wrote to memory of 4348	2984	svchcst.exe	109
PID 2984 wrote to memory of 4348	2984	svchcst.exe	109
PID 2984 wrote to memory of 4348	2984	svchcst.exe	109
PID 4348 wrote to memory of 4380	4348	AK74.exe	111
PID 4348 wrote to memory of 4380	4348	AK74.exe	111
PID 4348 wrote to memory of 4380	4348	AK74.exe	111
PID 2532 wrote to memory of 4744	2532	Ghiya.exe	112
PID 2532 wrote to memory of 4744	2532	Ghiya.exe	112
PID 2532 wrote to memory of 4744	2532	Ghiya.exe	112
PID 4380 wrote to memory of 976	4380	cmd.exe	114
PID 4380 wrote to memory of 976	4380	cmd.exe	114
PID 4380 wrote to memory of 976	4380	cmd.exe	114
PID 5036 wrote to memory of 1632	5036	svchost.exe	117
PID 5036 wrote to memory of 1632	5036	svchost.exe	117
PID 5036 wrote to memory of 1632	5036	svchost.exe	117

C:\Users\Admin\AppData\Local\Temp\89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe
"C:\Users\Admin\AppData\Local\Temp\89bf6046751f7d84961c8d1a65657b07c3fd56c8485e600e99868a92d8a8291e.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:456
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3520
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3592

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:5080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240624484.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1632

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\AK47.exe
    "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:4204
- - C:\Users\Admin\AppData\Local\Temp\AK47.exe
    C:\Users\Admin\AppData\Local\Temp\\AK47.exe
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:3676
- - C:\Users\Admin\AppData\Local\Temp\AK74.exe
    C:\Users\Admin\AppData\Local\Temp\\AK74.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:976

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
7e3e7846313d3683ef8083bc30df2811

SHA1
91809d40e3e607a8a3b202aab6e4b0cd70a7a2fd

SHA256
069ed69f78676228a62efb8891b484afa2a995758bc7d7f30d3209cb56c1e186

SHA512
a1c26d2abd5c3faac302bebdb9402df11fb5402364683cfd01662908cdf9f91f438167800fc8ff7705d6a5a2b89fd3ab8ee0b517b73b79614327ae3dba8228ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
7a3743a8b5bdd5453bc4b146abc6162b

SHA1
da4af1e688e11f4cb0951f430590c363635a40d6

SHA256
6e21f62c4c81c52a46c134c0f053b61bf2ef9d9635d4ee7ad500d9aef245acf3

SHA512
67510aabf68ac076fd9e558048b255fe10ad6475b80995f53c0095d38a5275ff8f8d64694fac1dd530967541e0d1633efe078378678a1533f1a7f504680188ab

Download Submit
C:\Windows\SysWOW64\240624484.txt

Filesize
49KB

MD5
8d0aab368af4b76e758595c892df236e

SHA1
a90618f3a5275ee320f7786628c4dfbc81b0e919

SHA256
c22dea984fc2ed5f3f3b80d77c969fa632858abcc53e411629fa34bacbb4168c

SHA512
34ac0a9e93f49584a17a48687e36686fd9d9dc6a87907005e3612f8393efb573580e6c0ffa7af95b1317fc4c95209980410dded3bb36b5276d32a561d2c099e5

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
45B

MD5
120f7879c835573b5b2109b1f58b5c7e

SHA1
17d0dfcbc0263d4738648b712ec1a5f9eba5f503

SHA256
956f4c2157db753bcafc0df1d0765ca59fc62bf209337c757cefdb5e190e91b6

SHA512
b098cd84fcd8ada29186e7ff4c6ab2a04f63b39c5579785e6bda4b7ca0398283508b7731c5f5a3548d9686eb17d4018654a379d9c78fb226adc8cde0980b00fc

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/432-125-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-128-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-122-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-118-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-115-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-112-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-131-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/432-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2984-107-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3156-30-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3156-28-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3156-31-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3816-54-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3816-53-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/3816-45-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4008-38-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4008-39-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/4008-36-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download