Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2023 11:26
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230220-en
General
-
Target
tmp.exe
-
Size
2.6MB
-
MD5
3601472d942d7a893e015cbea6a2931b
-
SHA1
b57bf034b799265bbdc5ca6e269645fc2159c411
-
SHA256
f6087b5b38afaa2ea8da58c002ae713c100566b8c0545f051bd97e8c0d3e67e5
-
SHA512
8908796d8da86ec09b4688949ca2089eac111146359d531243294028bb6c97189355b4a440cc329346dd737e563ce48441015d0a0f85d83330bedfc19a9d2dc2
-
SSDEEP
49152:WCwsbCANnKXferL7Vwe/Gg0P+WhGwTC+D:hws2ANnKXOaeOgmhGwTC4
Malware Config
Extracted
gh0strat
159.75.0.162
Signatures
-
Processes:
resource yara_rule behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 14 IoCs
Processes:
resource yara_rule C:\Windows\SysWOW64\240581109.txt family_gh0strat C:\Windows\SysWOW64\240581109.txt family_gh0strat \??\c:\windows\SysWOW64\240581109.txt family_gh0strat behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat behavioral2/memory/4536-199-0x0000000010000000-0x0000000010015000-memory.dmp family_gh0strat C:\Windows\SysWOW64\240581109.txt family_gh0strat behavioral2/memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmp family_gh0strat C:\Windows\SysWOW64\240581109.txt family_gh0strat -
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
tmp.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List tmp.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile tmp.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications tmp.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\tmp.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe:*:enabled:@shell32.dll,-1" tmp.exe -
Drops file in Drivers directory 1 IoCs
Processes:
TXPlatfor.exedescription ioc process File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
R.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240581109.txt" R.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
TXPlatfor.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatfor.exe -
Executes dropped EXE 6 IoCs
Processes:
R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_tmp.exeRemote Data.exepid process 2240 R.exe 3876 N.exe 3984 TXPlatfor.exe 4560 TXPlatfor.exe 4536 HD_tmp.exe 4624 Remote Data.exe -
Loads dropped DLL 4 IoCs
Processes:
R.exesvchost.exesvchost.exeRemote Data.exepid process 2240 R.exe 4056 svchost.exe 3688 svchost.exe 4624 Remote Data.exe -
Processes:
resource yara_rule behavioral2/memory/3876-150-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3984-158-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe upx C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe upx behavioral2/memory/4536-172-0x0000000000400000-0x00000000004D6000-memory.dmp upx behavioral2/memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmp upx behavioral2/memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HD_tmp.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HD_tmp.exe" HD_tmp.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
HD_tmp.exedescription ioc process File opened (read-only) \??\T: HD_tmp.exe File opened (read-only) \??\U: HD_tmp.exe File opened (read-only) \??\V: HD_tmp.exe File opened (read-only) \??\Y: HD_tmp.exe File opened (read-only) \??\K: HD_tmp.exe File opened (read-only) \??\L: HD_tmp.exe File opened (read-only) \??\S: HD_tmp.exe File opened (read-only) \??\X: HD_tmp.exe File opened (read-only) \??\B: HD_tmp.exe File opened (read-only) \??\E: HD_tmp.exe File opened (read-only) \??\O: HD_tmp.exe File opened (read-only) \??\J: HD_tmp.exe File opened (read-only) \??\N: HD_tmp.exe File opened (read-only) \??\R: HD_tmp.exe File opened (read-only) \??\F: HD_tmp.exe File opened (read-only) \??\H: HD_tmp.exe File opened (read-only) \??\I: HD_tmp.exe File opened (read-only) \??\Q: HD_tmp.exe File opened (read-only) \??\W: HD_tmp.exe File opened (read-only) \??\Z: HD_tmp.exe File opened (read-only) \??\G: HD_tmp.exe File opened (read-only) \??\M: HD_tmp.exe File opened (read-only) \??\P: HD_tmp.exe -
Drops file in System32 directory 7 IoCs
Processes:
N.exesvchost.exeR.exesvchost.exedescription ioc process File created C:\Windows\SysWOW64\TXPlatfor.exe N.exe File opened for modification C:\Windows\SysWOW64\TXPlatfor.exe N.exe File created C:\Windows\SysWOW64\Remote Data.exe svchost.exe File created C:\Windows\SysWOW64\240581109.txt R.exe File opened for modification C:\Windows\SysWOW64\ini.ini R.exe File created C:\Windows\SysWOW64\Remote Data.exe svchost.exe File opened for modification C:\Windows\SysWOW64\Remote Data.exe svchost.exe -
Drops file in Program Files directory 1 IoCs
Processes:
tmp.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe tmp.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3764 4056 WerFault.exe svchost.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
HD_tmp.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 HD_tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz HD_tmp.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
tmp.exeHD_tmp.exepid process 4588 tmp.exe 4588 tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
TXPlatfor.exepid process 4560 TXPlatfor.exe -
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
HD_tmp.exepid process 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe 4536 HD_tmp.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
N.exeHD_tmp.exeTXPlatfor.exedescription pid process Token: SeIncBasePriorityPrivilege 3876 N.exe Token: SeDebugPrivilege 4536 HD_tmp.exe Token: SeLoadDriverPrivilege 4560 TXPlatfor.exe Token: 33 4560 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4560 TXPlatfor.exe Token: 33 4560 TXPlatfor.exe Token: SeIncBasePriorityPrivilege 4560 TXPlatfor.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
tmp.exepid process 4588 tmp.exe 4588 tmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
tmp.exeN.exeTXPlatfor.exeHD_tmp.exedescription pid process target process PID 4588 wrote to memory of 2240 4588 tmp.exe R.exe PID 4588 wrote to memory of 2240 4588 tmp.exe R.exe PID 4588 wrote to memory of 2240 4588 tmp.exe R.exe PID 4588 wrote to memory of 3876 4588 tmp.exe N.exe PID 4588 wrote to memory of 3876 4588 tmp.exe N.exe PID 4588 wrote to memory of 3876 4588 tmp.exe N.exe PID 3876 wrote to memory of 1988 3876 N.exe cmd.exe PID 3876 wrote to memory of 1988 3876 N.exe cmd.exe PID 3876 wrote to memory of 1988 3876 N.exe cmd.exe PID 3984 wrote to memory of 4560 3984 TXPlatfor.exe TXPlatfor.exe PID 3984 wrote to memory of 4560 3984 TXPlatfor.exe TXPlatfor.exe PID 3984 wrote to memory of 4560 3984 TXPlatfor.exe TXPlatfor.exe PID 4588 wrote to memory of 4536 4588 tmp.exe HD_tmp.exe PID 4588 wrote to memory of 4536 4588 tmp.exe HD_tmp.exe PID 4588 wrote to memory of 4536 4588 tmp.exe HD_tmp.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 600 4536 HD_tmp.exe winlogon.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 688 4536 HD_tmp.exe lsass.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 792 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 804 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 812 4536 HD_tmp.exe fontdrvhost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 912 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 968 4536 HD_tmp.exe svchost.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 380 4536 HD_tmp.exe dwm.exe PID 4536 wrote to memory of 392 4536 HD_tmp.exe svchost.exe
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"2⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}2⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding2⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca2⤵
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Modifies firewall policy service
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\R.exeC:\Users\Admin\AppData\Local\Temp\\R.exe3⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\N.exeC:\Users\Admin\AppData\Local\Temp\\N.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul4⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exeC:\Users\Admin\AppData\Local\Temp\HD_tmp.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4056 -ip 40562⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 6122⤵
- Program crash
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -auto1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TXPlatfor.exeC:\Windows\SysWOW64\TXPlatfor.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Remote Data"1⤵
- Loads dropped DLL
- Drops file in System32 directory
-
C:\Windows\SysWOW64\Remote Data.exe"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240581109.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\HD_X.datFilesize
2.3MB
MD5f3fcee194f797b21f69703101eeb5baf
SHA1dfdb48959c2be3b91db7565593f83b54f0bf7d66
SHA256a7a1f343d710552699247c9dddc60c904e5a8db2fbfc5731f7f6c7a7f0f0cdf2
SHA512481b607923310ce925d27c13b2608056262417d8f8bc11dbde74a085006e71562d2a62eca972bb063b4e9813da7e4fc621c2c24130241123fab5ddf5dd2c5bd4
-
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exeFilesize
292KB
MD569de15d2eb57853fcdaf6e3db1b628e8
SHA1770a0b604db41c290478cee74f082b713fe3a9c8
SHA2564bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971
SHA5128b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753
-
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exeFilesize
292KB
MD569de15d2eb57853fcdaf6e3db1b628e8
SHA1770a0b604db41c290478cee74f082b713fe3a9c8
SHA2564bbf651b356b764108e90b16bf0e9ec16750ff50f7d9442ccb99be724f4e7971
SHA5128b851d1784d83bea610d86cc756232280f22445ded33fdbbc4ea4c65aec4fdf4d6af8536e7c2fc0e0fca8779f6712ea38d73490e096148325b0be6dcbbbcd753
-
C:\Users\Admin\AppData\Local\Temp\N.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
C:\Users\Admin\AppData\Local\Temp\N.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
C:\Users\Admin\AppData\Local\Temp\R.exeFilesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
C:\Users\Admin\AppData\Local\Temp\R.exeFilesize
941KB
MD58dc3adf1c490211971c1e2325f1424d2
SHA14eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
SHA256bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
SHA512ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
-
C:\Windows\SysWOW64\240581109.txtFilesize
899KB
MD58e5f395b9a71094d9950a3b22187e76a
SHA1cfe1c46f42a89c981130b72ec60b949818e6e1b4
SHA256c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936
SHA51235b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684
-
C:\Windows\SysWOW64\240581109.txtFilesize
899KB
MD58e5f395b9a71094d9950a3b22187e76a
SHA1cfe1c46f42a89c981130b72ec60b949818e6e1b4
SHA256c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936
SHA51235b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684
-
C:\Windows\SysWOW64\240581109.txtFilesize
899KB
MD58e5f395b9a71094d9950a3b22187e76a
SHA1cfe1c46f42a89c981130b72ec60b949818e6e1b4
SHA256c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936
SHA51235b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684
-
C:\Windows\SysWOW64\240581109.txtFilesize
899KB
MD58e5f395b9a71094d9950a3b22187e76a
SHA1cfe1c46f42a89c981130b72ec60b949818e6e1b4
SHA256c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936
SHA51235b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684
-
C:\Windows\SysWOW64\Remote Data.exeFilesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
C:\Windows\SysWOW64\Remote Data.exeFilesize
60KB
MD5889b99c52a60dd49227c5e485a016679
SHA18fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA2566cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA51208933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
-
C:\Windows\SysWOW64\TXPlatfor.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
C:\Windows\SysWOW64\TXPlatfor.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
C:\Windows\SysWOW64\TXPlatfor.exeFilesize
377KB
MD54a36a48e58829c22381572b2040b6fe0
SHA1f09d30e44ff7e3f20a5de307720f3ad148c6143b
SHA2563de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
SHA5125d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
-
\??\c:\windows\SysWOW64\240581109.txtFilesize
899KB
MD58e5f395b9a71094d9950a3b22187e76a
SHA1cfe1c46f42a89c981130b72ec60b949818e6e1b4
SHA256c891e464207f2f4b9da60e8374cbd16755eb5b7f679753ddf1298f0ddf103936
SHA51235b2c2925582a43ea1cc95726eb66760a7e92b30394b3cc9713416b000db459b0524e9c36de38d278dd10e5b87052fc575001770cdecd0c1d2ced35f89c80684
-
memory/1988-191-0x000000007F1F0000-0x000000007F1FC000-memory.dmpFilesize
48KB
-
memory/1988-198-0x000000007F1F0000-0x000000007F1FC000-memory.dmpFilesize
48KB
-
memory/3876-153-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3876-152-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3876-150-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3984-161-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3984-160-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/3984-158-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4056-204-0x000000007F0A0000-0x000000007F0AC000-memory.dmpFilesize
48KB
-
memory/4056-205-0x000000007F0A0000-0x000000007F0AC000-memory.dmpFilesize
48KB
-
memory/4536-207-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB
-
memory/4536-172-0x0000000000400000-0x00000000004D6000-memory.dmpFilesize
856KB
-
memory/4536-199-0x0000000010000000-0x0000000010015000-memory.dmpFilesize
84KB
-
memory/4560-173-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4560-176-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4560-178-0x0000000010000000-0x00000000101B6000-memory.dmpFilesize
1.7MB
-
memory/4588-179-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-182-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-180-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-181-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-219-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-228-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-241-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-243-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-252-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB
-
memory/4588-253-0x000000007FE40000-0x000000007FE4C000-memory.dmpFilesize
48KB