Analysis
max time kernel: 138s
max time network: 154s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 23/08/2023, 05:59
Static task: static1
Behavioral task: behavioral1
Sample: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Resource: win7-20230712-en

General
Target: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Size: 13.6MB
MD5: d69c7e8a72ac1862676f3b1dad3b040f
SHA1: f25b9fad59131babc9581d769921e160cb340366
SHA256: 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f
SHA512: 37d996749076277bde69c0b513711703472d0b14979024bd8eaf91f5352ab1483c9c25ea3677c7109d3a23ebf2318edbea17332c99faa2fe999a7616c6d228c8
SSDEEP: 393216:m7aA9iNATLFrUaE+gsevy5nU9uffWER6o4wX:OkNCLFrRXgjy5nU9ufjR6k
Malware Config
Signatures
PurpleFox rootkit (yara rule purplefox_rootkit) 8 IoCs
resource | yara_rule
behavioral1/memory/2008-63-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2008-61-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2008-77-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/612-82-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2904-90-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2904-93-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2904-100-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2596-110-0x0000000004B60000-0x0000000005794000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 15 IoCs
resource | yara_rule
behavioral1/memory/2008-62-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2008-63-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2008-61-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/612-71-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2008-77-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/612-82-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x001c000000015d16-87.dat | family_gh0strat
behavioral1/memory/2904-90-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2904-93-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x001c000000015d16-96.dat | family_gh0strat
behavioral1/files/0x001c000000015d16-95.dat | family_gh0strat
behavioral1/memory/2904-100-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2596-110-0x0000000004B60000-0x0000000005794000-memory.dmp | family_gh0strat
behavioral1/files/0x001c000000015d16-213.dat | family_gh0strat
behavioral1/files/0x001c000000015d16-218.dat | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\主动防御服务模块\Parameters\ServiceDll = "C:\\Windows\\system32\\259423157.txt" | svchos.exe
The service name is GBK-encoded Chinese, 主动防御服务模块 ("Active Defense Service Module"); the sandbox rendered the GBK bytes as Latin-1, which is why it appeared as mojibake in the original report. Note that the ServiceDll points at a .txt file under system32: svchost.exe will load it as a DLL regardless of the extension.
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 6 IoCs
pid | Process
2008 | svchost.exe
612 | TXPlatforn.exe
2904 | TXPlatforn.exe
2860 | svchos.exe
2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
2108 | 主动防御服务模块.exe
Loads dropped DLL 10 IoCs
pid | Process
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
612 | TXPlatforn.exe
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
2860 | svchos.exe
2260 | svchost.exe
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
2588 | svchost.exe
2588 | svchost.exe
2108 | 主动防御服务模块.exe
UPX packed file (yara rule upx) 37 IoCs
resource | yara_rule
behavioral1/memory/2008-59-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2008-62-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2008-63-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2008-61-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/612-71-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2008-77-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/612-82-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2904-90-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2904-93-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2904-100-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2596-110-0x0000000004B60000-0x0000000005794000-memory.dmp | upx
behavioral1/memory/2736-115-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-118-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-121-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-124-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-126-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-130-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-133-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-151-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-164-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-172-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-174-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-177-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-179-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-182-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-185-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-188-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-190-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-192-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-194-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-196-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-198-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-200-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-202-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-205-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-207-0x0000000010000000-0x000000001003E000-memory.dmp | upx
behavioral1/memory/2736-212-0x0000000010000000-0x000000001003E000-memory.dmp | upx
Drops file in System32 directory 7 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\259423157.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\主动防御服务模块.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\主动防御服务模块.exe | svchost.exe
File created | C:\Windows\SysWOW64\主动防御服务模块.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | \??\c:\windows\HPSocket4C.dll | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
File created | \??\c:\windows\HPSocket4C.dll | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3016 | PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2904 | TXPlatforn.exe
Suspicious behavior: MapViewOfSection 27 IoCs
pid | Process | entries
2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 27 (identical entries)
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2008 | svchost.exe
Token: SeLoadDriverPrivilege | 2904 | TXPlatforn.exe
Token: SeDebugPrivilege | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
Token: 33 | 2904 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2904 | TXPlatforn.exe
Token: 33 | 2904 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2904 | TXPlatforn.exe
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process | entries
2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 2
2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 3
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2596 wrote to memory of 2008 | 2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 28 | 7
PID 2008 wrote to memory of 2848 | 2008 | svchost.exe | 30 | 4
PID 612 wrote to memory of 2904 | 612 | TXPlatforn.exe | 31 | 7
PID 2596 wrote to memory of 2860 | 2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 33 | 4
PID 2848 wrote to memory of 3016 | 2848 | cmd.exe | 36 | 4
PID 2596 wrote to memory of 2736 | 2596 | 81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 37 | 4
PID 2736 wrote to memory of 376 | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 5 | 7
PID 2736 wrote to memory of 388 | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 4 | 7
PID 2736 wrote to memory of 424 | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 3 | 7
PID 2736 wrote to memory of 468 | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 2 | 7
PID 2736 wrote to memory of 484 | 2736 | HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe | 1 | 6
The last five rows are writes by HD_81dd38ef…exe (PID 2736) into wininit.exe (376), csrss.exe (388), winlogon.exe (424), services.exe (468) and lsass.exe (484), i.e. into core system processes.
Processes
Process tree (image path, then the command line where it differs; signature hits are listed under the process that triggered them):

[PID 484] C:\Windows\system32\lsass.exe
[PID 468] C:\Windows\system32\services.exe
  [PID 676] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k RPCSS
  [PID 848] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs
  [PID 276] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService
  [PID 1076] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  [PID 536] C:\Windows\System32\spoolsv.exe
  [PID 960] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService
  [PID 804] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    [PID 1176] C:\Windows\system32\Dwm.exe  cmd: "C:\Windows\system32\Dwm.exe"
  [PID 760] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  [PID 596] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    [PID 2016] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  [PID 1120] C:\Windows\system32\taskhost.exe  cmd: "taskhost.exe"
  [PID 824] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  [PID 2516] C:\Windows\system32\sppsvc.exe
  [PID 612] C:\Windows\SysWOW64\TXPlatforn.exe  cmd: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [PID 2904] C:\Windows\SysWOW64\TXPlatforn.exe  cmd: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
  [PID 2960] C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
  [PID 2260] C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
    - Loads dropped DLL
    - Drops file in System32 directory
  [PID 2588] C:\Windows\SysWOW64\svchost.exe  cmd: C:\Windows\SysWOW64\svchost.exe -k "主动防御服务模块"
    - Loads dropped DLL
    - Drops file in System32 directory
    [PID 2108] C:\Windows\SysWOW64\主动防御服务模块.exe  cmd: C:\Windows\system32\主动防御服务模块.exe "c:\windows\system32\259423157.txt",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
[PID 424] C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
[PID 388] C:\Windows\system32\csrss.exe  cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  [PID 2956] C:\Windows\system32\conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe "-15024054308906887281488968818-399177287996953393-11804891751891380056370260600"
[PID 376] C:\Windows\system32\wininit.exe  cmd: wininit.exe
  [PID 492] C:\Windows\system32\lsm.exe
[PID 1208] C:\Windows\Explorer.EXE
  [PID 2596] C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe"
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [PID 2008] C:\Users\Admin\AppData\Local\Temp\svchost.exe  cmd: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [PID 2848] C:\Windows\SysWOW64\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        - Suspicious use of WriteProcessMemory
        [PID 3016] C:\Windows\SysWOW64\PING.EXE  cmd: ping -n 2 127.0.0.1
          - Runs ping.exe
    [PID 2860] C:\Users\Admin\AppData\Local\Temp\svchos.exe  cmd: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      - Sets DLL path for service in the registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
    [PID 2736] C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
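The tree and the registry signatures above show four patterns worth turning into host checks: a ServiceDll that points at a non-.dll file (the `259423157.txt` loaded by `svchost.exe -k "主动防御服务模块"`), a freshly dropped .sys registered as a service ImagePath (`QAssist.sys`), an `svchost.exe` launched from a user's Temp directory, and the `cmd /c ping -n 2 127.0.0.1 > nul && del …` delay-then-delete used to remove the dropper. The script below is an added example, not part of the sandbox report or of the sandbox's own signature code. The `Event` record layout and field names are assumptions, and the event list is constructed by hand from the IoCs on this page; it also shows how to recover the GBK service name from the mojibake the report displays.

```python
"""Host-side checks for the persistence and self-cleanup patterns this report
records. Added example, not part of the sandbox report or its signature code;
the event schema and the sample events are assumptions built from the page's IoCs."""
import re
from dataclasses import dataclass

SAMPLE_EXE = "81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

SERVICE_DLL_RE = re.compile(r"\\services\\([^\\]+)\\Parameters\\ServiceDll$", re.I)
IMAGE_PATH_RE = re.compile(r"\\services\\([^\\]+)\\ImagePath$", re.I)
# "ping -n N 127.0.0.1 ... && del <file>": a sleep substitute used to delete the
# dropper once its children are running (PID 2848 in the tree above)
SELF_DELETE_RE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1.*&&\s*del\s", re.I)


def fix_mojibake(name: str) -> str:
    """Recover a GBK string that a tool displayed as Latin-1, which is how the
    service name in this report appears. Returns the input unchanged when it is
    plain ASCII or cannot be re-decoded as GBK."""
    try:
        return name.encode("latin-1").decode("gbk")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return name


@dataclass
class Event:
    kind: str            # "reg_set" | "file_create" | "proc_create" (assumed schema)
    process: str         # image name of the acting process
    pid: int             # pid of the acting process
    key: str = ""        # reg_set: registry value path
    value: str = ""      # reg_set: string data written
    path: str = ""       # file_create: created file; proc_create: child image path
    cmdline: str = ""    # proc_create: child command line


def check_events(events):
    """Return (rule, subject, detail, acting_process) tuples for every hit."""
    findings = []
    created = {e.path.lower() for e in events if e.kind == "file_create"}
    for e in events:
        if e.kind == "reg_set":
            m = SERVICE_DLL_RE.search(e.key)
            if m and not e.value.lower().endswith(".dll"):
                # svchost -k loads whatever ServiceDll names; ".txt" is a disguise
                findings.append(("servicedll_not_dll", fix_mojibake(m.group(1)), e.value, e.process))
            m = IMAGE_PATH_RE.search(e.key)
            if m and e.value.lower().endswith(".sys"):
                driver = e.value.replace("/", "\\").split("\\")[-1].lower()
                if any(p.endswith("\\" + driver) for p in created):
                    # the same run both wrote the .sys and registered it as a service
                    findings.append(("dropped_driver_service", m.group(1), e.value, e.process))
        elif e.kind == "proc_create":
            image = e.path.lower()
            if image.endswith("\\svchost.exe") and not image.startswith(SYSTEM_DIRS):
                findings.append(("svchost_outside_system", e.path, e.cmdline, e.process))
            if SELF_DELETE_RE.search(e.cmdline):
                findings.append(("ping_delay_self_delete", e.path, e.cmdline, e.process))
    return findings


# Constructed from the IoCs in this report; not an export from the sandbox.
SAMPLE_EVENTS = [
    Event("file_create", "TXPlatforn.exe", 2904, path=r"C:\Windows\system32\drivers\QAssist.sys"),
    Event("reg_set", "TXPlatforn.exe", 2904,
          key=r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath",
          value=r"system32\DRIVERS\QAssist.sys"),
    Event("file_create", "svchos.exe", 2860, path=r"C:\Windows\SysWOW64\259423157.txt"),
    Event("reg_set", "svchos.exe", 2860,
          key="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\\Parameters\\ServiceDll",
          value=r"C:\Windows\system32\259423157.txt"),
    Event("proc_create", SAMPLE_EXE, 2596, path=r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
          cmdline=r"C:\Users\Admin\AppData\Local\Temp\\svchost.exe"),
    Event("proc_create", "svchost.exe", 2008, path=r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul"),
    # benign control: a genuine service host started by services.exe
    Event("proc_create", "services.exe", 468, path=r"C:\Windows\system32\svchost.exe",
          cmdline=r"C:\Windows\system32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, subject, detail, proc in check_events(SAMPLE_EVENTS):
        print(f"{rule:24} {proc:16} {subject} -> {detail}")
```

Run against the sample events the checker reports four hits and stays silent on the genuine `svchost.exe -k netsvcs` launched by `services.exe`. The `fix_mojibake` step matters for matching: an allow-list or IoC feed written with the real name 主动防御服务模块 would never match the Latin-1 rendering a tool emits for the GBK bytes.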
Network
MITRE ATT&CK Enterprise v15
Downloads
The report lists each dropped file once per drop event; identical entries are collapsed below, with the number of listings noted.

File: C:\Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe (also listed as C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_81DD38EF1B5FCC2F50F7A22C27F83FA6FD8AD7E1621B554AF1F696C4FE705D1F.EXE and as \Users\Admin\AppData\Local\Temp\HD_81dd38ef1b5fcc2f50f7a22c27f83fa6fd8ad7e1621b554af1f696c4fe705d1f.exe; 5 listings)
Filesize: 11.9MB
MD5: 6eff11a79838756628a2d397831f228d
SHA1: df31f63af313a1c986ba13fa21def1e5f6b31d49
SHA256: 6672a5c1b29e07ce14b756e58e8efa6cc914864568674bcf4a910cccaacb73d3
SHA512: 78265a88bbf8bbab2163b6c2a2cf1ebc2c4596ad9568c77208123cf99aac03bf58511d19d8d41bfe484f91c9fa4ff563ed4cda162ee0ec18e60f8a8cc8284c83

File: (path not shown in report; 1 listing)
Filesize: 1.7MB
MD5: 36cd7c2f720111cd4ef41e3b5f0db256
SHA1: 2bd2af69331c5408eeaf23fddd505c58650cdaa9
SHA256: 23d9db3453f1434a943f3945e0546a7fefad5b75bc04dd7b8f7899172b10f1ff
SHA512: 8216b4065b23c8475ad3e5badcabe1dc91fc3eaf5e504bc0ed0a60658067bc5526310594cb7374715f5ffdf5bb5d858bb6e0c7c86445eb5a64939268e2056b17

File: (path not shown in report; 2 listings)
Filesize: 93KB
MD5: 3b377ad877a942ec9f60ea285f7119a2
SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f

File: (path not shown in report; 8 listings)
Filesize: 377KB
MD5: a4329177954d4104005bce3020e5ef59
SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208

File: (path not shown in report; 3 listings)
Filesize: 43KB
MD5: 51138beea3e2c21ec44d0932c71762a8
SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

File: (path not shown in report; 5 listings)
Filesize: 50KB
MD5: c8c8ff11e8ab024234441d9d8536c433
SHA1: 28a9f4f25191d13b38e6919e7107963468ed2720
SHA256: cc653810b728259c11f415dfb61b6710b430c02c297149de51129b0465634320
SHA512: 03e2befe6538313ac5f95e534501cea67146e172c11b16d1988114625f6bd52e866ac633025307c7545575a7dac97c5fd88e5b3814b80d132c5a24e2630d709e