gh0strat | dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
Size

2.6MB
MD5

d88d8b6b592a17e97ae13fd3f03de064
SHA1

b8b1fd7baf6823fce0096a259fb06b9df190572b
SHA256

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a
SHA512

7ac5cf32b3f3bf654451cddbf2cfe01fa9f0c600abcdd9891aefc4316f5f00f687a811046f9b46c57464c3a1566af1f387b24b52c41969ef9f00605e9c20d8ac
SSDEEP

49152:HxTc2H2tFvduySyk6fUjuUGD0690O7XnrFgind0M9aQFoF:Ncy2LkD6fUXfWrFBd0M9aQFoF

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2020-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2664-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2668-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2020-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2664-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2664-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2668-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2020-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2664-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

Processes:

RVN.exeHD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeTXPlatforn.exeTXPlatforn.exe

pid process

2020 RVN.exe
1952 HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
1208
2664 TXPlatforn.exe
2668 TXPlatforn.exe

pid	process
2020	RVN.exe
1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
1208
2664	TXPlatforn.exe
2668	TXPlatforn.exe

Loads dropped DLL 5 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeTXPlatforn.exe

pid	process
2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
1284
2664	TXPlatforn.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2020-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2664-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2668-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2020-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2664-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705467df79adda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a3f5468fb69c6458cafabc54d58b1a40000000002000000000010660000000100002000000058b0e480ff21f21f7960990c778bd79f2a119f70bca0d2271bf4c633ebe4c161000000000e80000000020000200000003f8d988196df81a437c0043247ab55695fe41a27d25e62f87bd66c21b4ddf5a5900000009cefbec51fd5c52645fe93741a355327be27dc8ca8690e891e42143fd0e5113283a84bfee8a994e3033dd868353ea6cca7319896c9b7682a787c994f06514a2c112b35961a25d5d60036b2c606f54fc5f58d61076aad7d5f7fc9f1d6808fbb5a53eb93514a0d7beb51f3cabd7b414f69b9de7275b72ecaed5ec6d92a1bd5aecdcf106b2694c85f82785e6d79e8733c374000000006201f3378145e966c6a7f374e5f18717bcf96d0f558c6f48fcdef36918daef4870ab95b8a40259bbb76b81a03453cf4541be8dc8dd9159068f6809b46fe95c5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005a3f5468fb69c6458cafabc54d58b1a40000000002000000000010660000000100002000000029f7cb5bd42b839c80b2041ee6a93aad1f8b2b3a965f7bb5fddaaf956ed59018000000000e80000000020000200000004102657e192675834c847f19490e447518bf7e9ae60797be9e7f7e5c27ae7103200000001dc8617d8cf1f6d0e46cd8f451d4f9e488e28ef371c3c884d7dfbb62aea13ffe40000000b27bb6b03fb0b6c4d92fab8cbbea2e83f1aa21ff024e16de02a1663c569541867b1f8588563c317e81ab1f5e5bfc8bfb225cc0a404fedd06d002526aaa96cf94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422676023"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{085ED101-196D-11EF-815A-6A55B5C6A64E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2464 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe

pid process

2244 dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2668 TXPlatforn.exe

pid	process
2464	PING.EXE

pid	process
2668	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2020	RVN.exe
Token: SeLoadDriverPrivilege	2668	TXPlatforn.exe
Token: 33	2668	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2668	TXPlatforn.exe
Token: 33	2668	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2668	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2708 iexplore.exe

pid	process
2708	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeiexplore.exeIEXPLORE.EXE

pid	process
2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2708	iexplore.exe
2708	iexplore.exe
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE
2540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeRVN.exeTXPlatforn.execmd.exeHD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeiexplore.exe

description	pid	process	target process
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 2020	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 2244 wrote to memory of 1952	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 2244 wrote to memory of 1952	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 2244 wrote to memory of 1952	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 2244 wrote to memory of 1952	2244	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 2020 wrote to memory of 2692	2020	RVN.exe	cmd.exe
PID 2020 wrote to memory of 2692	2020	RVN.exe	cmd.exe
PID 2020 wrote to memory of 2692	2020	RVN.exe	cmd.exe
PID 2020 wrote to memory of 2692	2020	RVN.exe	cmd.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2664 wrote to memory of 2668	2664	TXPlatforn.exe	TXPlatforn.exe
PID 2692 wrote to memory of 2464	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2464	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2464	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2464	2692	cmd.exe	PING.EXE
PID 1952 wrote to memory of 2708	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	iexplore.exe
PID 1952 wrote to memory of 2708	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	iexplore.exe
PID 1952 wrote to memory of 2708	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	iexplore.exe
PID 1952 wrote to memory of 2148	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	cmd.exe
PID 1952 wrote to memory of 2148	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	cmd.exe
PID 1952 wrote to memory of 2148	1952	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	cmd.exe
PID 2708 wrote to memory of 2540	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2540	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2540	2708	iexplore.exe	IEXPLORE.EXE
PID 2708 wrote to memory of 2540	2708	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
"C:\Users\Admin\AppData\Local\Temp\dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2464

C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=TIvB-2dO6fldENXVat7aPue8CD7YtpXE&authKey=kSwJGE6SjSVbS4ZeoqT4gr80UY7OoUD6zolCfuBuaiZOmJrw4Ko6xTLxJ314w89X&noverify=0&group_code=709241594
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:2148

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6a16cbb137fd97d7c664d9d85f05b274

SHA1
23c618a73748a9a4313d2954c24684434cd85014

SHA256
573f0abb21626cb9305150c984f129d9bd765ee7361aad905fd7f2529f0e209a

SHA512
7490ae68053058081c9c8942a40913bc549d64f5d1b1d4b6bb3bdbb1d474cf74ecab0dc158210d23424d3b26f85669c8448352c0cee2cc9ac89e2b8ceffea735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3f4bf1393256a287dc0b067e3f27fcb

SHA1
e3f2c00fcb4fe4b4a35fe5b4515e42488bc7b23d

SHA256
9ffd089cbf74f06a0894a0642e9e234a3466a5d6fad088def75f3245ba1195bb

SHA512
4269bddbe32fbfe6dddb9e11619cdb79cddb1daca84c4ebf0c54863d487619aca5c7356dd6e0d375c1d85f4dd9e6377805445f897d013a8b8d09b952a502b9aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e447990ed1ccbfe5e36bd447f5427618

SHA1
c1ab2573658da6c9bdc9ca67d4cde64429b33e27

SHA256
cad9b036f52af7a62c204e80359e9c3c1fbd0c2018f9aa862d6b91e4c4060c5c

SHA512
d893cd17dd18afa636625ce55f09f0dd96322a6f65f1378ab0c8162b113143de884f4621b960849487057ed82d7b70b5b32a22be6a0b10aa17ffeb661676550b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69a3108397aa0b790416078ce8ad5fd9

SHA1
6acd839fbe869c15b13e1ce11508e92b08d79984

SHA256
da55e8ebdb44ae951324cc2a86e6b7a1018d0c462d409e0992fb98d0ca3c1e12

SHA512
6dbfc18075547d35ee14030f522cfd56e3a889151e67b07c91eb7e97fd7e6d32a877f38fd55cbf23a5c76cfab27a42b5c305c1dab407d0890b9a55fc25170103

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45cf2c29d840ed1cacabdd0cf2aa1138

SHA1
82db2a5759da1206f381d4e6c87ecca918451fbf

SHA256
53c654fd2a33857a13f35f2c80ebd144f39bdc0ce549eb84dc4e167904f73d96

SHA512
364de30ac44b3baf5adf5a19edc7dd580dc5351a361e32de8e498d077824314b51bff62b9619864c6a2b0c49dac12c361c92326625e5f4a6ed487716a13c7641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
450fda20a60fe626bc9d13d5e6c5b091

SHA1
9ea7c0e4a33ecba58341aae3417d5f691c43a9a8

SHA256
4a4445dc8954354d07e6983bfe7093746ca89c0c3215bceb694cbdca5b78b19a

SHA512
35ab04814ef9a64ab1ad4ca7dfe9fcaa655ef7bdd0fa5f1766cba4ad10323fdd1a96ba45b1e79e741035e0416a552cadde952e97e902279772434e37db52600e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
313d7190290ef722fa74a9d3b839672c

SHA1
d9b39ed718d8d112354ea07445bf9bd43fe46a0f

SHA256
43b77aac707a49c1d6601ff23e8bbad0785ba8700f2a061b91e1779ebd3f00ed

SHA512
8d016de396f4b02335aad264f2cee4b4bd3162fe610d1b9360c46a48c940c063e64ca2c355a952a916d4bc7fcaaa7e62c6b6a6e071ac8020f2ba56c8413011f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3874760c2dda5e6928d6d96a7e18ee3f

SHA1
b716a2c91d03a7d54824aa98db7517100f973a34

SHA256
828e082b0e92efb30ed854c359accead24aad102387fb05ef034bf75b7fe25e7

SHA512
dad60987f19f3001e320a5f1702cb4d602eea0ba55d3952fc0d1e17bc1c734fc2b55eaa816745fab46078b6ff8f6c922a72bd92d43e7aecf2939c24ab4123600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0cfc3b0e8b1a2f3c1372e642c2621445

SHA1
705a1de5e08d580d9a4687380941b0f8e38b3fff

SHA256
f7767bfae62f02f272763679b0e23ea54f7c9f4758263331c9164497ad077222

SHA512
fb2c5c1a7287aaad7fe9ed85a0983e7aa41e1ebb85b7d604188e3bd46c9f7ae78b402fdb1af68283794f4d9e6e64ea098c592da6ec2eeaa49ac1b00d66069cdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e108f254aa135d8b187d773d9e7fac6f

SHA1
f0bede3e92c5153afc13651dc4b3225824983c32

SHA256
f9c6d409b03678ff413e9f04b3316b7145ccb18f0b12e7d51350c5e58573fddf

SHA512
cd41329e9bc0f1cca1013815792ac1236e783960606851e6f6ec648e15b85d7186dbc25bed29cb246a4141a1ea4d6a3a721aa92393fd8ba8eba46a4ac30c1e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bea2987fd0c0ccc9310193ab2a07240a

SHA1
040c6d0f72455ed2eb881f680e57dc128746493c

SHA256
bb5cd1a86d6d127d59be3c92f424b987a9bccf68a10f91dfdf3ddaafd330bf32

SHA512
ad6964d3893cf353641ea390316c902b5d9096a0b33afa42b35ad9efc26d6b204cfad22f17de2f9d0c60762be078b1d77a18189af9abc193c486ef7e30f893f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aeccbe8fb3464c913ba7cfd6b929ed05

SHA1
46d58d2fdd2d6b8ee2340038205619397c82c271

SHA256
47c55264724a8ddcfdb20a5276a225411dfc5559a037fd7fb02ee3b14ffc5b35

SHA512
8cd21ebcf873ee3f5ce17176ef6133078d7370152670c98ba8be4d8bc21e0d65aff4996c07ee612153b1e0ba8e04c85f2506d3f70b41cb1e3928b1154da1c2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
597da9c9e25d984bb388c7688817741c

SHA1
061eab6c7b4c8fb80348157ce45c860659de0fb0

SHA256
3390d9b4be3badd495183f327e2e56032d010b3ca30bfc720de4ccd289d16815

SHA512
fde88171f4fa06ec57a71c510921199354551744430b80006e36284d95c202af9fe46469106cb38b5348853f06fd0685085b8f8eac3d09e43db8002cf2c2eb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6356.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
756KB

MD5
1de1f5d320577ea30a8e8535cabc0e37

SHA1
7eab68525be999494410a768c98e97659844c181

SHA256
1ccd26ea7771855951d62df3cc0d8fc6a9e367e110b0e869aad8e2655dfdc2f1

SHA512
87cd217cd856f397adfcc371e4c5715159c7c8d8a401e8e82acbc864c4d0d87d67f5c714b45507c17a6327054d97c56cc1f2cbc33c2d9487474e80195be0ff2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe

Filesize
1.8MB

MD5
3a687964f0bb879900f24e6a7e076f0d

SHA1
f3a9c5949d9c7de982871f3522c9263c2299b420

SHA256
814a8bec5a9359e5564ab78cbdb66c2f1fe4ce39e109b252e75d9fd5f278c410

SHA512
eb1826c80c37b62a749023a9947a8c2c5b2354a105574157533d9ae4db4469a8e7c9704bbacd270e0a037d9f1eae389d9f7885048f68bd3f3efbd091e8325dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6481.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar66C9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/1952-69-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2020-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2020-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2664-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2664-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2668-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download