gh0strat | dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
Size

2.6MB
MD5

d88d8b6b592a17e97ae13fd3f03de064
SHA1

b8b1fd7baf6823fce0096a259fb06b9df190572b
SHA256

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a
SHA512

7ac5cf32b3f3bf654451cddbf2cfe01fa9f0c600abcdd9891aefc4316f5f00f687a811046f9b46c57464c3a1566af1f387b24b52c41969ef9f00605e9c20d8ac
SSDEEP

49152:HxTc2H2tFvduySyk6fUjuUGD0690O7XnrFgind0M9aQFoF:Ncy2LkD6fUXfWrFBd0M9aQFoF

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/2200-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2200-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1284-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1284-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/1284-35-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2200-22-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2200-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3780-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3780-9-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3780-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2200-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2200-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1284-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1284-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/1284-35-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2200-22-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2200-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3780-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3780-9-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3780-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

RVN.exeHD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeTXPlatforn.exeTXPlatforn.exe

pid process

3780 RVN.exe
1912 HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2200 TXPlatforn.exe
1284 TXPlatforn.exe

pid	process
3780	RVN.exe
1912	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2200	TXPlatforn.exe
1284	TXPlatforn.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2200-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1284-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1284-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/1284-35-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-22-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2200-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3780-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3780-9-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3780-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3780-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1668 PING.EXE

pid	process
1668	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exemsedge.exemsedge.exemsedge.exe

pid	process
3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
232	msedge.exe
232	msedge.exe
3628	msedge.exe
3628	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

1284 TXPlatforn.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3628 msedge.exe
3628 msedge.exe
3628 msedge.exe
3628 msedge.exe

pid	process
1284	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3780	RVN.exe
Token: SeLoadDriverPrivilege	1284	TXPlatforn.exe
Token: 33	1284	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1284	TXPlatforn.exe
Token: 33	1284	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	1284	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe

pid process

3480 dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exeRVN.exeTXPlatforn.execmd.exeHD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exemsedge.exe

description	pid	process	target process
PID 3480 wrote to memory of 3780	3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 3480 wrote to memory of 3780	3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 3480 wrote to memory of 3780	3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	RVN.exe
PID 3480 wrote to memory of 1912	3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 3480 wrote to memory of 1912	3480	dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
PID 3780 wrote to memory of 3288	3780	RVN.exe	cmd.exe
PID 3780 wrote to memory of 3288	3780	RVN.exe	cmd.exe
PID 3780 wrote to memory of 3288	3780	RVN.exe	cmd.exe
PID 2200 wrote to memory of 1284	2200	TXPlatforn.exe	TXPlatforn.exe
PID 2200 wrote to memory of 1284	2200	TXPlatforn.exe	TXPlatforn.exe
PID 2200 wrote to memory of 1284	2200	TXPlatforn.exe	TXPlatforn.exe
PID 3288 wrote to memory of 1668	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 1668	3288	cmd.exe	PING.EXE
PID 3288 wrote to memory of 1668	3288	cmd.exe	PING.EXE
PID 1912 wrote to memory of 3628	1912	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	msedge.exe
PID 1912 wrote to memory of 3628	1912	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	msedge.exe
PID 1912 wrote to memory of 5016	1912	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	cmd.exe
PID 1912 wrote to memory of 5016	1912	HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe	cmd.exe
PID 3628 wrote to memory of 3588	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 3588	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 4176	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 232	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 232	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 60	3628	msedge.exe	msedge.exe
PID 3628 wrote to memory of 60	3628	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
"C:\Users\Admin\AppData\Local\Temp\dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:1668

C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://qm.qq.com/cgi-bin/qm/qr?_wv=1027&k=TIvB-2dO6fldENXVat7aPue8CD7YtpXE&authKey=kSwJGE6SjSVbS4ZeoqT4gr80UY7OoUD6zolCfuBuaiZOmJrw4Ko6xTLxJ314w89X&noverify=0&group_code=709241594
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff54ad46f8,0x7fff54ad4708,0x7fff54ad4718
4⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
4⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
4⤵
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
4⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
4⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
4⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
4⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10871343583445586172,18361056550936205772,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
3⤵
PID:5016

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9ed96d190076ebf8a94b0d545aba0b7

SHA1
67b430d0af736a2427f3d26244027ebc6dd0e8a0

SHA256
4414a4555a850f736e71457ed95a7f56e716b1c369b30e0bc7197f3865f44adc

SHA512
8346a6a661b7e648eb439215b852e55f22095f0a22cc24f57d55a13dec99225cb2e926cf1eb012b3ae13b661eb58b8f4c27de6907a1409595f6cdca4547707ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
204f4db0cebc7ff860b8a7e6f67a184f

SHA1
3ff46e9ed8177f51bbcf4e67b6624071bfc6d186

SHA256
ea0571198aaccc03cfe852a51e5ed591eeca786c98fb9c95ada48af90304f258

SHA512
7a54db837f05a53461fbc41aa19fb04b5e160e3aa43151f443bc20a109c10e71aec8f3e3d9a3e4ee8fc7f328137516f1992c2b8b81c3e1beed8363f0b4b4358d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
777b2564b2e9955513a9873057fd6744

SHA1
e2b1514335218ebfceb4a524aa5b3adbfa5ef643

SHA256
f044250e2d57c5342fc1cdbfac525f2d8a9e4e9cbb0ef8f9c687d96b3cb35461

SHA512
a34c44aad54c4abf15b9c4dff6f7f97b93203b0c0c977e7f0253cca8233cf837ec81344d314d8aba5a92c827156927708a3f0d7749242b914b1ad1b912320bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
756KB

MD5
1de1f5d320577ea30a8e8535cabc0e37

SHA1
7eab68525be999494410a768c98e97659844c181

SHA256
1ccd26ea7771855951d62df3cc0d8fc6a9e367e110b0e869aad8e2655dfdc2f1

SHA512
87cd217cd856f397adfcc371e4c5715159c7c8d8a401e8e82acbc864c4d0d87d67f5c714b45507c17a6327054d97c56cc1f2cbc33c2d9487474e80195be0ff2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_dfefe53dd6751ebb9b207f43cea8a2d6520f22f66edd171dc83a03ec8e8ca46a.exe

Filesize
1.8MB

MD5
3a687964f0bb879900f24e6a7e076f0d

SHA1
f3a9c5949d9c7de982871f3522c9263c2299b420

SHA256
814a8bec5a9359e5564ab78cbdb66c2f1fe4ce39e109b252e75d9fd5f278c410

SHA512
eb1826c80c37b62a749023a9947a8c2c5b2354a105574157533d9ae4db4469a8e7c9704bbacd270e0a037d9f1eae389d9f7885048f68bd3f3efbd091e8325dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\??\pipe\LOCAL\crashpad_3628_PQQALNVGSSKXDRHN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1284-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1284-35-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1284-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1912-60-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2200-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-22-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2200-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3780-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3780-9-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3780-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3780-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download