Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 11:48

Static task: static1
Behavioral task: behavioral1
Sample: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
Resource: win7-20240221-en

General
- Target: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- Size: 2.4MB
- MD5: d39ac7b4e8ab5542cabe722ea6e3b095
- SHA1: 547eeec20f6724568c11fd9371b1336d8e312410
- SHA256: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17
- SHA512: e9843b5de54f69a7d6f32f9cc292ab6cdbead4e89d0e4880fe5f172eaa71b25f1e972e7b4f3a3da99ce7115dacb7612a2af3098b05bbd6d523a9fa5d6e392df1
- SSDEEP: 24576:MQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVMgrnGsAJuH0:MQZAdVyVT9n/Gg0P+WhohgrGlN
Malware Config
Signatures
resource / yara_rule:
- behavioral1/memory/1264-8-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/1264-12-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/1264-7-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/1428-18-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/2276-37-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/2276-33-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/1428-32-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/2276-30-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit
- behavioral1/memory/2276-80-0x0000000010000000-0x00000000101B6000-memory.dmp purplefox_rootkit

Gh0st RAT payload 10 IoCs
resource / yara_rule:
- behavioral1/memory/1264-8-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/1264-12-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/1264-7-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/1428-18-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/files/0x000700000001424e-39.dat family_gh0strat
- behavioral1/memory/2276-37-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/2276-33-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/1428-32-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/2276-30-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
- behavioral1/memory/2276-80-0x0000000010000000-0x00000000101B6000-memory.dmp family_gh0strat
Drops file in Drivers directory 1 IoCs
- File created C:\Windows\system32\drivers\QAssist.sys (TXPlatforn.exe)

Sets service image path in registry 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" (TXPlatforn.exe)

Executes dropped EXE 6 IoCs
- PID 1264: svchost.exe
- PID 1428: TXPlatforn.exe
- PID 2276: TXPlatforn.exe
- PID 1772: svchos.exe
- PID 3004: HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- PID 1192: Process not Found

Loads dropped DLL 5 IoCs
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- PID 1428: TXPlatforn.exe
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- PID 1772: svchos.exe
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe

resource / yara_rule:
- behavioral1/memory/1264-5-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/1264-8-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/1264-12-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/1264-7-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/1428-18-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/2276-37-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/2276-33-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/1428-32-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/2276-30-0x0000000010000000-0x00000000101B6000-memory.dmp upx
- behavioral1/memory/2276-80-0x0000000010000000-0x00000000101B6000-memory.dmp upx

Drops file in System32 directory 3 IoCs
- File created C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe (svchost.exe)
- File created C:\Windows\SysWOW64\259400116.txt (svchos.exe)

Drops file in Program Files directory 4 IoCs
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe)
- File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Runs ping.exe 1 TTPs 1 IoCs
- PID 2472: PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe

Suspicious behavior: LoadsDriver 1 IoCs
- PID 2276: TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeIncBasePriorityPrivilege, PID 1264 svchost.exe
- Token: SeLoadDriverPrivilege, PID 2276 TXPlatforn.exe
- Token: 33, PID 2276 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 2276 TXPlatforn.exe
- Token: 33, PID 2276 TXPlatforn.exe
- Token: SeIncBasePriorityPrivilege, PID 2276 TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2936: iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- PID 2156: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
- PID 2936: iexplore.exe
- PID 2936: iexplore.exe
- PID 1776: IEXPLORE.EXE
- PID 1776: IEXPLORE.EXE
- PID 1776: IEXPLORE.EXE
- PID 1776: IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs (source PID and process, target PID, procid_target, number of identical entries)
- PID 2156 (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe) wrote to memory of 1264, procid_target 28 (7 entries)
- PID 1428 (TXPlatforn.exe) wrote to memory of 2276, procid_target 31 (7 entries)
- PID 1264 (svchost.exe) wrote to memory of 1856, procid_target 30 (4 entries)
- PID 2156 (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe) wrote to memory of 1772, procid_target 32 (4 entries)
- PID 1856 (cmd.exe) wrote to memory of 2472, procid_target 34 (4 entries)
- PID 2156 (a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe) wrote to memory of 3004, procid_target 35 (4 entries)
- PID 3004 (HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe) wrote to memory of 2936, procid_target 36 (3 entries)
- PID 2936 (iexplore.exe) wrote to memory of 1776, procid_target 38 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe"
  PID: 2156
  Signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
    PID: 1264
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
      PID: 1856
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        PID: 2472
        Signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\svchos.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
    PID: 1772
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
  - C:\Users\Admin\AppData\Local\Temp\HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
    PID: 3004
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
      PID: 2936
      Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
        PID: 1776
        Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  PID: 1428
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    PID: 2276
    Signatures: Drops file in Drivers directory; Sets service image path in registry; Executes dropped EXE; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads