Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 11:48
Static task: static1
Behavioral task: behavioral1
Sample: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
Resource: win7-20240221-en

General
Target: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
Size: 2.4MB
MD5: d39ac7b4e8ab5542cabe722ea6e3b095
SHA1: 547eeec20f6724568c11fd9371b1336d8e312410
SHA256: a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17
SHA512: e9843b5de54f69a7d6f32f9cc292ab6cdbead4e89d0e4880fe5f172eaa71b25f1e972e7b4f3a3da99ce7115dacb7612a2af3098b05bbd6d523a9fa5d6e392df1
SSDEEP: 24576:MQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVMgrnGsAJuH0:MQZAdVyVT9n/Gg0P+WhohgrGlN
Signatures
YARA rule purplefox_rootkit matched in memory 11 IoCs
resource | yara_rule
behavioral2/memory/2028-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2028-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/2028-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1440-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1440-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1440-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/1440-26-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4828-30-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4828-38-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 12 IoCs
resource | yara_rule
behavioral2/memory/2028-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2028-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/2028-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1440-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1440-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1440-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/1440-26-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/files/0x0007000000023439-27.dat | family_gh0strat
behavioral2/memory/4828-30-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4828-38-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240611281.txt" | svchos.exe
The service name Ö÷¶¯·ÀÓù·þÎñÄ£¿é is the GBK string 主动防御服务模块 ("Active Defense Service Module") rendered as mojibake by the sandbox; the same name is reused for the dropped EXE in SysWOW64 and for the svchost.exe -k service group in the process tree. The ServiceDll points at a .txt file, so the service host loads a DLL disguised with a non-executable extension.
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Executes dropped EXE 24 IoCs
pid | Process
2028 | svchost.exe
1440 | TXPlatforn.exe
3712 | svchos.exe
4828 | TXPlatforn.exe
1428 | HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
5000 | msedge.exe
1964 | svchost.exe
3100 | TXPlatforn.exe
1604 | svchos.exe
2672 | TXPlatforn.exe
2256 | HD_msedge.exe
3512 | HD_msedge.exe
2564 | HD_msedge.exe
628 | HD_msedge.exe
3528 | HD_msedge.exe
3504 | HD_msedge.exe
1452 | HD_msedge.exe
3304 | HD_msedge.exe
4276 | HD_msedge.exe
4836 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
4984 | HD_msedge.exe
1356 | HD_msedge.exe
5168 | HD_msedge.exe
5712 | HD_msedge.exe
Loads dropped DLL 4 IoCs
pid | Process
3712 | svchos.exe
1604 | svchos.exe
2412 | svchost.exe
4836 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule upx matched in memory 13 IoCs
resource | yara_rule
behavioral2/memory/2028-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2028-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2028-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/2028-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1440-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1440-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1440-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1440-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/1440-26-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4828-30-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4828-33-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4828-37-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4828-38-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe
Drops file in System32 directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File created | C:\Windows\SysWOW64\240603953.txt | svchos.exe
File created | C:\Windows\SysWOW64\240611281.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1808 | 3712 | WerFault.exe | 86
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
pid | Process
3460 | PING.EXE
3012 | PING.EXE
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
5000 | msedge.exe
5000 | msedge.exe
628 | HD_msedge.exe
628 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
1428 | identity_helper.exe
1428 | identity_helper.exe
5712 | HD_msedge.exe
5712 | HD_msedge.exe
5712 | HD_msedge.exe
5712 | HD_msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
4828 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2028 | svchost.exe
Token: SeLoadDriverPrivilege | 4828 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 1964 | svchost.exe
Token: 33 | 4828 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4828 | TXPlatforn.exe
Token: 33 | 4828 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4828 | TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid | Process
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
2256 | HD_msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
5000 | msedge.exe
5000 | msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1176 wrote to memory of 2028 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 83
PID 1176 wrote to memory of 2028 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 83
PID 1176 wrote to memory of 2028 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 83
PID 2028 wrote to memory of 636 | 2028 | svchost.exe | 85
PID 2028 wrote to memory of 636 | 2028 | svchost.exe | 85
PID 2028 wrote to memory of 636 | 2028 | svchost.exe | 85
PID 1176 wrote to memory of 3712 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 86
PID 1176 wrote to memory of 3712 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 86
PID 1176 wrote to memory of 3712 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 86
PID 1440 wrote to memory of 4828 | 1440 | TXPlatforn.exe | 87
PID 1440 wrote to memory of 4828 | 1440 | TXPlatforn.exe | 87
PID 1440 wrote to memory of 4828 | 1440 | TXPlatforn.exe | 87
PID 636 wrote to memory of 3460 | 636 | cmd.exe | 92
PID 636 wrote to memory of 3460 | 636 | cmd.exe | 92
PID 636 wrote to memory of 3460 | 636 | cmd.exe | 92
PID 1176 wrote to memory of 1428 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 96
PID 1176 wrote to memory of 1428 | 1176 | a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 96
PID 1428 wrote to memory of 5000 | 1428 | HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 101
PID 1428 wrote to memory of 5000 | 1428 | HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 101
PID 1428 wrote to memory of 5000 | 1428 | HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe | 101
PID 5000 wrote to memory of 1964 | 5000 | msedge.exe | 102
PID 5000 wrote to memory of 1964 | 5000 | msedge.exe | 102
PID 5000 wrote to memory of 1964 | 5000 | msedge.exe | 102
PID 1964 wrote to memory of 3016 | 1964 | svchost.exe | 104
PID 1964 wrote to memory of 3016 | 1964 | svchost.exe | 104
PID 1964 wrote to memory of 3016 | 1964 | svchost.exe | 104
PID 5000 wrote to memory of 1604 | 5000 | msedge.exe | 105
PID 5000 wrote to memory of 1604 | 5000 | msedge.exe | 105
PID 5000 wrote to memory of 1604 | 5000 | msedge.exe | 105
PID 3100 wrote to memory of 2672 | 3100 | TXPlatforn.exe | 106
PID 3100 wrote to memory of 2672 | 3100 | TXPlatforn.exe | 106
PID 3100 wrote to memory of 2672 | 3100 | TXPlatforn.exe | 106
PID 5000 wrote to memory of 2256 | 5000 | msedge.exe | 110
PID 5000 wrote to memory of 2256 | 5000 | msedge.exe | 110
PID 2256 wrote to memory of 3512 | 2256 | HD_msedge.exe | 112
PID 2256 wrote to memory of 3512 | 2256 | HD_msedge.exe | 112
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
PID 2256 wrote to memory of 2564 | 2256 | HD_msedge.exe | 114
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes
(Each entry: image path, command line, triggered signatures, PID. Children are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1176

    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2028

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
          - Suspicious use of WriteProcessMemory
          PID: 636

            C:\Windows\SysWOW64\PING.EXE
              Command line: ping -n 2 127.0.0.1
              - Runs ping.exe
              PID: 3460

    C:\Users\Admin\AppData\Local\Temp\svchos.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      PID: 3712

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 456
          - Program crash
          PID: 1808

    C:\Users\Admin\AppData\Local\Temp\HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\HD_a0e16b3a0b14ec290721eb4a77b45fcb95d3ad980b8418cde67e818c8bc9ce17.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1428

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 5000

            C:\Users\Admin\AppData\Local\Temp\svchost.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 1964

                C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
                  PID: 3016

                    C:\Windows\SysWOW64\PING.EXE
                      Command line: ping -n 2 127.0.0.1
                      - Runs ping.exe
                      PID: 3012

            C:\Users\Admin\AppData\Local\Temp\svchos.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
              - Sets DLL path for service in the registry
              - Executes dropped EXE
              - Loads dropped DLL
              - Drops file in System32 directory
              PID: 1604

            C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Checks system information in the registry
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 2256

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ff96db446f8,0x7ff96db44708,0x7ff96db44718
                  - Executes dropped EXE
                  PID: 3512

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
                  - Executes dropped EXE
                  PID: 2564

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 628

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
                  - Executes dropped EXE
                  PID: 3528

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 3504

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 1452

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 4276

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 3304

                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
                  PID: 3680

                C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 1428

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 4984

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 1356

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                  - Checks computer location settings
                  - Executes dropped EXE
                  PID: 5168

                C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2052,14175924189067975913,2030853680749913002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 5712

C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1440

    C:\Windows\SysWOW64\TXPlatforn.exe
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      PID: 4828

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3712 -ip 3712
  PID: 1768

C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3100

    C:\Windows\SysWOW64\TXPlatforn.exe
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      - Executes dropped EXE
      PID: 2672

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  PID: 1976

C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
  - Loads dropped DLL
  - Drops file in System32 directory
  PID: 2412

    C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
      Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240611281.txt",MainThread
      - Executes dropped EXE
      - Loads dropped DLL
      PID: 4836

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5020

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2640
MITRE ATT&CK Enterprise v15
Downloads