gh0strat | e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
Size

3.3MB
MD5

534dc27fc6e0fadae9e578b7ba252eb1
SHA1

ec2d7aa2b025bdf2b78015539495bdded4789151
SHA256

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4
SHA512

9a6254d636a39fdae05f05fed952d2a9b65413bf6c08f7a72c5bc9c938118fdb26e6e99b3209b8988340a09dd1af5c7370465e1095048e119ad03ff6f06cf868
SSDEEP

49152:ECwsbCANnKXferL7Vwe/Gg0P+WhelDCom:Hws2ANnKXOaeOgmhelmom

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2716-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2716-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2716-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2716-45-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2716-48-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259402190.txt	family_gh0strat
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2716-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2716-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2716-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2716-45-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2716-48-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259402190.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 7 IoCs

Processes:

R.exeN.exeTXPlatfor.exeHD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exeTXPlatfor.exeRemote Data.exe

pid	process
1968	R.exe
2628	N.exe
2792	TXPlatfor.exe
2712	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
2716	TXPlatfor.exe
1208
2756	Remote Data.exe

Loads dropped DLL 9 IoCs

Processes:

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exeR.exesvchost.exeTXPlatfor.exeRemote Data.exe

pid	process
2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
1968	R.exe
3044	svchost.exe
2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
2792	TXPlatfor.exe
1208
3044	svchost.exe
2756	Remote Data.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-45-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2716-48-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchost.exeN.exeR.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259402190.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004380ec36de08e071e97a17007931c35cbc42e7cf84d92a1c1f28e2d1a8a71959000000000e8000000002000020000000430e81642b0734126496a20bc6eb5d49be70b8e258e4367ae50bed779290e6af90000000a625f22ec3c9dc7a5cfc745ad18d35670ede3016a6bc51ee3d019cd5354ee92e6a45119a01f98174219e2ca470cb0aaf5611e0e44372b0144b29074ecbf432778979ac192bf2527c53bc904c01fd3d66e78b49826e088ece6e5df2d1088c914ec8fc4757b3a22efa9a89a6a9e1bdf0247c6a9ee152c71d0556e9b36d54613ed293d6c47b637ccecac62b8429358ada7140000000618757513e2abd4a522878be1e340023f959f89c6f12b7d2147d7e35d5be8b47db9715c13d2c2b50419662757d4d8347030c49a5ba34dc24cd50b27af203dc35	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301ff443caaeda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6DC45051-1ABD-11EF-AA6D-D62CE60191A1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000b91086379e0f536c74fdb2456698cb4619d6083464d0ea23e12297a4a5299b35000000000e80000000020000200000007cddfbee9ab180a81dee3522bfec9f85d6340cf9920101653436036d453dc901200000009c10c54abfafcb9589f6dcb1b5251c1c9c409a6a3091ad326069d933a5ed2713400000006d95e8c3735074690d213e17aa69b3858868ab109e989b5b3cda5040474211f41858654f64007e9a7b4bd9fa43190f5fcf2fef4b5210dca182b73b829ffc0c77	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422820504"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2688 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe

pid process

2116 e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

2716 TXPlatfor.exe

pid	process
2688	PING.EXE

pid	process
2716	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

N.exeTXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2628	N.exe
Token: SeLoadDriverPrivilege	2716	TXPlatfor.exe
Token: 33	2716	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2716	TXPlatfor.exe
Token: 33	2716	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2716	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2876 iexplore.exe

pid	process
2876	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exeiexplore.exeIEXPLORE.EXE

pid	process
2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
2876	iexplore.exe
2876	iexplore.exe
1244	IEXPLORE.EXE
1244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exeN.exeTXPlatfor.execmd.exesvchost.exeHD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exeiexplore.exe

description	pid	process	target process
PID 2116 wrote to memory of 1968	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	R.exe
PID 2116 wrote to memory of 1968	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	R.exe
PID 2116 wrote to memory of 1968	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	R.exe
PID 2116 wrote to memory of 1968	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	R.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2116 wrote to memory of 2628	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	N.exe
PID 2628 wrote to memory of 2772	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2772	2628	N.exe	cmd.exe
PID 2116 wrote to memory of 2712	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
PID 2116 wrote to memory of 2712	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
PID 2116 wrote to memory of 2712	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
PID 2116 wrote to memory of 2712	2116	e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2792 wrote to memory of 2716	2792	TXPlatfor.exe	TXPlatfor.exe
PID 2772 wrote to memory of 2688	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 2688	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 2688	2772	cmd.exe	PING.EXE
PID 2772 wrote to memory of 2688	2772	cmd.exe	PING.EXE
PID 3044 wrote to memory of 2756	3044	svchost.exe	Remote Data.exe
PID 3044 wrote to memory of 2756	3044	svchost.exe	Remote Data.exe
PID 3044 wrote to memory of 2756	3044	svchost.exe	Remote Data.exe
PID 3044 wrote to memory of 2756	3044	svchost.exe	Remote Data.exe
PID 2712 wrote to memory of 2876	2712	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	iexplore.exe
PID 2712 wrote to memory of 2876	2712	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	iexplore.exe
PID 2712 wrote to memory of 2876	2712	HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe	iexplore.exe
PID 2876 wrote to memory of 1244	2876	iexplore.exe	IEXPLORE.EXE
PID 2876 wrote to memory of 1244	2876	iexplore.exe	IEXPLORE.EXE
PID 2876 wrote to memory of 1244	2876	iexplore.exe	IEXPLORE.EXE
PID 2876 wrote to memory of 1244	2876	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
"C:\Users\Admin\AppData\Local\Temp\e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Sets DLL path for service in the registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2688
- C:\Users\Admin\AppData\Local\Temp\HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
  C:\Users\Admin\AppData\Local\Temp\HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1740

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259402190.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2756

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
471B

MD5
ffc9e31efa3749e9d97a8659cbfe09e6

SHA1
7a4405a3216d131246c49eafe51b41abb60182c6

SHA256
53ae30db94d4d98589695aa5239b6b01b803c343276d8a0a9f2b865e5369f5d5

SHA512
320e1a0da8a70911edbfd96a5e6d67b1cfa7cc6b9bc6f2da91a1d94b43bdebb7bd43a862aed66a5fd1b530390753073180148277dfc3f030a65f7c1e4b9939db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a215a9414cf5621304a5e4481ee9d77

SHA1
f8fdd5ff3086d4d34099ec69d8b15460dc7ae439

SHA256
9eca23b3f0e49bda1911c680f35af7b65a384704b7d568a0f0d5581cb985c678

SHA512
fac1ec6b6f575c2a732e85148e248da8934bf5cbdaa99922ef55485771a630f9b01b53b677d73b387fbbfd6cd4ed08bcaa75e47f8a2e0fc4dcd837ee23e2be5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9eb9d5d2f3164b94e5c48cc202eb793e

SHA1
e961b5ff1e7d4519844bbb1ba19fe162277bb5d4

SHA256
e6a53d70062cac956c278220c89f3c78ebcb99d6718faf1c27b86d426de91468

SHA512
691d689e644cba4f21bae59c3efd73795847469fece7978094dac687af00e6713f974931b3205ea82ec02181cd6b3982dd56adbf32a3c83e97a30a23d480523d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f5698f2591edc9ecae37cc224d1ab4a

SHA1
5c28b845ee17b12741f6f480b304b63e54646f4c

SHA256
696414bc4693592b09e449154d2be7c108f6533aa58ad9b6701ca59c3879420a

SHA512
44b93b4e09e78e71315dbaf3d2906a282a199ae95ce324623340d667008b30fda0d0c66bc69a3bb3c1b1416a4e6b52cef5eb78bf89ebe153068d167aa71f5383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fba42bfd3500a3dc4496fac1cd71da3d

SHA1
ca21fbf24e1df6cb437f9e04c857e4d374ef7abd

SHA256
363359a137fe5eb4c48ab843dd182687606e6bbea2b7daa3e62bfd89e9b6cc34

SHA512
80d7ea671c2ed59fdf53ac6bb31bd6065a7ac5973b0c5608be1b6f9737c47f01cae7e1a72637ced88aced84228aa4709a0689e0be16e37d3b9be03637e95b025

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
edce66abc041ef973fb8a33fd503e7c3

SHA1
c668a95d50e2fe6912024da09c5122e743e5f1ca

SHA256
3e8186760a6fa38b9f6f99d20d32004b7cda27b4d7bfaea5b1f00e700a76d7e6

SHA512
2d823f843adc2a27461d3801c45efb30ef0929d9cc825d13d64aaaa9695c177a1a41defdaadec0b2cf35bbc72682f3082bc4ec57e7e274283658c4c715a2e764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fecfa4bbc885742dcba46bcbae33e68

SHA1
42f81c295a9412bef3b2a5bd9e398adb3872d170

SHA256
81a035a7e56e377502c2ffd998d84249dd0c1e22e915cdc10362c1a0fae403d2

SHA512
f29b697b837055e1a4b0350b2c02ec6ecb2c884a29ba16334f953a60c829ac6b081e15dc736f9cd6fd49839262dd7e87d85cd8d7ed7923cd84c6d6c9c6e1fc86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de0c91d2b86df4fe2821cacd38a529ec

SHA1
344ad4bb88ee921387d1e4c525bab29ba24f4a4e

SHA256
a539903580af49a32cf52a255d37dc4a8cce652099d5d67a83fe01d2035e33be

SHA512
c1864d0f5fdc79e030c410a070e8960745567750ab845ec8203bc48c88636e8a9fb1e1188c1e96bdb9e363fd793cef87a744d188a9715d52161f4f180f9a5757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be5fc89fae29208df72736cf5dc106ca

SHA1
f62218479f676087aa2afdfe7f8236a307fdf443

SHA256
f5fc14fbed59784dda03855a02d8fbdfa97c61b45631d321df67aa51e95ba813

SHA512
35fa92438f96c635a05dc9ae1074a6d12c67fa7aa61f1efd2998e60eb04578ef2388d7c69b5429b53704897ff956224dc3c9a341a89a0b7f643e94386868de08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a403ef9313fb72ee061d619447d81e62

SHA1
1537f4e4c826233950cd35b660d8c7cda2f84700

SHA256
036d3c5c0e18de3f8b4974e9d72aac2bdcbf68f75be7435b5c201cb3b39318ea

SHA512
2dd213cb1e55bbe2b36b0598746325b8cf367f45b60906cb3369d894d3f6243cc17ee6ff06a11bfdb2626b2d354da43117425ca0f867bf02bd3f3a28b5f4c5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0c90c8856ee289cbe451359691ddf09

SHA1
d6a89c5351889a2a92d1a70bdcfed758c8d4c769

SHA256
2f76682edeb90c2c3d694240a74ef4bd9669d14d875c752d5d245d84ca8b7ec2

SHA512
8db065ba3980126848dc30f144074d950f0475b5692d317d7c1b67585bdd0112142dc9d429bf3d82f50ac16f0810dc1fdc562af8cd6aa1597f9573bae1be77ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
23fa9b13c84d1ad4749a3d95346c6cd3

SHA1
0fd38b99c69a84b87d08a37920de973d448954d5

SHA256
206d2b3175fb17169c984948c5508deb7b898201f3e26dc786143c69877f149a

SHA512
37e4d69d4fd1cc92819aa13bbdd1b971523323092d2fe143ec79ce3135ac127e61a20efc7a1e44153452fcf66418534cb14dbfc429d939c28e7ed83e936e1912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3f3ae91687a3d4aa7bbeb20ce384312

SHA1
e144974a0f308ace3a9a9e4cd8f8496116e83c67

SHA256
6750acaa22dcad62a562a5ee64635dcb3644510a40eca99e7487b4c8139f4aba

SHA512
4739f0deec1e2a452fb3e6b7b9412a28b4f8e361c08c84689fc1b03b3809bcac35e7c11c53bd0107d3f1085c07e2758de37ab08c69a824415b8f20005a1f7ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
402B

MD5
e2d47c7128d02ca59482c3ee5e941c83

SHA1
03323de557a09e3ab4dff5a0860d20006b2bea9e

SHA256
ca8729e1900408357f3ef1a598344433bc41fb17e9b009a4de713bbb1544db4f

SHA512
d95fc54f64bb853e3c0f6ac7d717a54c233d7c990cb696a183ceb4ec7946e7a4c0bb9538aaa121d552a708be7251c20eb1077715806e6a5c8a199c477f824e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6653.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.7MB

MD5
372a9a2d1060b5f7ff3aa37b5acefe82

SHA1
808cafae83c76ab59a48404748170b66f5bd6c44

SHA256
1c1842e702cb832b3c021d2857d2a346cbb98250b6f8d7c4f214a666c1cac0e8

SHA512
a55a10e0c18daadefbe19141915ae9c2ae3d92affb9ecf52ce906039c8ac2cccd54b19417440f388e8dd18a61ca71537723363bef99332c08b299e9f9f1d4288

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6654.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_e75a4799355d4b5288255b071d341089f2556d720c89d2e4dc73f982db7734e4.exe

Filesize
644KB

MD5
e1b51248e9657f48a0daefc3958f7864

SHA1
248878fea5a3b5708c0621ce197d18b42f44f85b

SHA256
d8df1e229becafa07c85a1ea8d7f777f92280720fea9144a5df7176c52795f93

SHA512
c789b3de67a41dbd51a1715b72b3620d8d41299544a2c141105a942e8a24616d2ee7d3337de0b450c0981613f86f46bd9e428505db39ecfb57133f3e5a353b03

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259402190.txt

Filesize
899KB

MD5
dbed2ab3f6d33728c5066fc0121be95c

SHA1
d94e82e9226a5cf3ca8d3372b5eac3d7a325927a

SHA256
29422d641757bec4dec618222240c358b9574033cf5dc10322a3c7c1023ac2a1

SHA512
05ba8f704636a9e700549257f20c6b1830977d5dc3e4dbf976a7fb0ad7f76cdc025f9e5a285f0ab3b8198026444626f7fb335bd0af399fec7bafafa4d8ec6717

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-45-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2716-48-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download