Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 17:55
Static task: static1
Behavioral task: behavioral1
Sample: dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
Resource: win7-20240419-en
General
- Target: dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
- Size: 2.6MB
- MD5: c8b200ca4f616fcc2195c8998a7b1d14
- SHA1: 0877f6e9ae978d76844f1ebb5962de5acc016433
- SHA256: dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320
- SHA512: fafea314c28ff53cfcd35f2250087fcfa3fb908f642ff2ebb4baa4312914f8b14f8f89659b701231f9204442add1eae15bd3171b09dc8291decc07e5244b462b
- SSDEEP: 49152:yCwsbCANnKXferL7Vwe/Gg0P+WhbXqIn:Vws2ANnKXOaeOgmhb6In
Malware Config
Signatures
-
Processes:
resource | yara_rule
behavioral2/memory/900-20-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/900-19-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/900-23-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4612-29-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4612-28-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3792-35-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3792-43-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3792-45-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 9 IoCs
Processes:
resource | yara_rule
C:\Windows\SysWOW64\240605500.txt | family_gh0strat
behavioral2/memory/900-20-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/900-19-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/900-23-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4612-29-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4612-28-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3792-35-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3792-43-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3792-45-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatfor.exe
Sets DLL path for service in the registry 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240605500.txt" | R.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240609484.txt" | R.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatfor.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | HD_msedge.exe (this entry appears 8 times, once per HD_msedge.exe process)
Executes dropped EXE 24 IoCs
Processes:
pid | process
1164 | R.exe
900 | N.exe
4612 | TXPlatfor.exe
3792 | TXPlatfor.exe
4040 | HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
5096 | msedge.exe
1996 | R.exe
1392 | N.exe
3320 | TXPlatfor.exe
3896 | TXPlatfor.exe
1424 | Remote Data.exe
2912 | HD_msedge.exe
5024 | HD_msedge.exe
4180 | HD_msedge.exe
3152 | HD_msedge.exe
5016 | HD_msedge.exe
3796 | HD_msedge.exe
1092 | HD_msedge.exe
4468 | HD_msedge.exe
1852 | HD_msedge.exe
964 | HD_msedge.exe
4624 | HD_msedge.exe
5268 | HD_msedge.exe
5784 | HD_msedge.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
1164 | R.exe
380 | svchost.exe
1996 | R.exe
1424 | Remote Data.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
behavioral2/memory/900-20-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/900-19-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/900-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/900-23-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4612-29-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4612-28-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4612-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3792-35-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3792-43-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3792-45-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe | vmprotect
behavioral2/memory/4040-46-0x0000000000D10000-0x0000000000D96000-memory.dmp | vmprotect
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe
Drops file in System32 directory 8 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatfor.exe | N.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatfor.exe | N.exe
File created | C:\Windows\SysWOW64\240609484.txt | R.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | R.exe
File created | C:\Windows\SysWOW64\240605500.txt | R.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | R.exe
File created | C:\Windows\SysWOW64\Remote Data.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Remote Data.exe | svchost.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
2548 | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe (2 entries)
5096 | msedge.exe (2 entries)
3152 | HD_msedge.exe (2 entries)
2912 | HD_msedge.exe (2 entries)
1572 | identity_helper.exe (2 entries)
5784 | HD_msedge.exe (4 entries)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
3792 | TXPlatfor.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 900 | N.exe
Token: SeLoadDriverPrivilege | 3792 | TXPlatfor.exe
Token: SeIncBasePriorityPrivilege | 1392 | N.exe
Token: 33 | 3792 | TXPlatfor.exe
Token: SeIncBasePriorityPrivilege | 3792 | TXPlatfor.exe
Token: 33 | 3792 | TXPlatfor.exe
Token: SeIncBasePriorityPrivilege | 3792 | TXPlatfor.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid | process
2912 | HD_msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
2912 | HD_msedge.exe (24 identical entries)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
2548 | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe (2 entries)
5096 | msedge.exe (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2548 wrote to memory of 1164 | 2548 | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe | R.exe (3 entries)
PID 2548 wrote to memory of 900 | 2548 | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe | N.exe (3 entries)
PID 900 wrote to memory of 2032 | 900 | N.exe | cmd.exe (3 entries)
PID 4612 wrote to memory of 3792 | 4612 | TXPlatfor.exe | TXPlatfor.exe (3 entries)
PID 2032 wrote to memory of 3628 | 2032 | cmd.exe | PING.EXE (3 entries)
PID 2548 wrote to memory of 4040 | 2548 | dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe | HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe (3 entries)
PID 4040 wrote to memory of 5096 | 4040 | HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe | msedge.exe (3 entries)
PID 5096 wrote to memory of 1996 | 5096 | msedge.exe | R.exe (3 entries)
PID 5096 wrote to memory of 1392 | 5096 | msedge.exe | N.exe (3 entries)
PID 1392 wrote to memory of 1584 | 1392 | N.exe | cmd.exe (3 entries)
PID 3320 wrote to memory of 3896 | 3320 | TXPlatfor.exe | TXPlatfor.exe (3 entries)
PID 380 wrote to memory of 1424 | 380 | svchost.exe | Remote Data.exe (3 entries)
PID 5096 wrote to memory of 2912 | 5096 | msedge.exe | HD_msedge.exe (2 entries)
PID 2912 wrote to memory of 5024 | 2912 | HD_msedge.exe | HD_msedge.exe (2 entries)
PID 2912 wrote to memory of 4180 | 2912 | HD_msedge.exe | HD_msedge.exe (24 entries)
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2548
  - C:\Users\Admin\AppData\Local\Temp\R.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID: 1164
  - C:\Users\Admin\AppData\Local\Temp\N.exe
    command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 900
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      - Suspicious use of WriteProcessMemory
      PID: 2032
      - C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 2 127.0.0.1
        - Runs ping.exe
        PID: 3628
  - C:\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
    command line: C:\Users\Admin\AppData\Local\Temp\HD_dbbc5c04662f8c2f42b1346225f60e8eae47f36ba405237f2caaf72ad651e320.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4040
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://jq.qq.com/?_wv=1027&k=a1Npzmf5
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5096
      - C:\Users\Admin\AppData\Local\Temp\R.exe
        command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
        - Sets DLL path for service in the registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in System32 directory
        PID: 1996
      - C:\Users\Admin\AppData\Local\Temp\N.exe
        command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1392
        - C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
          PID: 1584
          - C:\Windows\SysWOW64\PING.EXE
            command line: ping -n 2 127.0.0.1
            - Runs ping.exe
            PID: 2372
      - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Checks system information in the registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 2912
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd086a46f8,0x7ffd086a4708,0x7ffd086a4718
          - Executes dropped EXE
          PID: 5024
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
          - Executes dropped EXE
          PID: 4180
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 3152
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
          - Executes dropped EXE
          PID: 5016
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 3796
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 1092
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 1852
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4468
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          PID: 4000
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 1572
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 964
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4624
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 5268
        - C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2012,9913383112027966885,1541712789528006137,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 5784
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  PID: 3616
- C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 380
  - C:\Windows\SysWOW64\Remote Data.exe
    command line: "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240605500.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 1424
- C:\Windows\SysWOW64\TXPlatfor.exe
  command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4612
  - C:\Windows\SysWOW64\TXPlatfor.exe
    command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 3792
- C:\Windows\SysWOW64\TXPlatfor.exe
  command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3320
  - C:\Windows\SysWOW64\TXPlatfor.exe
    command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    - Executes dropped EXE
    PID: 3896
- C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2260
- C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2180
Network
MITRE ATT&CK Enterprise v15
Downloads