gh0strat | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
Size

2.3MB
MD5

d12e3aa9a7ef585aa86d8f0850a33a61
SHA1

ce5815817270b9b4f5d8fe0dbefc9a3635bd1700
SHA256

02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338
SHA512

2958916d49de959adb81970a39099a163edb0d858d059e85032b36499639d3708ad495220307933d924313f2c5c79d9332853da2abd69642cf80dc8d9dfee9cb
SSDEEP

24576:Q09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+21Dfun27YA/qV05N:Q09XJt4HIN2H2tFvduyS4Dmn27DCqb

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 11 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/1624-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1624-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1624-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2520-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2520-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-36-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-27-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-71-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2532-70-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 11 IoCs

resource	yara_rule
behavioral1/memory/1624-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1624-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1624-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2520-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2520-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-36-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-27-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-71-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2532-70-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

pid	Process
1624	RVN.exe
2520	TXPlatforn.exe
2532	TXPlatforn.exe
2408	HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
1204	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
2520	TXPlatforn.exe
2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1624-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1624-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1624-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2520-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2520-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-36-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-71-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2532-70-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bdf88a34926c18429e103643977bf4ed0000000002000000000010660000000100002000000003f305257a88f63d7c88bf0713f5e381a8dfdeca171c8165972ed4c43902aef2000000000e8000000002000020000000a4b27057cabc9198140acaf0e8fc658d62a091a8922fb392a0a2ba8d93e551dc90000000d72768a4a12d09b445b16710f78cf8fa9040686fd4da8d786120a60afc4cf0a07a444be7ab38337dc4d1bcf65e26df61b0f0a07178135e3b0fabb12f2f6300d8e67584581e2c06b12201567a203c67d9f7b06df244cdd99912fafdcf06344db7f1b18866eebe2d30cfbcfd755bedc0ee938ef292c683e6fcd264602d2d2e63bddbf6cd2fd0e88f2b0c764562c27e3cac40000000e2aaa96f73954302fc98a2d98edab41ee92db08664546b63624527ce902af140f2d45ff5943ba951df2d43ce93469caf1c5b775d4a3a6518d099cf05040b3c9b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F0B5B61-1ACC-11EF-B671-4AE872E97954} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bdf88a34926c18429e103643977bf4ed000000000200000000001066000000010000200000001e3edcf1349f8d78bc620c3e3a0bc77f7c500f8306fbbcac8ddd5dc5d89b642c000000000e8000000002000020000000e7d16bdb6848a6fb85dc6a40bcf16f00d22a20ed3d6a419a9cee2e7510dc604a20000000a18458bd02dce163a42522a9b1a0f1e727c394f0358776951920b8a56022b0d040000000338259781bb9217a1da399de6468eb0b29f057b550a84b4e5ee2b14eae00ad785345ef8c5679ff0573198f91b0de91044ca4a25653936f348874d43a669e190f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2053b356d9aeda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422826977"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1660	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2532	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1624	RVN.exe
Token: SeLoadDriverPrivilege	2532	TXPlatforn.exe
Token: 33	2532	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2532	TXPlatforn.exe
Token: 33	2532	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2532	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1280	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
1280	iexplore.exe
1280	iexplore.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 2460 wrote to memory of 1624	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	28
PID 1624 wrote to memory of 2632	1624	RVN.exe	30
PID 1624 wrote to memory of 2632	1624	RVN.exe	30
PID 1624 wrote to memory of 2632	1624	RVN.exe	30
PID 1624 wrote to memory of 2632	1624	RVN.exe	30
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2520 wrote to memory of 2532	2520	TXPlatforn.exe	31
PID 2460 wrote to memory of 2408	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	32
PID 2460 wrote to memory of 2408	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	32
PID 2460 wrote to memory of 2408	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	32
PID 2460 wrote to memory of 2408	2460	02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	32
PID 2632 wrote to memory of 1660	2632	cmd.exe	34
PID 2632 wrote to memory of 1660	2632	cmd.exe	34
PID 2632 wrote to memory of 1660	2632	cmd.exe	34
PID 2632 wrote to memory of 1660	2632	cmd.exe	34
PID 2408 wrote to memory of 1280	2408	HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	35
PID 2408 wrote to memory of 1280	2408	HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	35
PID 2408 wrote to memory of 1280	2408	HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe	35
PID 1280 wrote to memory of 2656	1280	iexplore.exe	37
PID 1280 wrote to memory of 2656	1280	iexplore.exe	37
PID 1280 wrote to memory of 2656	1280	iexplore.exe	37
PID 1280 wrote to memory of 2656	1280	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
"C:\Users\Admin\AppData\Local\Temp\02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1660
- C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
  C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2656

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
471B

MD5
ffc9e31efa3749e9d97a8659cbfe09e6

SHA1
7a4405a3216d131246c49eafe51b41abb60182c6

SHA256
53ae30db94d4d98589695aa5239b6b01b803c343276d8a0a9f2b865e5369f5d5

SHA512
320e1a0da8a70911edbfd96a5e6d67b1cfa7cc6b9bc6f2da91a1d94b43bdebb7bd43a862aed66a5fd1b530390753073180148277dfc3f030a65f7c1e4b9939db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
cbe7e2c45b389c4072e72f4054d7dc06

SHA1
8fef57ed1a3508666b861462184e638db2a836dd

SHA256
2d0db3020d79bcecc7f0b727107371ac0c649fc26cc3018ff13af7d549563599

SHA512
6a1566145ad198c7658e523931401496bb0bd034be94b2cc37f97b3d2f9aa8e9ed93a81dcd02621ef4b009a019713281850d2e1f7f0febc204276f048311e185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9312591e47d4577fbd0eae0777540ab8

SHA1
536fb0c4142c5676cfc95c665c7b78811f1f9704

SHA256
1d0c438fdaff750d642dde1f41767c1cc2615e9e39d66858e1ac321bac7ee5de

SHA512
f5299d7eb1125f4f529b04de46ec5dbdd69cd6a58500967a6b387320e75b12578fff6299c23b5514cd83c7349e72ecd74de756551505f2fb2c110e95fe6afe15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e878b28fbfe6d38f3cc470b9858608eb

SHA1
8b2788202d224415df5a8d63bac2cfce2e542294

SHA256
b7b5aaffa77c28c5dfa73e1289b267a28dbecc15ba081b8d78e9fee25dda0e02

SHA512
0da48956614cf91043dcc85f3cbc15a72a28c8b0c1c6694a457a430d78a937deb159691f3162250d30a33a5e658052b397f991ed26bb383ff10b1b8dbf45241e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c3dc1bdedd7a1cc3e997fd6a8c63673

SHA1
2435f7d69389f19db35b4cc5d36052897ce75a89

SHA256
643b2c8141c5e2e57f7bb80019afe084a9a67fca5b1134be8562ff7838f54bd4

SHA512
0d108708d409ffd3c949d1357553992a49893a1a438bedeb0ab2edb5539eb4841165ed49c4a55af6b6518f1bced0b4a383535b9bf1ef53d2c5086895f41fdc28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
902c5f7c45853a83c29c17e518888b61

SHA1
71457db0616453967cad7c69be42017d9381e9ce

SHA256
98a66450b114fef0aae9e345a224af693c4fd304e2205d04fdf313133734e2cf

SHA512
cf4b83897e4eaf664b5a213c77d9a41d599323f0512a2a1f55ac5b1f5e6238d622b4d4de3cf04be40e592123c2a708cc1cb00271c9bd9c3fc7ff901f0f1e0f95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfda4d9a4a5229603b7464a05863d2b1

SHA1
7796558d668fef57c52ef1f795c6406e8de4291b

SHA256
22d4e6ce15a1cb5a67c93a518ab1ee4ed8c769c024a20a5e52d55c2b48386653

SHA512
78b6c4718bb461ce7928dad4fd708782c8079259b73055329e4e77f2581449438bf413d678f1504bfe5aaa383dc916b176ff61bfce5c6e5a0a939dffd31a2646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07677a671f81bd4d6af2b404d5b0c593

SHA1
0b6e32adb4726b235ad604a566b16c3379bcb97c

SHA256
ff0a370d7d321ba7b914c4f3571df3c848a31fcb06ddc4778daeee51fbb662d2

SHA512
47fed91c7fafad2dc5f7a3f3dccd570ee17d7edff79fe630b23ea6e9a7141dc00d442d6ca0551ace8bd6b6c714db3875acdbf912568c0021f4e2f7df61ad29e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
553eff07b3b49bf8743621b77a769a15

SHA1
1c1df9ea5fe23dd553eacea9656fb1045ad7078a

SHA256
1a8a6532adeeff95e60a381c73d95303b3423a8e0e767fa09d51aad013eea130

SHA512
bf4830bb607f6568f4f693afb5711d63c409eaae665d384ab5cc1f6ad1fb25b956a1f7d15a3b3a63bc615c49328dad58e1c3a96ff4c5f18f483c7fdcd9c72350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
131edcdaf2c4ebed49f156db577afc28

SHA1
7c60b92ccb12c7a2270d0dcf4ed3b5b97802a406

SHA256
e23f24ecf18144382e25840aaeeeafb5be790203a9ad3b789b6cd6d15f71f383

SHA512
cd6e1a1cf6b6caefe5b1d2dcd2873b98e6eaede9f2358e7284d2e46b8e2ab9c7df8af029e95a83be205eb1c411e412d7959e31dd093ded4517cc34fe10cc3fa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5843663fdbb7664caa58d1ab632da544

SHA1
88580ca93ac7a63874dc0b204d6ffa7bf1c0f04f

SHA256
a41fcf4bdc28a666771156d0467642173bd917042f98782b85c92cf7ffc1b663

SHA512
4452ec82bb469ea5a10e77adcd0f0531a9a782309e1ea04a6e3614ce5d6a98cdff6ea03aaecd4d714dcdc363d63924e2efbbfa1c889262731501428a31499c50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6afc91b6b0273322bfd3acf1dbf69d2

SHA1
39fd5650eecce46951a83cb1648f6bf87fd65857

SHA256
cd92fc7e46bb4fd7bf84fbb87ee09de48d3eb019a21bd88c5a681f97653d435f

SHA512
5ab07697aab7d5cf32eaed0c8639dcb56049ae42a05aae68e732d793ab85e00b109c35c00f398016608f017fc93ae9bc8971a0e8cd3ebc4e483dcedd29787b37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b6bb61ebe481a9e9295b4587e348a69c

SHA1
7539403c7e57dbfaf143397ac17bd630b6672cd1

SHA256
dba8670a27ae5f7f04ec61784edc9c24389a1435070a939365e93bc0880f780b

SHA512
4cb30a3ad776c790f49ecb80a97d9c9ef0ae03ddd7b946b3a5fe0722314324ca3539397fc7be9e63efcd658ae67e403aed796ed3891165d3d841595e40cc8d7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b0926049fb2da0387daae9c56738df80

SHA1
9086ffc9cd600fe5059366b39646c286a287198c

SHA256
939eddef03a138a3aeef9ab3e5ec3f4b8849a1f51ec82aa84e31c1797cabe0ff

SHA512
c131ee5f309a1d42f90f7ff7d46d216f5b272d256708b6f5b6233d515e1ee37a3ec5b22ec4a10ec69057cc8d9dd616a22a8214f9d3b913f67022714117ece2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a27a64329442b515afde4a463bf9b123

SHA1
82984a2ff2921f111dc2162a838b9a60d573d676

SHA256
25accf902864d8145cb6dbbfd315b5783bf679918d5f15accee04099e4d5a09c

SHA512
fa9c2f69b2c90e00c629225a2c82665d505a59dae79c5c342abecb01a875185971679abd805b8b4609f8519d969629b2d57627d7f545433a20a0c6e3edf73ea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25d60260b38e227188e8512351ea1f31

SHA1
9745758a0490a053042d0b48ac424e70f90cf973

SHA256
6e79128a35aff2b44e93a727714a9d671bb736b57fd771aee992b42177a2712e

SHA512
e447cfbc05a598641128fc266d5ab3d1793e6b4ef110b44f198024de247ce5bee9c287f573e4ef8ba475ccdf8e37f354e7ba8af4d277ddd140a1ba25c93f5f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43b287a4dc9eec68513f4995ec99001a

SHA1
226d653a1c0ca164fea1f96a944096f46d59a0d9

SHA256
1b796bdc7e393abd982f76bb9e51039bf3b82ad39808eec5fbf6eee9bf059d43

SHA512
0dc15f0d305a5f8be268205afdd857ca346fafadd5bf77f4fa7d76273c49d32040056c8645f15bac9d4684d0d0fdfbecdbf7604f23143e7ac8554cf4886424e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de052feb638d4f90999f3fc39c76f274

SHA1
fe3d1ecbbf131609f56e08143a3b4bbc632d5cd5

SHA256
833a43ce4b3f9395117d6d7245b8f685781e6431084d6588cda2efd8672afa14

SHA512
16c3854d2e9e6691856545e58d677b703108a15eba5da815d12984238d8a45036113d71a134e488e65a15013f86e3d1dd51e3cad2144f8154b799dee56ac7e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3b7f64989d7a4bfcf289044e1f7aee2

SHA1
fcd73f8a047cb220eea4cc16ae2fd578f2cc85cf

SHA256
b34449e433c6e43b166c6278c6f826238451767f14417e21a52e2c154acafe95

SHA512
d106c0710b5d362a2b480af6070ff58610a81608ebe12b38b12a2df4889e3fadadad700d1945c1d7ea4bd7642aef7f12bd12efffa52c80c26b9585906e7bb79d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a13c0d52804e1852dfd4197c51c23c17

SHA1
18cefbbe91ac324f236cbc10fe9cb79f1d2f8775

SHA256
1424b1ffaa0edc74e6f277163c046bdc563987363c0e6964f584d3eaa22ade77

SHA512
fc187e692cc3af67c0996ac04388620f0971a2e162dbf6b0c444bbd3d161cb3e2eed4182338382d550a64187b2be19d03f66f532c36494968fdc26cb0874c007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c39b4e11dd411134d171260ec0c54a2c

SHA1
68a1783139d3397645ca149910700d2606a37926

SHA256
3654d0b9022b49696f0537ae36cbd3c2b6613557422e811006db34ad7d087bb2

SHA512
336145e6b19f3190117de307be2cfb0ab1920e45453cbc400f448552978ac612a6c45625247b02073e18c418adb6fcec4d819292984496c65a2c2c3a2e64d4d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b812a30c034bbcf88533bac7508aa517

SHA1
59507b0b3f6d8f4009d8dc85a48ba00bb95f2092

SHA256
1de3b937eabf9289ac08a16c7f91d7e4d1761ead140bf3fbcd0156b6e06d3a33

SHA512
9bef25f043d40fc5d3a4b42e899e0928e45fdde50601e5d98a3f3d41988120765fdcd4cbd54d18714c33f888579dbb39e3277b78bcc8afaf6dfecfd70fbad3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD201.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe

Filesize
644KB

MD5
66eb21741ecfc2a8a53a24d65ec7a40a

SHA1
6d70532a0b9a1012da004bb78461fff8d9845253

SHA256
64cd27f902fdf3e74c2ed74f7640ec000441ef46daffa20416da582e751b18a8

SHA512
47289021ab9543a30a2ab647f42619cba048be9c03f4b8c6fbc888bb7167c0cd8868e482114874c0b6c8f02dc48b6e87d22b1c4f04e53a0d20b62897199955be

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.7MB

MD5
fb1d8296569bcb3582d0c85c6cdd8aaf

SHA1
c92ebe86c07f3bdfbfff40cd531bf95b98d33771

SHA256
cf3aafcd22549318d89c4dca8f0f1febe69cd8018803476f6d9e8e1ccf0a03c0

SHA512
1810fbb2ca21db4370ebbd53e6c8ea9aa50c748b4878191dd963391c0577b5da12c480b57a5e67510c4c1713b9b10f5076138e10eff5a7a7cf41e33eb6331f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD202.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD331.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/1624-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1624-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1624-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1624-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2520-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2520-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-36-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2532-70-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download