Analysis
- max time kernel: 150s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 19:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
- Resource: win7-20240221-en
General
- Target: 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
- Size: 2.3MB
- MD5: d12e3aa9a7ef585aa86d8f0850a33a61
- SHA1: ce5815817270b9b4f5d8fe0dbefc9a3635bd1700
- SHA256: 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338
- SHA512: 2958916d49de959adb81970a39099a163edb0d858d059e85032b36499639d3708ad495220307933d924313f2c5c79d9332853da2abd69642cf80dc8d9dfee9cb
- SSDEEP: 24576:Q09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+21Dfun27YA/qV05N:Q09XJt4HIN2H2tFvduyS4Dmn27DCqb
Malware Config
Signatures
resource | yara_rule
behavioral2/memory/4276-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4276-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4276-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/712-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/712-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/712-28-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3044-27-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/712-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3044-34-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3044-53-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/3044-77-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 11 IoCs
resource | yara_rule
behavioral2/memory/4276-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4276-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4276-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/712-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/712-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/712-28-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3044-27-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/712-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3044-34-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3044-53-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/3044-77-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: HD_msedge.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Executes dropped EXE 21 IoCs
pid | process
4276 | RVN.exe
712 | TXPlatforn.exe
3044 | TXPlatforn.exe
1488 | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
3200 | msedge.exe
5012 | RVN.exe
4532 | TXPlatforn.exe
4080 | TXPlatforn.exe
4416 | HD_msedge.exe
1404 | HD_msedge.exe
772 | HD_msedge.exe
1056 | HD_msedge.exe
1612 | HD_msedge.exe
944 | HD_msedge.exe
544 | HD_msedge.exe
2512 | HD_msedge.exe
1880 | HD_msedge.exe
4524 | HD_msedge.exe
4292 | HD_msedge.exe
1116 | HD_msedge.exe
4780 | HD_msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/4276-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4276-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4276-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4276-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/712-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/712-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/712-28-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3044-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/712-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/712-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3044-34-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3044-53-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/3044-77-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes: HD_msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes: HD_msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
Drops file in Program Files directory 7 IoCs
Processes: msedge.exe, 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: HD_msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | process
4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
3200 | msedge.exe
3200 | msedge.exe
1056 | HD_msedge.exe
1056 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
2912 | identity_helper.exe
2912 | identity_helper.exe
4780 | HD_msedge.exe
4780 | HD_msedge.exe
4780 | HD_msedge.exe
4780 | HD_msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | process
3044 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | process
Token: SeIncBasePriorityPrivilege | 4276 | RVN.exe
Token: SeLoadDriverPrivilege | 3044 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 5012 | RVN.exe
Token: 33 | 3044 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 3044 | TXPlatforn.exe
Token: 33 | 3044 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 3044 | TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
pid | process
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
pid | process
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
4416 | HD_msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
pid | process
4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
3200 | msedge.exe
3200 | msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | process | target process
PID 4820 wrote to memory of 4276 | 4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | RVN.exe
PID 4820 wrote to memory of 4276 | 4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | RVN.exe
PID 4820 wrote to memory of 4276 | 4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | RVN.exe
PID 4276 wrote to memory of 1992 | 4276 | RVN.exe | cmd.exe
PID 4276 wrote to memory of 1992 | 4276 | RVN.exe | cmd.exe
PID 4276 wrote to memory of 1992 | 4276 | RVN.exe | cmd.exe
PID 712 wrote to memory of 3044 | 712 | TXPlatforn.exe | TXPlatforn.exe
PID 712 wrote to memory of 3044 | 712 | TXPlatforn.exe | TXPlatforn.exe
PID 712 wrote to memory of 3044 | 712 | TXPlatforn.exe | TXPlatforn.exe
PID 4820 wrote to memory of 1488 | 4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
PID 4820 wrote to memory of 1488 | 4820 | 02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
PID 1992 wrote to memory of 2960 | 1992 | cmd.exe | PING.EXE
PID 1992 wrote to memory of 2960 | 1992 | cmd.exe | PING.EXE
PID 1992 wrote to memory of 2960 | 1992 | cmd.exe | PING.EXE
PID 1488 wrote to memory of 3200 | 1488 | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | msedge.exe
PID 1488 wrote to memory of 3200 | 1488 | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | msedge.exe
PID 1488 wrote to memory of 3200 | 1488 | HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe | msedge.exe
PID 3200 wrote to memory of 5012 | 3200 | msedge.exe | RVN.exe
PID 3200 wrote to memory of 5012 | 3200 | msedge.exe | RVN.exe
PID 3200 wrote to memory of 5012 | 3200 | msedge.exe | RVN.exe
PID 5012 wrote to memory of 4672 | 5012 | RVN.exe | cmd.exe
PID 5012 wrote to memory of 4672 | 5012 | RVN.exe | cmd.exe
PID 5012 wrote to memory of 4672 | 5012 | RVN.exe | cmd.exe
PID 4532 wrote to memory of 4080 | 4532 | TXPlatforn.exe | TXPlatforn.exe
PID 4532 wrote to memory of 4080 | 4532 | TXPlatforn.exe | TXPlatforn.exe
PID 4532 wrote to memory of 4080 | 4532 | TXPlatforn.exe | TXPlatforn.exe
PID 3200 wrote to memory of 4416 | 3200 | msedge.exe | HD_msedge.exe
PID 3200 wrote to memory of 4416 | 3200 | msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 1404 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 1404 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4672 wrote to memory of 2020 | 4672 | cmd.exe | PING.EXE
PID 4672 wrote to memory of 2020 | 4672 | cmd.exe | PING.EXE
PID 4672 wrote to memory of 2020 | 4672 | cmd.exe | PING.EXE
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
PID 4416 wrote to memory of 772 | 4416 | HD_msedge.exe | HD_msedge.exe
System policy modification 1 TTPs 1 IoCs
Processes: HD_msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe"
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

  Path: C:\Users\Admin\AppData\Local\Temp\RVN.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    - Suspicious use of WriteProcessMemory

      Path: C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 2 127.0.0.1
      - Runs ping.exe

  Path: C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      Path: C:\Users\Admin\AppData\Local\Temp\RVN.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        Path: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
        - Suspicious use of WriteProcessMemory

          Path: C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 2 127.0.0.1
          - Runs ping.exe

      Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Checks system information in the registry
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - System policy modification

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0x100,0x104,0xb4,0x108,0x7ffb425846f8,0x7ffb42584708,0x7ffb42584718
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
        - Checks computer location settings
        - Executes dropped EXE

        Path: C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2096,6786049253938763018,910381705019542738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4080 /prefetch:2
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

Path: C:\Windows\SysWOW64\TXPlatforn.exe
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

  Path: C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken

Path: C:\Windows\SysWOW64\TXPlatforn.exe
Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

  Path: C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  - Executes dropped EXE

Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
  Filesize: 3.2MB
  MD5: ad8536c7440638d40156e883ac25086e
  SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
  SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
  SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Filesize: 4.9MB
  MD5: d2aae059904e4fa7f5b1a8aa59e308f2
  SHA1: 100b148ae71041388e010ad46e2424f37cbf9732
  SHA256: f674d798707185dd7631452eed0a7d529ee21326c1530514489c541db20ab18c
  SHA512: 96be5e38affe24f02774307b93a6ee8c014c8cf7321cca8a76940d4a47cc9f4531bb3fdfed944304aa024d19c391c4692bc8b5523dfcdc7b03060f7675d78e17
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ecdc2754d7d2ae862272153aa9b9ca6e
  SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
  SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
  SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 2daa93382bba07cbc40af372d30ec576
  SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
  SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
  SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: a9e8da71c587e09410cfe46f273321b0
  SHA1: a1c76b07bb070c2a21b70769a734ab2a029c3348
  SHA256: 277c4d86a886c71253097057462e5e2d39311f1095f9f82752b7062c0d9fd9a6
  SHA512: 4f142f84f96af3cea95fabd1d79f9b61644025f1f13e04b4356e6192b21601553c1ffb6881cc08e2a7b6317b5587b25ff197b9f5e3a05d05ffc8ba7128b4dee6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: f8466820889963736a6337022e0e88b6
  SHA1: c8300359bc701204d84c5f782d6c6b2de95f8190
  SHA256: 322c15b9fcdb2773889c27d9e2861df0355661d9e6324ea3bb70bcee1a050cb9
  SHA512: fbcf9a75d2ca89b5a6734972b312001a6ae0aaba3da09bdde501fae7fca80bb3d050b7ea057ad271c5d8f06c525edf8e9af9a9ed8dcec92552467269d8e42770
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 6d0cc822d0db44310dd7277554107a1f
  SHA1: 1ed5af8912af0339de322ec7ea8e38f0103d3074
  SHA256: ce4f5e6d1221e1346b48156f9efa0b4ca32d71e07e109ccce7bd1208cfc5c28a
  SHA512: 66ce1bbf9b7d424fe2025a2b72a7eaacca769944b9af39252fefdbfaa4477c790bde6813950828c4f78315789bcee2819341226875fd022748232f0ad19e0773
- C:\Users\Admin\AppData\Local\Temp\HD_02e03012fd479b8108f8903d5ccba195443a04243a17d8b9e7c2fdae89288338.exe
  Filesize: 644KB
  MD5: 66eb21741ecfc2a8a53a24d65ec7a40a
  SHA1: 6d70532a0b9a1012da004bb78461fff8d9845253
  SHA256: 64cd27f902fdf3e74c2ed74f7640ec000441ef46daffa20416da582e751b18a8
  SHA512: 47289021ab9543a30a2ab647f42619cba048be9c03f4b8c6fbc888bb7167c0cd8868e482114874c0b6c8f02dc48b6e87d22b1c4f04e53a0d20b62897199955be
- C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 1.7MB
  MD5: fb1d8296569bcb3582d0c85c6cdd8aaf
  SHA1: c92ebe86c07f3bdfbfff40cd531bf95b98d33771
  SHA256: cf3aafcd22549318d89c4dca8f0f1febe69cd8018803476f6d9e8e1ccf0a03c0
  SHA512: 1810fbb2ca21db4370ebbd53e6c8ea9aa50c748b4878191dd963391c0577b5da12c480b57a5e67510c4c1713b9b10f5076138e10eff5a7a7cf41e33eb6331f75
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  Filesize: 377KB
  MD5: 80ade1893dec9cab7f2e63538a464fcc
  SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
  SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
  SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4
- \??\pipe\LOCAL\crashpad_4416_XPJBSCGXTCBMZGNQ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/712-17-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/712-28-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/712-15-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/712-13-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/712-16-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/772-120-0x00007FFB50ED0000-0x00007FFB50ED1000-memory.dmp, Filesize: 4KB
- memory/3044-77-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/3044-27-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/3044-34-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/3044-53-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/4276-10-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/4276-4-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/4276-7-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB
- memory/4276-6-0x0000000010000000-0x00000000101B6000-memory.dmp, Filesize: 1.7MB