gh0strat | c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
Size

4.1MB
MD5

81330c5d60ef8774e124dbff29577d75
SHA1

e65c8510c32213d952104a96ac3a175ea439a62d
SHA256

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe
SHA512

2dcacdf539cd4b8b01a819455f3225ea74ef11355e13eb855c4f6396ab9559647e5e04e91e44c28a66d14d54ae34d07f3b7a6d816425eee723ad9ac4fb7ce18f
SSDEEP

49152:KCwsbCANnKXferL7Vwe/Gg0P+WhUhsC/9cXp3GFpOoqu6r422rTm6v:dws2ANnKXOaeOgmhHS9cZ3GFpOot230

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2772-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2772-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2772-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2772-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2772-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\259400864.txt	family_gh0strat
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2772-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2772-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2772-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2772-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2772-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259400864.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exeRemote Data.exe

pid	process
2360	R.exe
2628	N.exe
2652	TXPlatfor.exe
2772	TXPlatfor.exe
2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
2188	Remote Data.exe

Loads dropped DLL 9 IoCs

Processes:

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exeR.exesvchost.exeTXPlatfor.exeRemote Data.exeHD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe

pid	process
1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
2360	R.exe
2200	svchost.exe
1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
2652	TXPlatfor.exe
1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
2200	svchost.exe
2188	Remote Data.exe
2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2772-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

Processes:

svchost.exeN.exeR.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259400864.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03553d7d6aeda01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000039ca3a87ff30a544fe90915d8293c70113dbdc80cb300531aec8efd86830e133000000000e800000000200002000000009361b2c3e65e9f2502324e344bfde12f7a106321a780894ea5e0b08907c1a6a90000000ddb92b1b688d993627ff9caa4b36bf20db059be327b07f0df3988f53f4b6c100120073aa957fd0a056afd5be7bede93db29666ee0bfb25408de55caa62c4857fcc7a8c0f755c68de89f1e09efb6ede31925ac55d8508d259552b17dfa0a56a43fd8add7b7755daee2b7787d17143b3037876199a87500171b8140a51d2eafe68a513594bd26d5b6d21145ad11354a56c400000006a34982f221496dc08e066c5c61c75c1c9943d2ba0a907de06a3e41031dc082cddec5988182c41c42bda0c9929a340dad7feda5b5d27ea1e66cd61bb8f07c0bd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C327D151-1AC9-11EF-8C92-6A2211F10352} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000ec85969b14f1cfa87662fda4bfde0fe3b767a15fc5c1e8e6ec782250130ee896000000000e80000000020000200000002833499f25bc4c5652c292cd055bef06828b9d4f4d8d407ae1b2ccc0a6938d2320000000c646102a9527e7f45596d4584e3df0ca8129e3d54b9ea0ee0022ab6cd4e501d440000000e968e80bdf8f4a2e01ae08b54dae7f3bf6865e1c32b808cee00606a2fda65d61b5965f0f56cb0a9f6144e88fe3b93c8898f3bda24db34cac1a46eb1bc5256e67	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422825800"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2576 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe

pid process

1992 c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

2772 TXPlatfor.exe

pid	process
2576	PING.EXE

pid	process
2772	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

N.exeTXPlatfor.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2628	N.exe
Token: SeLoadDriverPrivilege	2772	TXPlatfor.exe
Token: 33	2772	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2772	TXPlatfor.exe
Token: 33	2772	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2772	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1844 IEXPLORE.EXE

pid	process
1844	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
1844	IEXPLORE.EXE
1844	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE
108	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exeN.exeTXPlatfor.execmd.exesvchost.exeHD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1992 wrote to memory of 2360	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	R.exe
PID 1992 wrote to memory of 2360	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	R.exe
PID 1992 wrote to memory of 2360	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	R.exe
PID 1992 wrote to memory of 2360	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	R.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 1992 wrote to memory of 2628	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	N.exe
PID 2628 wrote to memory of 2684	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2684	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2684	2628	N.exe	cmd.exe
PID 2628 wrote to memory of 2684	2628	N.exe	cmd.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 2652 wrote to memory of 2772	2652	TXPlatfor.exe	TXPlatfor.exe
PID 1992 wrote to memory of 2828	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
PID 1992 wrote to memory of 2828	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
PID 1992 wrote to memory of 2828	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
PID 1992 wrote to memory of 2828	1992	c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
PID 2684 wrote to memory of 2576	2684	cmd.exe	PING.EXE
PID 2684 wrote to memory of 2576	2684	cmd.exe	PING.EXE
PID 2684 wrote to memory of 2576	2684	cmd.exe	PING.EXE
PID 2684 wrote to memory of 2576	2684	cmd.exe	PING.EXE
PID 2200 wrote to memory of 2188	2200	svchost.exe	Remote Data.exe
PID 2200 wrote to memory of 2188	2200	svchost.exe	Remote Data.exe
PID 2200 wrote to memory of 2188	2200	svchost.exe	Remote Data.exe
PID 2200 wrote to memory of 2188	2200	svchost.exe	Remote Data.exe
PID 2828 wrote to memory of 1436	2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	iexplore.exe
PID 2828 wrote to memory of 1436	2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	iexplore.exe
PID 2828 wrote to memory of 1436	2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	iexplore.exe
PID 2828 wrote to memory of 1436	2828	HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe	iexplore.exe
PID 1436 wrote to memory of 1844	1436	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 1844	1436	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 1844	1436	iexplore.exe	IEXPLORE.EXE
PID 1436 wrote to memory of 1844	1436	iexplore.exe	IEXPLORE.EXE
PID 1844 wrote to memory of 108	1844	IEXPLORE.EXE	IEXPLORE.EXE
PID 1844 wrote to memory of 108	1844	IEXPLORE.EXE	IEXPLORE.EXE
PID 1844 wrote to memory of 108	1844	IEXPLORE.EXE	IEXPLORE.EXE
PID 1844 wrote to memory of 108	1844	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
"C:\Users\Admin\AppData\Local\Temp\c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\R.exe
C:\Users\Admin\AppData\Local\Temp\\R.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360

C:\Users\Admin\AppData\Local\Temp\N.exe
C:\Users\Admin\AppData\Local\Temp\\N.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2576

C:\Users\Admin\AppData\Local\Temp\HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
C:\Users\Admin\AppData\Local\Temp\HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
3⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1844 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:108

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:2688

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\Remote Data.exe
"C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259400864.txt",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7460392318cbc38862e74542e6484ea8

SHA1
2852319dfd5aae51fc7c4212a80047738009dcee

SHA256
2fbadad53b65fac5ab58c6b6dbc6c08e5e8801b36a51a042b4128714e9824c19

SHA512
bbbabb1b3fe09c539330db5b6dc66556ea3926b8db957ea6a4d28d8186ba782de7c6e6cca61884266eef6d066716015ea8e8ba3f18ccb03a0404ff9ac03b8b12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f138b58466edcb9c17adec302e0c148f

SHA1
7004c8529b7de22417be862b045b36739e7ae499

SHA256
17ba0b238c1856d1bd3c02a438bd1cf685fcaa7f2715bff299a13272a2d0802c

SHA512
0096ce93800cb89c5492ea8444d6c2640b51cb2f580cb6ec8dbb460597bbae498316cddec1bc72a8e43ed2449ff40ce8365cede2dc4f4ccab28b623b4d076f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a5da022d821b38ac93f15c0da54eefc

SHA1
5c5356899cf36d27f6af25a40984b2c807c13031

SHA256
cf80868d755770ccf8af89c8c011603fcc1faaa69fdc8c66dde3d074d81d5d0f

SHA512
4c133b91ef8e906a23f5efdb00e554016de8f250d7918e029de2a9112a7b99582f6525a276e74c9db447399fe588fb3fc2027d3dc7885491d068a987ee868fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
88168c3be63069c9b3c2dc15a0f669b4

SHA1
2831a5a987cf9c95b4dae34c9248a68567b1fece

SHA256
cd79a0877cd0d17c718b7f4b8a7964aa098cd8a8ab73115085f29375e9137ef1

SHA512
bc9abaee3e9cffabbc2fcacbc730ae6b7efed4958b798069191fae1c16f5d060ee4cb2439d8fa33c817396b8e70f4038ef13cef5c64ae2030e115b39fec74d44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fb1a5d7879267461d940a3d4a180bdde

SHA1
14a325c03a986d0fdc1c0d98bb6f564e81318b06

SHA256
6bea5d2dd7ba8183feaa079924f213ef1a9ab81d9f8c300c92f663d17543e9f1

SHA512
20eb92fd335b5cb62793978664a5b5dcfd379d98399e3361addb0754e1d3c2e03408d53e79a675c0862722e0cfb8963d723cc23d550c7f69fa10a79406ec2639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2d08abf8d97ef5bfbed9c85eeeda360d

SHA1
55f3a5555ee5ade21d1f00147191c48a70fded84

SHA256
54f6c2cad2a2dfb61f7dd64fb4fe53ed9e5d3063ce00b595a2c6fb6d2ff88180

SHA512
e34316e8f665d79a9e711dddf67a97a6953cd08dd27f861204f3554238f51cda520c203bf7298b29d491d48ab01b0b9dc4b9a7afc4e36478e7cf97b944cbea90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9e1bfe7b20d80325f4c1f9b131c745bd

SHA1
c410400f627f0aa770d3afd3d53e3a9723ac80ee

SHA256
73780c1095f0c1eca2a649efe844eceab889cd54965e585393d894086428b9ae

SHA512
8847eda03e6fa72ee8819c01c9aa8477ebdfe22e8ddd768acf3fec7595a4f607d16b04dbb43b4aea782eeba9ea11eec603d051482638713524f070af5227f6d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5579cacbec4b0445d398dcef67a7bc48

SHA1
3c5c96a7ce7c23faf253e087de2b4442dde20058

SHA256
467a6b3eeb9040f02c3da970c5b38a255f625ea705e20c22e919760dd6e30ade

SHA512
24ccd31e24ae3f225a6e253ba4c2bc98e90d2903417194a075aa4e8e40dece51008876d0319d0b3ea52bb4358ff129ede1e3aeb92e610fcde65f37c0e44ea73e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1a4a87334a5c64db71efc3d23f21d6f7

SHA1
1ca3c5ee02ba1bb98a9e501774730cd253032a9b

SHA256
9da045c71ca611c380762633da79e3b1d4d8190e0a8f842af9899c90342b185b

SHA512
ee671fdf380cfea5d8b35787b2e5a82a923e8204f285ca3977d59810eff1c655a76f70c063bc647fd053aec9667e27b1aa306a4966851c7a9bc843ae91a8bfdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
79cc99c951baaddab657250db3975f24

SHA1
67317c29496ccc812429e50825cc5dd7bd366df4

SHA256
a5f55c4e9f8724dcef2edd6394fc80166a6d86b237a6b0befce0b1a04048fd62

SHA512
8a61f25cbacbac7e94f37ef074b9c3038be3fb932151fc33546e9f72557ac326d2fbbd549fd35e97c437f83770fe4614507f387a83e29584a60a49f9a931ba59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7bbdf412177a9b27d51519eec586cfe3

SHA1
a68a4694321b7337aaeedeaa41e98992018b9aac

SHA256
6596783f6ccdac91895deeca1cc0d5f40c0aa8c30dc5ce0b0f671fcbb719ba7b

SHA512
ad26c36da6fe08075cca76403ab8482c2e322584df8066c936458c5e153d23955d7dc2b98390d6b9fdf8e71477d7794d1efea0f6f9b7f2bc799b09f99fc76996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a2a84a225e51ad24668c25cf4d80ff1

SHA1
615571e9c3ad2f6d434fa8efed3d16fb42527245

SHA256
081e706f26ec4107dcba9a9c3db253256a59c0c40adc001c6ae99f1698cadd9f

SHA512
6d97de31f57941cba8730aa713b93aac476d6e1ad17ba5f492cb395b0f141402d199a018787ebe0592a0b8d289a360c31cfb9478ee2ef09d91e12d50e0bc9764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
33d114424fc358918df2e6ed7e4a1cfe

SHA1
77fe8b2498d8058d45d22f273214ee319d21ee20

SHA256
2b3de2c6c04992c60191ff8c2cba4e16ee6ba1c9d57e60e3f550bbe177cf1535

SHA512
0a605b3cc342a00a0038ccfd69b2b3bb75fcf472995705b2b49dbb5f0d30082c20a6ca4d95544aa864deb70ce59e104659c9c9c98dae2059a2810ea0d52a5726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b74a49a3decf0f323e8fab3a4edb16c9

SHA1
0d0473220f25a1742cbed8a8e7a9d6dd549f6f37

SHA256
27096efe6ca116ce91dd99b997c53633f20f44e56ba87b2bd58499043ea145d8

SHA512
c1103e2e6fc66464952ff25905f67a4438233e0699ea0534e29e46decde1ad122ac53c93cd71314fe8584d326f602456d931fac8e368d910b26c19736247b13f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
828412351f96902b9e9be997f28e8266

SHA1
1bc334f1def181ce180b93df2df8dbc43a050291

SHA256
21c23bfe69b484985604a551292a481591806482422017db2409ad2353d5835b

SHA512
6e869703c62c100678dbbeaa0320b76ad9da06856894740e0c6f7eaf6d79818388273fbdbc0f586510444d3c93d553ec6b5c48339b2c76b9a38bf40dd47d917d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
86837432fae913d29d82248e91ac63b9

SHA1
e335168bcac71f8f996f994d0014454e6e528775

SHA256
017a15d0a361b47c352112349c12bf946e76f0d1cca95f9c544a58a0a6265e52

SHA512
ea182a4f9f416614d99d10ecf9605d9a1749b054e1a2e9d8055069d81fafbbd030c189d7310f3b106b8f9385ff532f34723be4803b1c8d58fccb811870eab466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0a56c79a1aa229cb54b1808b94148994

SHA1
75d46e35b4fec9c3e7f8dad0cd888417444fe7d2

SHA256
ac2463e8cc2817159d387006812b8aee6a1cd224e46ac989906d6d20e7f94f4d

SHA512
88ca021b8501f28b08fdb8e583090ced2e1ab52960048d2d9550cfe891808c7e9c68d9d28ec6ab2f629b58208b78703f9b88d85fe0d4caf97b4c98122141a295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
56f7c0a769a2bbeb57f689d23d17f760

SHA1
3a7eda2d521b63cd704cb287fb7569d43ecdf7aa

SHA256
b6e7f7e43c3646915c7c655019dc1c9889b1056f5229af569551c5f48b6d8de4

SHA512
c4291ef0846abc187a59d413515f294313b50b834a3b48307184c608f59d632e27474d804cd698928c5cc0865d124b88caf242ed9dd434649dce3c472d229818

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6fc9e524f6afed7c228059dc3042169b

SHA1
a60f083bb17cb050d80ebc9085b111ce7e76c631

SHA256
90ea6ea6c0da3986b7fa9ce579cd82b465416e1c30e103290d7651fc32d032ab

SHA512
0c3f72ac12e12eb977fb47f6689f8b04e6ec4c79f53f7df0b6747ccd7fdcfb6c9959d732324690e4e4085b0b77df00e74d2fbdfa993db6108572d179b134c01f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FA1.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
2.3MB

MD5
0c931cfffaf62479258ec258f61e666c

SHA1
e3ba94e4bffe709062d3145fc289a0c80ef222a3

SHA256
83161791203e2a476a772486f98214b2a8abe63b29f1b6791df5c94e037bfb7d

SHA512
b3e3d6fb7115328f3b50974efe36a61f9febd346c6595f21c973ee3aaba8554f54198742dd1da32b685f3eae3c0ad3e047efa940c1552e16c05b462bb64e9e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_c7387492ed2e9a13e518ada75946f8aac82b48782b0e474c364e3deb15a0efbe.exe
Filesize
1.7MB

MD5
ce5911867cc2a6e12437951e7e7ebb45

SHA1
30384356c668fa81c392aed779ca7c78a7aa0a4f

SHA256
004ae8947d08152218ec28c3277a793d0b6caf8dc67cef6b00fc959f4ccce09e

SHA512
0463dfe68b152383ebee1290d72766478e7d871e531630cb135c5614457a19dc0e5caa451c2d473a06eece20bcf03037dc34f9fc47565d1153b1ac0464a97f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe
Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4002.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe
Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Windows\SysWOW64\259400864.txt
Filesize
899KB

MD5
c305f3d368b0b2107a751db39f88a7f8

SHA1
7a24581598f2e3c57a677f30f19e9e9d71b3a2ac

SHA256
998e89896031a517d76eb6af640522c779ef5df7790c0234c7d393bb8d88b1d4

SHA512
699588d4232814e8f83dd39780d5bf7c3ddd2838a43c25f12236a5580d46e79f506190306bcc3f520c09f3126155c219e01c1adb3ff93ef87aa7061e494d33ea

Download Submit
\Windows\SysWOW64\Remote Data.exe
Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2628-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2628-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2772-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download