Analysis
- max time kernel: 150s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 04:14

Static task: static1
Behavioral task: behavioral1
Sample: 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
Resource: win7-20240508-en
General
- Target: 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
- Size: 1.5MB
- MD5: affef89f172cffe917c2b42dc69638e6
- SHA1: 50836283636ff872201ee06780c939eaeed43eab
- SHA256: 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c
- SHA512: 9dde0b203eabaf711af813df895a7577e6e1e967710410c652d35138a741053a4c84119412b170fbd6494a277b565b77bb6efa9aebd8a6036fbc568b175b98c8
- SSDEEP: 24576:509tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+qDVD:509XJt4HIN2H2tFvduyS8VD
Malware Config
Signatures
Processes:
resource | yara_rule
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 10 IoCs
Processes:
resource | yara_rule
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat

Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | HD_msedge.exe

Executes dropped EXE 21 IoCs
Processes:
pid | process
692 | RVN.exe
4420 | TXPlatforn.exe
4496 | TXPlatforn.exe
4860 | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060 | msedge.exe
4532 | RVN.exe
1324 | TXPlatforn.exe
3344 | TXPlatforn.exe
4152 | HD_msedge.exe
2752 | HD_msedge.exe
1016 | HD_msedge.exe
2344 | HD_msedge.exe
4348 | HD_msedge.exe
3000 | HD_msedge.exe
4408 | HD_msedge.exe
4244 | HD_msedge.exe
4772 | HD_msedge.exe
1572 | HD_msedge.exe
3008 | HD_msedge.exe
4428 | HD_msedge.exe
5072 | HD_msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource | yara_rule
behavioral2/memory/692-4-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4420-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp | upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe

Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | RVN.exe

Drops file in Program Files directory 7 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060 | msedge.exe
5060 | msedge.exe
2344 | HD_msedge.exe
2344 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
2632 | identity_helper.exe
2632 | identity_helper.exe
5072 | HD_msedge.exe
5072 | HD_msedge.exe
5072 | HD_msedge.exe
5072 | HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
4496 | TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeIncBasePriorityPrivilege | 692 | RVN.exe
Token: SeLoadDriverPrivilege | 4496 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4532 | RVN.exe
Token: 33 | 4496 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4496 | TXPlatforn.exe
Token: 33 | 4496 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 4496 | TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid | process
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid | process
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe
4152 | HD_msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060 | msedge.exe
5060 | msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1236 wrote to memory of 692 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | RVN.exe
PID 1236 wrote to memory of 692 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | RVN.exe
PID 1236 wrote to memory of 692 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | RVN.exe
PID 4420 wrote to memory of 4496 | 4420 | TXPlatforn.exe | TXPlatforn.exe
PID 4420 wrote to memory of 4496 | 4420 | TXPlatforn.exe | TXPlatforn.exe
PID 4420 wrote to memory of 4496 | 4420 | TXPlatforn.exe | TXPlatforn.exe
PID 692 wrote to memory of 1804 | 692 | RVN.exe | cmd.exe
PID 692 wrote to memory of 1804 | 692 | RVN.exe | cmd.exe
PID 692 wrote to memory of 1804 | 692 | RVN.exe | cmd.exe
PID 1236 wrote to memory of 4860 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1236 wrote to memory of 4860 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1236 wrote to memory of 4860 | 1236 | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1804 wrote to memory of 4120 | 1804 | cmd.exe | PING.EXE
PID 1804 wrote to memory of 4120 | 1804 | cmd.exe | PING.EXE
PID 1804 wrote to memory of 4120 | 1804 | cmd.exe | PING.EXE
PID 4860 wrote to memory of 5060 | 4860 | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | msedge.exe
PID 4860 wrote to memory of 5060 | 4860 | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | msedge.exe
PID 4860 wrote to memory of 5060 | 4860 | HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe | msedge.exe
PID 5060 wrote to memory of 4532 | 5060 | msedge.exe | RVN.exe
PID 5060 wrote to memory of 4532 | 5060 | msedge.exe | RVN.exe
PID 5060 wrote to memory of 4532 | 5060 | msedge.exe | RVN.exe
PID 4532 wrote to memory of 1496 | 4532 | RVN.exe | cmd.exe
PID 4532 wrote to memory of 1496 | 4532 | RVN.exe | cmd.exe
PID 4532 wrote to memory of 1496 | 4532 | RVN.exe | cmd.exe
PID 1324 wrote to memory of 3344 | 1324 | TXPlatforn.exe | TXPlatforn.exe
PID 1324 wrote to memory of 3344 | 1324 | TXPlatforn.exe | TXPlatforn.exe
PID 1324 wrote to memory of 3344 | 1324 | TXPlatforn.exe | TXPlatforn.exe
PID 5060 wrote to memory of 4152 | 5060 | msedge.exe | HD_msedge.exe
PID 5060 wrote to memory of 4152 | 5060 | msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 2752 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 2752 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 1496 wrote to memory of 3200 | 1496 | cmd.exe | PING.EXE
PID 1496 wrote to memory of 3200 | 1496 | cmd.exe | PING.EXE
PID 1496 wrote to memory of 3200 | 1496 | cmd.exe | PING.EXE
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe
PID 4152 wrote to memory of 1016 | 4152 | HD_msedge.exe | HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1236

  [level 2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 692

    [level 3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
      - Suspicious use of WriteProcessMemory
      PID: 1804

      [level 4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe
        PID: 4120

  [level 2] C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4860

    [level 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qqgame.qq.com/download.shtml
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 5060

      [level 4] C:\Users\Admin\AppData\Local\Temp\RVN.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4532

        [level 5] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
          - Suspicious use of WriteProcessMemory
          PID: 1496

          [level 6] C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            - Runs ping.exe
            PID: 3200

      [level 4] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Checks system information in the registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID: 4152

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x80,0xe8,0x104,0x7c,0x108,0x7ffaf51146f8,0x7ffaf5114708,0x7ffaf5114718
          - Executes dropped EXE
          PID: 2752

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
          - Executes dropped EXE
          PID: 1016

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 2344

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
          - Executes dropped EXE
          PID: 4348

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 3000

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4408

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4244

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4772

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
          PID: 1728

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID: 2632

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 1572

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 3008

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
          PID: 4428

        [level 5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4208 /prefetch:2
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          PID: 5072

[level 1] C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4420

  [level 2] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID: 4496

[level 1] C:\Windows\SysWOW64\TXPlatforn.exe
  Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1324

  [level 2] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Executes dropped EXE
    PID: 3344

[level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 64

[level 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1712

Network
MITRE ATT&CK Enterprise v15
Downloads