gh0strat | 73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
Size

1.5MB
MD5

affef89f172cffe917c2b42dc69638e6
SHA1

50836283636ff872201ee06780c939eaeed43eab
SHA256

73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c
SHA512

9dde0b203eabaf711af813df895a7577e6e1e967710410c652d35138a741053a4c84119412b170fbd6494a277b565b77bb6efa9aebd8a6036fbc568b175b98c8
SSDEEP

24576:509tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+qDVD:509XJt4HIN2H2tFvduyS8VD

Score

10^/10

gh0strat purplefox discovery evasion persistence rat rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	HD_msedge.exe

Executes dropped EXE 21 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exemsedge.exeRVN.exeTXPlatforn.exeTXPlatforn.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exeHD_msedge.exe

pid	process
692	RVN.exe
4420	TXPlatforn.exe
4496	TXPlatforn.exe
4860	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060	msedge.exe
4532	RVN.exe
1324	TXPlatforn.exe
3344	TXPlatforn.exe
4152	HD_msedge.exe
2752	HD_msedge.exe
1016	HD_msedge.exe
2344	HD_msedge.exe
4348	HD_msedge.exe
3000	HD_msedge.exe
4408	HD_msedge.exe
4244	HD_msedge.exe
4772	HD_msedge.exe
1572	HD_msedge.exe
3008	HD_msedge.exe
4428	HD_msedge.exe
5072	HD_msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/692-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4420-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

HD_msedge.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HD_msedge.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	HD_msedge.exe

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 7 IoCs

Processes:

msedge.exe73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe	msedge.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HD_msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	HD_msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4120 PING.EXE
3200 PING.EXE

pid	process
4120	PING.EXE
3200	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exemsedge.exeHD_msedge.exeHD_msedge.exeidentity_helper.exeHD_msedge.exe

pid	process
1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060	msedge.exe
5060	msedge.exe
2344	HD_msedge.exe
2344	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
2632	identity_helper.exe
2632	identity_helper.exe
5072	HD_msedge.exe
5072	HD_msedge.exe
5072	HD_msedge.exe
5072	HD_msedge.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

4496 TXPlatforn.exe

pid	process
4496	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RVN.exeTXPlatforn.exeRVN.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	692	RVN.exe
Token: SeLoadDriverPrivilege	4496	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4532	RVN.exe
Token: 33	4496	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4496	TXPlatforn.exe
Token: 33	4496	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	4496	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

HD_msedge.exe

pid	process
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

HD_msedge.exe

pid	process
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe
4152	HD_msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exemsedge.exe

pid	process
1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exeTXPlatforn.exeRVN.execmd.exeHD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exemsedge.exeRVN.exeTXPlatforn.exeHD_msedge.execmd.exe

description	pid	process	target process
PID 1236 wrote to memory of 692	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	RVN.exe
PID 1236 wrote to memory of 692	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	RVN.exe
PID 1236 wrote to memory of 692	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	RVN.exe
PID 4420 wrote to memory of 4496	4420	TXPlatforn.exe	TXPlatforn.exe
PID 4420 wrote to memory of 4496	4420	TXPlatforn.exe	TXPlatforn.exe
PID 4420 wrote to memory of 4496	4420	TXPlatforn.exe	TXPlatforn.exe
PID 692 wrote to memory of 1804	692	RVN.exe	cmd.exe
PID 692 wrote to memory of 1804	692	RVN.exe	cmd.exe
PID 692 wrote to memory of 1804	692	RVN.exe	cmd.exe
PID 1236 wrote to memory of 4860	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1236 wrote to memory of 4860	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1236 wrote to memory of 4860	1236	73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
PID 1804 wrote to memory of 4120	1804	cmd.exe	PING.EXE
PID 1804 wrote to memory of 4120	1804	cmd.exe	PING.EXE
PID 1804 wrote to memory of 4120	1804	cmd.exe	PING.EXE
PID 4860 wrote to memory of 5060	4860	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	msedge.exe
PID 4860 wrote to memory of 5060	4860	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	msedge.exe
PID 4860 wrote to memory of 5060	4860	HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe	msedge.exe
PID 5060 wrote to memory of 4532	5060	msedge.exe	RVN.exe
PID 5060 wrote to memory of 4532	5060	msedge.exe	RVN.exe
PID 5060 wrote to memory of 4532	5060	msedge.exe	RVN.exe
PID 4532 wrote to memory of 1496	4532	RVN.exe	cmd.exe
PID 4532 wrote to memory of 1496	4532	RVN.exe	cmd.exe
PID 4532 wrote to memory of 1496	4532	RVN.exe	cmd.exe
PID 1324 wrote to memory of 3344	1324	TXPlatforn.exe	TXPlatforn.exe
PID 1324 wrote to memory of 3344	1324	TXPlatforn.exe	TXPlatforn.exe
PID 1324 wrote to memory of 3344	1324	TXPlatforn.exe	TXPlatforn.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	HD_msedge.exe
PID 5060 wrote to memory of 4152	5060	msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 2752	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 2752	4152	HD_msedge.exe	HD_msedge.exe
PID 1496 wrote to memory of 3200	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3200	1496	cmd.exe	PING.EXE
PID 1496 wrote to memory of 3200	1496	cmd.exe	PING.EXE
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe
PID 4152 wrote to memory of 1016	4152	HD_msedge.exe	HD_msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

HD_msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection HD_msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	HD_msedge.exe

C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
"C:\Users\Admin\AppData\Local\Temp\73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:4120

C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qqgame.qq.com/download.shtml
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
5⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
6⤵
- Runs ping.exe
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Checks system information in the registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x80,0xe8,0x104,0x7c,0x108,0x7ffaf51146f8,0x7ffaf5114708,0x7ffaf5114718
5⤵
- Executes dropped EXE
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
5⤵
- Executes dropped EXE
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
5⤵
- Executes dropped EXE
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
5⤵
PID:1728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3588 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2056,3884902133761262213,12829385156850300115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4208 /prefetch:2
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Executes dropped EXE
PID:3344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:64

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
Filesize
3.2MB

MD5
ad8536c7440638d40156e883ac25086e

SHA1
fa9e8b7fb10473a01b8925c4c5b0888924a1147c

SHA256
73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a

SHA512
b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize
4.4MB

MD5
3fe8375cea1f63f251a81525faa711d9

SHA1
40514702966f78770a26ad13329fcc085d7949c6

SHA256
cbc14e7a92f8e5c4c3a492ba6159c0a34c02a37730a64e935d017a53fea01a00

SHA512
13116d5ed9523fe21008fdfa9a9a34e7ee5f08aa5868d397bf0a19e4a3b89c22aca51a7683b302475c82b92bf406ddd90fc81b82a39f67bdb84c846cb1aed00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ed1fb09-0f11-40d6-b0fd-dbe715ee40a6.tmp
Filesize
5KB

MD5
125844978d9b1885987767c7ac710e58

SHA1
e487ed8df54f75d11fca42722174f0cd5b4a861f

SHA256
f4e09a17c205b3da57e6831d2421a5e52aae105e84f7e28d287f09f2aea590ca

SHA512
eb399ccabadb6aa82ca9d14e7de61ee53dee370c8c894e4e68d324bda10f8645d47e12c0133a31856aa550b51b416a1b1e4defcb0ceeb6933bbc1a67a4db4da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a9181c3ba2de739ec99d1efb7b6a5639

SHA1
c5afb769e524f335c1948020c5fcbe48857431f4

SHA256
ef7d1db82431fa5f01548ae957a1b3ad0788c2cb931b27770216bf3a39a56de2

SHA512
73c99c3e35927a8b0730731380219ebf736c389a3b4fb03be141c61397e0b77debccb5602a9eebde6ec40fec4aae073307983199ee481cbb311ae6bbf8134400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
82fbd9c8279aed2ddd2dac68e70fbc08

SHA1
0d69addb28de29cd002d43d3dac18154b090b2c3

SHA256
c6ee7f2e4871b5bd50de98ece7e524421241e8a12ddd86cf2aeb3fbc1cc0764d

SHA512
f4af2e2823f93906da60fd5b07df61bfce7ed36470a5b1954f2186925b4f55d6dda9fd992cdd5755f3dd1705876d077aa2a7fa1ea3336f1b13b736a99152e626

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_73d4891ab20606207dc2407e936a490435ab42f498e43069bf229a821609f38c.exe
Filesize
198KB

MD5
26ad88629608fbdd06212a4ca11362d1

SHA1
8aa8791c5d18b8192623380082e044ab5f5bf99b

SHA256
5b0493551e2be141fa80d7ee577b40406606a27410a7b326401569df70eec878

SHA512
82d60898a8955f5c107dbac7108120cd432752cc1b267bc59c9be2a1eff6c0f6172ef31af49d8f24a287c97ad4521eeec26992091678b7334aa03a5d56180d7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.3MB

MD5
4e652dd88fdd5275e3ff16afdbc08980

SHA1
1a0c5b5db2c39c129d50e5f508b217a8902fcd06

SHA256
90c346a9569f31486503d534e261af23b0f6c39f28d49f1d0eb42425d2cceae0

SHA512
bcb5c448f82365052a1c098379203e1481755b0cedf32ef6ae3015a898b0338fda3f6cf6e09666bc552ae5a8790e7fee753daae7c9066416b4667fde683f6e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\??\pipe\LOCAL\crashpad_4152_AUCYEKBFRLYTDPLM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/692-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/692-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/692-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/692-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1016-122-0x00007FFB12CD0000-0x00007FFB12CD1000-memory.dmp

Filesize
4KB

Download
memory/4420-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4420-24-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4420-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4420-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4496-47-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4496-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4496-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4496-25-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download