gh0strat | c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
Size

2.9MB
MD5

78c8c279baa16a6c4339fc365d9a9cba
SHA1

9fbb8808ab7429f767ba60d20f7fe4ef2e617069
SHA256

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399
SHA512

af32d64d7646a324a2031edcfa394ac1b83f9d5797c2db2ea266253e722d49be4534d423e3ac8345a3bdc9744acdc2950410d53c7c4419646c21c0de458b084d
SSDEEP

49152:L89XJt4HIZ/Gg0P+WhgmwS1BNp1iu6G6G7vDXqUVq6Ytn/Px08xb7FhkWXbi:4ZJt4HIZOgmhbaUVq6YJPx08xn0WXu

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2216-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2216-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2216-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2492-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-32-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-38-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-40-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2216-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2216-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2216-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2492-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-32-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-38-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-40-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 4 IoCs

Processes:

QQ.exeTXPlatforn.exeTXPlatforn.exeHD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

pid process

2216 QQ.exe
2492 TXPlatforn.exe
2372 TXPlatforn.exe
2480 HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

pid	process
2216	QQ.exe
2492	TXPlatforn.exe
2372	TXPlatforn.exe
2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

Loads dropped DLL 4 IoCs

Processes:

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exeTXPlatforn.exeHD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

pid	process
1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
2492	TXPlatforn.exe
1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2216-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2216-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2216-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2216-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2492-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-32-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-38-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-40-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

QQ.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe QQ.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe QQ.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	QQ.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	QQ.exe

Drops file in Program Files directory 4 IoCs

Processes:

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b300517fe244d46b698d4a29e1e6f5700000000020000000000106600000001000020000000889e0f0ad7e710f795f7899df7d1258f1d23a9b11aa9f3d9212a74e97870b621000000000e80000000020000200000009351296f287c29832c9275623fbbd95f845de60a2a570b59af1f61b7884f857420000000d83aba6299b94e3706aa1efb7fd7e196253dd7f8ba21e2b7fa7717e52f5c4f3840000000a92777c58f8903e9268b679b27892b4cfcc29d588c96e151c12308e6873d31545ada54b472524d9596bedd6515c60ac7c245ef1da85e73295781a39d246740bd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b300517fe244d46b698d4a29e1e6f570000000002000000000010660000000100002000000062adf22562164be7ad7cab091570559a46cb1b745ec48f720d21d1164d99c7c9000000000e8000000002000020000000506e4c700d5a992ab2cfe2c0efbfff491887c144279efd90802af77b5f8b00a590000000577fd0314bd67b0af32b2847fac94b7f54e789727e4f2eda3268f9738a7ded8e8972d191b71cc13d35d25e39fbe9aa749b7777c2c71b463a49f7628da9f34bf3c384c91a04e0f9250f780cd9feb05f7a37ef53f2eec2c0c1b1ce9bdbc40bd1e834540d73584aca7c637682eb4b5e3d8801af71e8225d97458179c11f783d37ce69f41a542f655e9cdd169fb470f5520c4000000019ae205a2ddf3fa46b89f0acdf404bfd8780ec5dd57f0153de68cf06789f4d9681867737c9b96783e977d76dfba538522885b6047fe6a6d34d88bf5df1a55252	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f08f3950afda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422877935"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{255D6051-1B43-11EF-8A7C-66DD11CD6629} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2820 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

pid process

1904 c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2372 TXPlatforn.exe

pid	process
2820	PING.EXE

pid	process
2372	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

QQ.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2216	QQ.exe
Token: SeLoadDriverPrivilege	2372	TXPlatforn.exe
Token: 33	2372	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2372	TXPlatforn.exe
Token: 33	2372	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2372	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

1840 IEXPLORE.EXE

pid	process
1840	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
1840	IEXPLORE.EXE
1840	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE
1804	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exeQQ.exeTXPlatforn.execmd.exeHD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exeiexplore.exeIEXPLORE.EXE

description	pid	process	target process
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 1904 wrote to memory of 2216	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	QQ.exe
PID 2216 wrote to memory of 2600	2216	QQ.exe	cmd.exe
PID 2216 wrote to memory of 2600	2216	QQ.exe	cmd.exe
PID 2216 wrote to memory of 2600	2216	QQ.exe	cmd.exe
PID 2216 wrote to memory of 2600	2216	QQ.exe	cmd.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 2492 wrote to memory of 2372	2492	TXPlatforn.exe	TXPlatforn.exe
PID 1904 wrote to memory of 2480	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
PID 1904 wrote to memory of 2480	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
PID 1904 wrote to memory of 2480	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
PID 1904 wrote to memory of 2480	1904	c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
PID 2600 wrote to memory of 2820	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2820	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2820	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2820	2600	cmd.exe	PING.EXE
PID 2480 wrote to memory of 1748	2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	iexplore.exe
PID 2480 wrote to memory of 1748	2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	iexplore.exe
PID 2480 wrote to memory of 1748	2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	iexplore.exe
PID 2480 wrote to memory of 1748	2480	HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe	iexplore.exe
PID 1748 wrote to memory of 1840	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1840	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1840	1748	iexplore.exe	IEXPLORE.EXE
PID 1748 wrote to memory of 1840	1748	iexplore.exe	IEXPLORE.EXE
PID 1840 wrote to memory of 1804	1840	IEXPLORE.EXE	IEXPLORE.EXE
PID 1840 wrote to memory of 1804	1840	IEXPLORE.EXE	IEXPLORE.EXE
PID 1840 wrote to memory of 1804	1840	IEXPLORE.EXE	IEXPLORE.EXE
PID 1840 wrote to memory of 1804	1840	IEXPLORE.EXE	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
"C:\Users\Admin\AppData\Local\Temp\c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\QQ.exe
C:\Users\Admin\AppData\Local\Temp\\QQ.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\QQ.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2820

C:\Users\Admin\AppData\Local\Temp\HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
C:\Users\Admin\AppData\Local\Temp\HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://chrome.360.cn/
3⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://chrome.360.cn/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1840 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dae3f1e93897872101911a0b9a6f9169

SHA1
3095fe92dd050554e83e9e33c895e495350239d7

SHA256
59b80f7d058d2d0a98ecb0e0e6e1d0a64b792b87a4a0d7e0a4aa8ee3f26e761c

SHA512
a2d8e2459f0633c95a5c6f444c24a38d180c8d226255d9e38ede353a1448dfc3e83b7fbb74ee9d0b03e15dd480b3ca85bfe6c23a534de141af5844f40288be61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5a4f35f5cffdacb4f80fd77840ea0738

SHA1
8291718939a6cb598dccc9213f2f034c6c2d6d21

SHA256
c309e7f5d771049d9af1bcbb4a9db1d997cfef0eba4e3c20d5080fa6931570cb

SHA512
75bc361df3ac2661a3765f19141c88ed00931a6978a6d66487e81349d8f6157928866c164f10b5810fb160cda1dac1928f15b53f19dd2d7df70ae5c89bbec711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8efb1fa1f8867e9bcfcfcdbc44c5b2a

SHA1
af821d7d7f59e49a8ffd08e6c9b489cf9fc05c71

SHA256
5b12c6d46adf6622faedee1ca2494fa1e534cf9eb422d527f80198ef0ca80b82

SHA512
db57ca8ad29b02f017eb735ea25c5108943a0e6bbc64803d58f3441dd1e6dd9ca9d9d208516c4694ebb6cb6785a509847f3eff417729254bc53b16015ef40312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c512ca2e934325672fd29700d47b1df0

SHA1
ef4eeea176ece6cc72de3e1bfea342c010f4a3b1

SHA256
49a3b66ea7354c9c3c4cc2e90c463a07c23d84457d92cff1475a7351f76be9d8

SHA512
33a1c3d72c86e6960c8386581379565b4661f873fa47d89ec5d7166de9552a3a2cde9585458bcfd5babec99a2c0145e0301572e23cb49405cfa7ef521416e10a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30564c54b05d2efa6a8d33bb19bf00af

SHA1
afb423f0695539839ed479b4df6b961f4d7d1caa

SHA256
6c668738f58ba5e3e6f873944a415737b07d025b90366fffc5579cad7a7b9cf1

SHA512
2c04828de04f46894ec0df6b13c9c07d778bfb5f6bea145e115ff9b6629070343f2b2c4ee3ba2b631197e87dc80dc7b51f59947e5ebeb297e0cf67169079e5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38642b96dc767f05662ab6c873b0ad1a

SHA1
ecf978d8ffda21a62e46cc32ce1d112fc34ff199

SHA256
e6c32ecc131e198a939c60f213fbc19d2a00185a097900352c7a6ba0d4c88243

SHA512
b6d84aa9cd4456d38bb0c896f7605d774d6b0fe3fead8fec8b5cb72272b08ba39514193244b35910096b82045d9358f3e5d77515cb222d0f73fce3bb254fec01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b82beff6b84c3441fd36d794423e1088

SHA1
8d4142bcf19955fc02c4770760954c8cc827d275

SHA256
dc6d8d551085e68f34a6e80c8be28bf568daedc07f1a7e36385ef0b1bf86d67d

SHA512
5448e113da1ab10397e13784b17f2a827c0aa9d535afbedd81ecf7319a6b5eb1d55a98d0229b410b978268021cd50e471a5dc2d5fcaa6202ae0a623e14d96249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ccad7ce933d8482bff0baef7f29b6ad

SHA1
4bd87695f50489c3a88ccc39538d7485fe5eede5

SHA256
6c3c93d505846a46bf75ab7f0514c134546b4ef11cc325cad8462c23a201fffe

SHA512
cae36de2ea0ca2c575b24bcd9d305e262d4f9e42efcd04010da9b74e1f3eb6312231034a3a3caf4a525d5b547385bc523b37743e53cb35d4c71f85af58036fbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee77483e1a13d67ac46c2d23c992642e

SHA1
ec7c7a79b174bd1835de1c28658171ec55e5b5d4

SHA256
fc01dbd740e2a97c6dabe25ed1c8942f7dfe0dfe39d1a03436f5d8fa1c0d0989

SHA512
5f874a5608dc43ae553c4a9e8b46a8e9c0a2278f97bbcede1a1ea036d409131c99b70c56e162cbfc081196d928bc2a05cb633d154705288fa5f12d3a278b12d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5283136ffb2826f8e1b42d19e6cfc001

SHA1
3d423602debc7692a2365754072e958ad28cad1c

SHA256
23e59a0f8966190d442a1732e204c1f189e99a430d326c67bb975de160d27db5

SHA512
06756512d0c9576394c1e75ea00807ccfdaa73d88d06a42f10ca6d16909df5346b2f9a8134175744739c2901f6801c5fd9ee9bd753d2a8e448c13ef8123b778c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07980ec69b2c5534409b2477f300bcae

SHA1
dbaecf465a42874b7b3d63796875254a6bc72004

SHA256
82178b512bea13bcef9f57b8bda7c39d75349dc2b47ae44c76aea8505b35f0c0

SHA512
157d3bba247fe0ac5fdac2ccc03c31fdb8d9977cf9ee1bbe14f277912509d85efa58bd9aa423a3d365c058c946e73320b3d3b521652a9654fd818eba3ecda7c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff2f7071c5fc8f6af8d9bc04f942858b

SHA1
d58df00f40797d8b81d558905f9b75e62441ee76

SHA256
527b67c2ea382a69954b1213943b8e7f5b7af5e611a11bd09bee8bee0355a928

SHA512
81d3740054edbef7b1c1cc1ee6e83196f94dd26f4ec2a108655d4b7431f17462f81ffefe572f1dea6feba9f06e7f24314b2bacaf98c0e76e5791559c318b0cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba64b5b8858fa8d7c8b25649dbf5b056

SHA1
570fe2c98f724796ebd8f01499f108fc8a52e4b3

SHA256
6b50ec7b4fa1ec23707ae17cddf6114886a05173f0a3ac29fd969e6d38319b5e

SHA512
567799e1582c840cc8ee4dea9adfb77b0fbddb0cd528a5cc9115dbf28cdbce2917f4c390b130d35cf8259a158f685519bcdf6eb41ad3bb07da0e0fa6ff3ffbcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad16b30dd7e72941e036a593aa4123e3

SHA1
f7fb2b71d0aeb592ad3d8d73c3ad787de9811e90

SHA256
2d469f9090da208a32aae46dee0c050e2fcdfe675a9bd9a9236cf0acdc4b6e69

SHA512
440f18c20aa26125683543fb30dc595d67a5dfdcbe12c3f7dba6721701260ad5e16bd30f7096055baa0d750810f4eb637eafcd2febe4a905da7d38f6407fad6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9eb915a37bbf2f27749f03a866c2844c

SHA1
20cd5f9e4d00f95018626256f0cb377572483f19

SHA256
ca93e8437fabdcb2b623b62da359c634fa0cc6461ebe4a7512b64fd9b947c31c

SHA512
f0b54aaafbb986d271af233730b7ff8aabb25406ec1deb2fd32a6285d2163b555aba9d2f38faa13aa319aa754f1d30d423e024c0294556735f80958bd8ee66a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a42bc1cb241e6588d6ac40939829287

SHA1
2ca4e930196809ac154bb9deb3dcda7435cc4676

SHA256
5360b0d14ccfa1ae6805cfcfb49a2f7a2a74c057aeede9fb9729ba55644c13da

SHA512
2fd3d749312e5b2a59ad8ecbc0a5a710d9527c3454b567421241e298af9c4d04e7f1eb40233244c7614cb891a2a2df0e053ed9e73d1d818873e67a70a6061b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9617097a2b01cf7cf1965dd3e0d3d780

SHA1
2b59411847dcc6cdb9c465b53816e42703d7c5df

SHA256
e0704a5fa4c268b050b2b075fe12b0cafa47ba176830b4734dc21b26c1c1ed58

SHA512
6deab119565ad57a4f6a0e4083ee5e4f0a5c392a1b07d8f3702914a3b8d60ba81b33c1777ce1b521540d86bf013c4a55ee73f35cbd57145f247571e7bc14625a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
480a1418f122265d4294b4530966106e

SHA1
8e1de58ac7162442d351a9aa5efcdcee65f09d4e

SHA256
0fba0f3e283a5a6c755cd15e9e5b6133b909ee52dc6c9256be00d8ae33d88e85

SHA512
fca573bc0a5355a669acdf979fbed3622d0ec0b91b4d076f57dbdaced1589434e572af488bdca69de49b33351e679c5562ed0a337c7e35191db0c613a0e1e5bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4b3a7ac2c87cc848cffe5f9c8d1301f

SHA1
b42f7aeb47746f95f8282fb95cdd4f96b4a654c5

SHA256
d1f811c3ee266d554c76fa50e3cee03906299b0e877f45666c0b89f46e309842

SHA512
77c6a89dfe62ec62ac95f809e965d645ee4c1517643857c63ee4d84e0942192177bf03b41a1d34feb16aa60ee88c1f8753445094c22c387a8307a4ef0034c2b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c324d975b124853b34d5051f5ac0ba96

SHA1
ad917a703bc4dc256983674aa1891e54d070c07d

SHA256
973572180f87b2567df55b65d687741486a28bd6b3cae91dde81018f20cd4b59

SHA512
4add00e3ab8b83eb9c4ddc2c3636ba6c36f6b5781b71325629836a0711b80ea048045be60df3110095c70096922037fe187880a17893b39a6c5ea205aab4e77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2780.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab284C.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.2MB

MD5
dc41837459ee9a59b9452b0b149f5721

SHA1
fa38edf07ca72d8778a7600cf12c465baecc1b37

SHA256
d6b79713192c927ce5b19fbac85c13f7c329cb82dd1ef8eb34e088c958a46069

SHA512
cfb9d1bcd78ee949ef4d0ed760b63560a834cce26be193208ec102fd01cc8447f64bf50717d1d9eba4d4888f58156002135291986d75c739b6da3f83a56d75a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2861.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\HD_c787046bbedd3caee1167074321efca9c0c8bc26ba99211ce473a3b41c1a6399.exe

Filesize
1.6MB

MD5
c71f6ae03f6add871ec836acdd8aa809

SHA1
cfabff5460d7ef12e1ced259e0ad30a76f73b75c

SHA256
af442f0d3ae043a54757c38ad107928fbcd8e54808e7269476b1105c58e474e6

SHA512
6fd0f9c197e858355864bb1f020f7e9005d8efa2580b114a2bb00911f0b19bde1ccd23c5638e886671f95f7bfae60ce3e5e6c565c14a0bd732dbcf4c91b68761

Download Submit
\Users\Admin\AppData\Local\Temp\QQ.exe

Filesize
377KB

MD5
3d6e7db5800f1dadb016cbf989749e3c

SHA1
7c09c438a352cbc4de5d7279bf07d36e8f6cbfef

SHA256
bb43f73ddd5d04adcd723061ccf3a535387fa439aba0039d39a72f5d6ae3062b

SHA512
a98392c694a662a243581bc07582bffa9f425c4bd9acf2a68c19fbe95ee64f95ed4ca3100802736f67eea809a95fbf4f5e357800d3fa21f9d57b1f8d07d1462c

Download Submit
memory/2216-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2216-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2216-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2216-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-32-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-38-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-40-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2492-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2492-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download