gh0strat | d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d

Analysis

max time kernel
150s
max time network
165s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
Size

2.3MB
MD5

d4127afd963bf18ac4c2bf3d053b8559
SHA1

acc0052be7515ef73a50759c20d9258226c80a8b
SHA256

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d
SHA512

d078e94e8718b3bfdd7aa222a290ba9236e40ba948254e5a01ad444e891c3a80d8b56fa2b5adecb75cd1f14ef23e600215603462d7cec22298e45e6d19819526
SSDEEP

24576:r09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+omfQ0XnGsAJuH0:r09XJt4HIN2H2tFvduySSd0XGlN

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2600-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2372-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2600-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2712-45-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2712-71-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2600-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2372-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2600-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2712-45-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2712-71-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

Processes:

RVN.exeHD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exeTXPlatforn.exeTXPlatforn.exe

pid process

2372 RVN.exe
3020 HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2600 TXPlatforn.exe
1180
2712 TXPlatforn.exe

pid	process
2372	RVN.exe
3020	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2600	TXPlatforn.exe
1180
2712	TXPlatforn.exe

Loads dropped DLL 3 IoCs

Processes:

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exeTXPlatforn.exe

pid	process
2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2600	TXPlatforn.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2600-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2372-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2600-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2712-45-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2712-71-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000008ba65316422d7c03d092e63573fd8f69a981383f62d132d7c3553008971b3343000000000e80000000020000200000007aa034c4cb04aa45b025c43c93896e775c7a8543125adaa06e53b7f4685332c420000000c3b3fcc6a7187a79791ca371cdb2ac8409e883708ef09d6da6aa6bd3a3b42d0640000000ace433a0c1b01bed462566d88d7c0319962c9e75c701b4ba76210cd5b153112b94b7036f360beec82ecdf3632670d85981a2014cbd103a3a9f570eb9d9ebb72e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422880876"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD4FBA71-1B49-11EF-8C93-DEECE6B0C1A4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0abd1d456afda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000008862de14b1490161fb9011131705a76aa8de2879005b5df5161a54752e6358f2000000000e8000000002000020000000c365704a38e610e36d64a64eb87a8906ee16a6ce70871d5c4df683039715c57c900000002a00842bd108de52d66b5d260e5adc90f3cb066be39a26567d395b7a4ecca014f719c5fe5c16a554380b7d1ecb82f87f6106bd56878a5de8ffd368ad92bf6722e43c9ea5f969ffbe2b1d4c9f59534944af5c79fb025e192af971ee03746c337d8524c1098b9bf0a073aa416f6a9b7bec5efc88152cb2c9ee7c3841537f69c362a9ad292e4cbe0ab2c5ca529abc4ce98b400000002c977c6b2f7ed8c9086178dc55959f466e8de2fd6f2e3cb8ac4b63edb64d6248724f29064dbff1f85f983b4d120b7940105afdb883ada7afec594fe219777ca0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

376 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe

pid process

2988 d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2712 TXPlatforn.exe

pid	process
376	PING.EXE

pid	process
2712	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2372	RVN.exe
Token: SeLoadDriverPrivilege	2712	TXPlatforn.exe
Token: 33	2712	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2712	TXPlatforn.exe
Token: 33	2712	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2712	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2760 iexplore.exe

pid	process
2760	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exeiexplore.exeIEXPLORE.EXE

pid	process
2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2760	iexplore.exe
2760	iexplore.exe
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exeRVN.exeTXPlatforn.execmd.exeHD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exeiexplore.exe

description	pid	process	target process
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 2372	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	RVN.exe
PID 2988 wrote to memory of 3020	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
PID 2988 wrote to memory of 3020	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
PID 2988 wrote to memory of 3020	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
PID 2988 wrote to memory of 3020	2988	d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
PID 2372 wrote to memory of 2612	2372	RVN.exe	cmd.exe
PID 2372 wrote to memory of 2612	2372	RVN.exe	cmd.exe
PID 2372 wrote to memory of 2612	2372	RVN.exe	cmd.exe
PID 2372 wrote to memory of 2612	2372	RVN.exe	cmd.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2600 wrote to memory of 2712	2600	TXPlatforn.exe	TXPlatforn.exe
PID 2612 wrote to memory of 376	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 376	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 376	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 376	2612	cmd.exe	PING.EXE
PID 3020 wrote to memory of 2760	3020	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	iexplore.exe
PID 3020 wrote to memory of 2760	3020	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	iexplore.exe
PID 3020 wrote to memory of 2760	3020	HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe	iexplore.exe
PID 2760 wrote to memory of 1524	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 1524	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 1524	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 1524	2760	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
"C:\Users\Admin\AppData\Local\Temp\d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:376

C:\Users\Admin\AppData\Local\Temp\HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
C:\Users\Admin\AppData\Local\Temp\HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887

Filesize
471B

MD5
bee5fb5e805d35cd55420168a04f34e6

SHA1
526ddcbf946f16456937f29cf75dfcbff5b25e24

SHA256
40e4fcfd75e70860611c16994e1db4a1c339c35270bbbe93f55fd280c503c74d

SHA512
a35f8f918f17aa6566ef6f0a89b12b8184b73709ea42eef5df02ecc89be9df6a1c7e6ba10bffb739e442731321a2566ddde870edcc9ed840c04b28be90f09d76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7be6dfcda5f963bfa58f9930a5233283

SHA1
015672b718af654b5148c033e6a8b9134835f99b

SHA256
e7c0b87365a3bcd72952ea64fdd19e724023434cbf521ba40fdf0abcbdd4cbbc

SHA512
4d00392406421a8cac98a857abd1e08dbf31be9eb06d7ebc1e9910c2cef490012a47b9fafaa4a62d25646912a7afdf50cae848afe441550a1fe939f8a04cf2c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0ceaa313cd987525d342f9c5c230457

SHA1
dce26234832a7995b0e86bb1cd328ac60890cd5d

SHA256
18bc8f997cdce7730be48448387d5b9a44e98f4ac16de6c35ac31d2909a5131b

SHA512
4d7e968484959317a2ba0eb998ecc0b53589c64638b95b35a00dbe72f2c0cbb28c6446fd17adc37636b163caa02905aa1ff5ac444af3b289ff7172c7134d52e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fde3e211d140180fdde174c29df10b7f

SHA1
8ec2bd6ea5d03d6635db3a98651ac5963d90f441

SHA256
0f641c202501274c1f228a0ec7c5f2b35a0587688a08058e44259ad77a7b6a85

SHA512
93be6badb5d91aad944f8d19eedfd2d0bb9de850949ad39119920b274fbcf653a039e0c396e865e84d06e4d4b3de697c1c7d561b5b2c7805543f35ad7a9d2627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a37fa7c4b294486f6b6aba7b9c9c0456

SHA1
2a63696085cfb47e35930293822163a01841525e

SHA256
24d8fe8643a7810c89853672b0066a2b738277f9e673c0844bc60994c365ddac

SHA512
79a4fae47f100e929ba7e4125095fb59ea0f3649b0d151b8ec466087eece09963f376b2f676a1b29c388d5e0e0359e08f0b52d0c157ac9086cd797276f0ac8c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
010afd7767e4b2786482cb9f90c344fd

SHA1
2fbb5d81e2b2626e29e3e6da4aee4518967232b2

SHA256
708ea94ebf035f43966825ceb8bb4080bbc4a95b48acd4935ec2851a99bd5783

SHA512
fdc1cfd0479416cf20323601eb2f9a9fbd2fe07c3f0d33ee9c7d6e1e32f5b090e5fb0fcbb6826d11c12416ff18721574c9a51afe63163d8a75b50843596ad71b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61d514c1f77d77976a830d5ca1ad2feb

SHA1
4d5ba9643adcaca61072ad2fc7349917a7f312c4

SHA256
0d0eb8e385ae90938fcec3a012b1a16eced3d90c15396211d5dba70328dfb2ec

SHA512
8c5873503d8b36e709e16ef2fdab2aecb7e6ba3b8ac9c542f9bdd7c8c885293c89fb0c6a8085ef008c9cee6beb0f01c3840358334f6ba896150e4a0dcd6af7dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
730f30b51f10868f61cb6c8b1bcf8cec

SHA1
ea2a2374f085528164c114db56e4c7469159e12a

SHA256
633b424c6411b85a13f89d38eee339e2788e0871d6a1358cdbf9d7cc60b73d17

SHA512
c4ac71af8a8e4b9281088588d7482266105e1ca27e547079c79243aca429148e4115d3b7c302798f76e75b37e91e2eeb902f21c0351196ef8b1fc0dfa5931187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7eef76d91a2bd50d58aef3a3945ce2a2

SHA1
3795b84e08942f34c26b34a631a0a2f5f592cbcf

SHA256
0eaa56169daf4a23ff3d043f10a7b217b3d29c2a5ac0df8d207df059d4b01e38

SHA512
39d23a3862d84e2f3164a542ec59790a4fe55c024660f9b4db56b8237a66e621676e9e25c988c61eb1ea8e0167fc095d16a3bec65ff444b60979b2d2de7e615d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1104b6c0e5840189224945464707dc8d

SHA1
69b022bdbbec9cfd56f79e1b67e9c19b59f4dd0d

SHA256
36b0da26a5ec271be274aede2cf403c8020d4bf72e256ffe1a35da634959c795

SHA512
c41486aed0c07da6e82ac0dfaa4bd6ef6467bd9f191865cc9e8e482eac2a8af1e0f17e2f4d9c3ebfd2233f32d72d763ec730481d9c15cf82afff935b25fe9ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb384fed14d6c375d6902fa5442888cd

SHA1
d7dadd53ddfdbcd2ed5df155480926d6ab77325f

SHA256
4f267b43f87101ab9ef9713062928a06a6842128cb93e7780fd384ad50503c59

SHA512
78edf9b406a3c2349461347f5342d5bb6d0528106a01c959f99576cb65e778824b19d5fa7b9cb4121ffdf2fdddb2252c0744b132c161dcc58ab2978dd4733781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
beb35ef9c4f1ca9a09d072e73396cd32

SHA1
03c6513cefce2a5ecefa8fcd0a8fca8782599ad9

SHA256
27473f51e30520de0707dda917181b3e3f044949f84e240ab3a97ccc0dbbdea7

SHA512
9d369f90aa198f26c12723a7d442df350fff93898a195d64579a25f3794edd2cff5cdf41f1ee8a6e73b806010ed329cc5b075a9b778aa3ea4a4ffedc6a0cb7d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b3dc487b1f55eb732956eb1caa64bbf

SHA1
e1da3c899dcc579e1a49dbb337b22661cfe52ae5

SHA256
906faef63a2593c4839305889821754e32c4002e695197e96100e4f5f44190f1

SHA512
ff1c08e8f54f20eaa1d18904da203ef356feb4b97768f89186d37a00f22b510b388fab5568fe76341455d731cb7b3182eabcb376d2765cd2863ceb1a0eb92882

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6886604da8bd2fb20a5b311faedaf4ae

SHA1
c540fc9b96d96cbb5e077ae0be829fa9feabb243

SHA256
57b85eb7d8126a589bec2aa0dd7e5f08463cfb22964808e9ae300da3077cea8e

SHA512
7fde5b842e92843ae423b1d27b0a80abef89bd468a581f93b7fae42a52df9799712696889919594c42c1897a52a21e723eb0d5382744fe7dfdba4bdca2ec5541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90d078959aa5d4664a6f9cd267d2a8ac

SHA1
c34d1444d5810e7ee1565a7eff69fe6ad5085dae

SHA256
6926cb25cb2c83194d26d16829ba7ff9cd10492ec3c163048ef7add20d54034b

SHA512
eeaa4db92d317b23a5d7265b487a0731f1d06aef1e391058070d0e52957f79808faf6ba85b0696400a47d528ec0d13e667dae7218071ca416995ed6f62e71b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95b35a5ca45798e00d8c1f1266b7497e

SHA1
bb3effe12e25dfa923bb74c3dd062d33f2dc54b6

SHA256
967569296bf9c3d3876ca5231b7a7a07230f1c5781f594549e2aeca29daf061e

SHA512
f5812d5e2f14e21489be989665a21bdc8e90bb452776f4be28aa6282ef407265cd693aff858eb3c53b89e257f0fe7cfbd5368494aa79aa8b551f6b118728e8c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a10d29e710348e2aa2acace3a90d06bb

SHA1
01e7a5272c6d544a0cdb37ade831f6ea6d732a7d

SHA256
4242ea2caa0075f29ac370e988e47efc6212555bd93cecbc8cd954c98ca3d2f0

SHA512
0159e3c49edbfb5462407f2f8158949af562d27eeb6a89d180a7bdb51f49307fb441de126850ab156496285bfb583765e04ca832b0346e1698426a2701625cbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6de75039a521388028583995a28301fe

SHA1
09f23beb91686220fe46ee6df41928d6bf792ebb

SHA256
6472585480d17b4b85ccf35140d133bb99b142f98a7e80b4219d2cd241716860

SHA512
4838bb6316b6aa3244b8549cd3473b3b020ae4d3f9b7f0b555e2d651ccdf7c85b5b4d370ab8ed0988eded413b721b6cecf6425fec2b36863014526714d6dba18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e81249c74966377ce45b2c32862e774

SHA1
203fdbe61c801cdaf98e1117c19c2b05587e3e0f

SHA256
ead0a022a7f6ba7554b3ad4632a742e165caae7e1cfd1ec9beebb50febb11f5d

SHA512
0e43bee75956da9aaf64f723d3dc8a36acb9ddca3bde2edc67379a9178a5b505f899314ab8869d39dcf593b2ec598ad5c9089c131d94dc4835c3c8d58cc8ca0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24b04863ef6562040f1804df3cf5b00d

SHA1
416e5d312a2da3791cb97d8e7b933df9c0d68626

SHA256
4259d267456865839d0b1b5f4c87177918e6238dbbbdfaa82f8a6d184390c91d

SHA512
d177bb43d4bfd1b92c48d12539ca16e9504d281818a357aa51cf3a0ca03f5601f879372441fe5ed7923b913b7ed956ea674d646449bef7afac0fe22496c68fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71C7.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.7MB

MD5
36d6e7690dc3cc2f0c3907f3adc9af62

SHA1
c0c6b1b325d28f47f4fe83e8fc0a34baee5feb2d

SHA256
f3674bd4d06d3896ad609c73acd42b7ab9b64a86ce6054c10d81acfe8966606f

SHA512
18fffc225437bc4bdc33e234902aa062a1aab700c84ef0ccd77ad6ee84580ddcac8b86d273105837b876077f30f5fb7625d02d98306413edc575e4f5c6ddb5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71D9.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\SysWOW64\TXPlatforn.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
\Users\Admin\AppData\Local\Temp\HD_d24aa6f87c305ea7ceecdbcb913eac8a540f57a3f85a764429731e036223585d.exe

Filesize
647KB

MD5
776fdc0e7331d3d16a6e2eeb956a52b8

SHA1
1960568f4f7d47966e9ce5e3d6fd646b129fe322

SHA256
caaa46d47506f6503156f4ada2543981741250468a63d54bc6a937818372f9c4

SHA512
e53e244770c249622968133b8b217c5084d8cd55dba2a047dd1317deef080c04afa96ee2c51a8cf77ea9449e5d0d322e043ab88773c42c3677f9ed1db1557b8a

Download Submit
memory/2372-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2372-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2600-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2600-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2712-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2712-45-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2712-34-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download