Malware Analysis Report

2024-07-28 11:03

Sample ID 240526-prp5dsdf99
Target 889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870
SHA256 889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870
Tags
oss_ak gh0strat purplefox persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870

Threat Level: Known bad

The file 889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870 was found to be: Known bad.

Malicious Activity Summary

oss_ak gh0strat purplefox persistence rat rootkit trojan upx

Detect PurpleFox Rootkit

Gh0st RAT payload

PurpleFox

Gh0strat

detect oss ak

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-26 12:34

Signatures

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 12:33

Reported

2024-05-26 13:08

Platform

win7-20240215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
(10 hits; indicator details not recorded in this export)

Gh0st RAT payload

Description Indicator Process Target
(10 hits; indicator details not recorded in this export)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
(12 hits; indicator details not recorded in this export)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 1660 (7 rows) N/A C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 1660 wrote to memory of 1992 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2672 (7 rows) N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 1804 wrote to memory of 2740 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
PID 1992 wrote to memory of 2584 (4 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

"C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 shq.goodgame168.com udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
CN 47.98.186.102:80 shq.goodgame168.com tcp

Files

\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/1660-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1660-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1660-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1660-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3048-18-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

MD5 22f7340e7ce6098c948d4369df4be09f
SHA1 c2c227fdb8702510e44bf8ae14c57e1ff8161612
SHA256 291fc1bfaf4da9b362dbf2eae0192da877932b811fc10f8b8d69701967f13fac
SHA512 cb759fc7bf942a4beb1f15b8d5def7f7541a83b2c8ba000343d471779216a9a2828f98d69bb2b0d981ea142456afcb6eb37bc9a0df82d303d4ebbb3d55d6b9ac

memory/3048-26-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-29-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-32-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-31-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-36-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-33-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2672-38-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 f16e20253806997a16fc77594e2a11f9
SHA1 fc8f5e86c09539419537b08bbd95afb3c412026d
SHA256 65eaf3291401f8fec68c77ad398681b41d792d2fa3c438ed7caa3612299e31a9
SHA512 d496c19c4ecf422ee7cda9ef76c57a4e764a11472108f36388045fe6c3b66cf8d085b158a156fa06837f2ec498da0501749e6ab40b37156c8fb12d33272ad8de

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 12:33

Reported

2024-05-26 13:08

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
(11 hits; indicator details not recorded in this export)

Gh0st RAT payload

Description Indicator Process Target
(11 hits; indicator details not recorded in this export)

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

detect oss ak

oss_ak
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
(13 hits; indicator details not recorded in this export)

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
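The rows above are one chain, identical in both detonations: C:\Windows\SysWOW64\TXPlatforn.exe writes QAssist.sys into the drivers directory, points the QAssist service's ImagePath at it, enables SeLoadDriverPrivilege, and then loads a driver. Added example, not part of the report or of the sandbox's own signature logic: a Python correlator over those events that resolves the service's relative ImagePath against %SystemRoot% the way the service controller does, checks that it names the file the same process just wrote, and reports which stages of the drop-and-load chain each process hit. SYSTEM_ROOT, the event tuples and the ExampleSvc noise row are constructed assumptions; only the QAssist rows mirror the report.

```python
"""Correlate the signals that together mean "dropped a kernel driver and
loaded it": a .sys written under the drivers directory, a Services\\<name>\\
ImagePath pointing at it, SeLoadDriverPrivilege enabled and a LoadsDriver
event, all from the same process."""
import re
from collections import defaultdict

SYSTEM_ROOT = r"C:\Windows"   # assumption: the sandbox's default install root
TXP = r"C:\Windows\SysWOW64\TXPlatforn.exe"

# (kind, detail, process) built from the indicator rows above; both detonations
# produce the same rows. The ExampleSvc row is invented noise so the filter has
# a user-mode service to ignore.
EVENTS = [
    ("file_created", r"C:\Windows\system32\drivers\QAssist.sys", TXP),
    ("reg_set", r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"', TXP),
    ("token", "SeLoadDriverPrivilege", TXP),
    ("token", "SeIncBasePriorityPrivilege", r"C:\Users\Admin\AppData\Local\Temp\RVN.exe"),
    ("loads_driver", "", TXP),
    ("reg_set", r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc\ImagePath = "C:\\Program Files\\Example\\svc.exe"',
     r"C:\Program Files\Example\setup.exe"),
]

IMAGEPATH_RE = re.compile(
    r'Set value \(\w+\) \\REGISTRY\\MACHINE\\SYSTEM\\[^ ]+?\\Services\\(?P<svc>[^\\ ]+)\\ImagePath = "(?P<value>[^"]*)"',
    re.IGNORECASE,   # the Win7 run writes "services", the Win10 run "Services"
)


def resolve_image_path(value):
    """Turn a service ImagePath into an absolute Win32 path the way the service
    controller does: unescape, strip \\??\\ or \\SystemRoot\\ prefixes, and treat
    a bare relative path (the report's "system32\\DRIVERS\\QAssist.sys") as
    relative to %SystemRoot%."""
    p = value.replace("\\\\", "\\").strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):
        p = p[4:]
    elif low.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%"):
        p = SYSTEM_ROOT + p[len("%systemroot%"):]
    elif not re.match(r"[a-z]:\\", p, re.IGNORECASE):
        p = SYSTEM_ROOT + "\\" + p.lstrip("\\")
    return p


def correlate(events):
    """Group events by process and report every kernel-driver service a
    process registered, with the stages of the drop-and-load chain it hit."""
    per = defaultdict(lambda: {"dropped": set(), "services": {}, "privs": set(), "loaded": False})
    for kind, detail, proc in events:
        rec = per[proc]
        if kind == "file_created":
            rec["dropped"].add(detail.lower())   # Windows paths compare case-insensitively
        elif kind == "reg_set":
            m = IMAGEPATH_RE.search(detail)
            if m:
                rec["services"][m.group("svc")] = resolve_image_path(m.group("value"))
        elif kind == "token":
            rec["privs"].add(detail)
        elif kind == "loads_driver":
            rec["loaded"] = True

    findings = []
    for proc, rec in per.items():
        for svc, image in rec["services"].items():
            if not image.lower().endswith(".sys"):
                continue   # user-mode service; not the chain this checks for
            stages = {
                "wrote_driver_file": image.lower() in rec["dropped"],
                "set_imagepath": True,
                "enabled_SeLoadDriverPrivilege": "SeLoadDriverPrivilege" in rec["privs"],
                "loaded_driver": rec["loaded"],
            }
            findings.append({"process": proc, "service": svc, "driver": image,
                             "stages": stages, "complete": all(stages.values())})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        hit = ", ".join(k for k, v in f["stages"].items() if v)
        print(f"{f['process']} -> service {f['service']} -> {f['driver']}")
        print(f"  stages: {hit}; full chain: {f['complete']}")
```

The relative ImagePath is the detail that breaks naive matching: comparing the literal registry string against the file-create path never lines up, and the file event says drivers\QAssist.sys while the value says DRIVERS\QAssist.sys, so the comparison has to be case-insensitive as well.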

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1676 wrote to memory of 5036 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 5036 wrote to memory of 4288 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3328 wrote to memory of 1240 (3 rows) N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4288 wrote to memory of 2868 (3 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1676 wrote to memory of 2364 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe
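The WriteProcessMemory tables of both detonations (the Windows 7 run above and this Windows 10 run) describe the same tree once each parent/child pair is counted once: the sample spawns RVN.exe and HD_889f...exe; RVN.exe spawns cmd.exe, which spawns PING.EXE; and a TXPlatforn.exe instance spawns a second TXPlatforn.exe. The TXPlatforn.exe -auto instance (PID 3048, respectively 3328) is never a target in these rows, so the report records no parent for it. Added example, not from the report: Python that rebuilds the tree from the (pid, target pid) pairs of both runs, keeps the per-edge row count, and checks that the two runs have the same shape when PIDs are ignored. The row data is copied from the two tables; nothing else is assumed.

```python
"""Rebuild the process tree from the "Suspicious use of WriteProcessMemory"
rows: every row is one parent -> child write, so the distinct (pid, target
pid) pairs are the edges and the repeat count is how often each was logged."""
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE = T + r"\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"
HD = T + r"\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"
RVN, CMD, PING, TXP = T + r"\RVN.exe", S + r"\cmd.exe", S + r"\PING.EXE", S + r"\TXPlatforn.exe"

# (pid, target pid, process, target), copied from the two tables and repeated
# as many times as each row appears there.
WIN7_ROWS = ([(1804, 1660, SAMPLE, RVN)] * 7 + [(1660, 1992, RVN, CMD)] * 4
             + [(3048, 2672, TXP, TXP)] * 7 + [(1804, 2740, SAMPLE, HD)] * 4
             + [(1992, 2584, CMD, PING)] * 4)
WIN10_ROWS = ([(1676, 5036, SAMPLE, RVN)] * 3 + [(5036, 4288, RVN, CMD)] * 3
              + [(3328, 1240, TXP, TXP)] * 3 + [(4288, 2868, CMD, PING)] * 3
              + [(1676, 2364, SAMPLE, HD)] * 3)


def base(path):
    return path.rsplit("\\", 1)[-1]


def build(rows):
    """Return (edge counts, pid -> image, pid -> child pids, root pids)."""
    edges = Counter((p, c) for p, c, _, _ in rows)
    names = {}
    for p, c, pimg, cimg in rows:
        names[p], names[c] = pimg, cimg
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    targets = {c for _, c in edges}
    roots = [pid for pid in names if pid not in targets]  # never written to: no recorded parent
    return edges, names, children, roots


def shape(rows):
    """PID-free view of the tree (nested tuples of image names) so two
    detonations can be compared directly."""
    _, names, children, roots = build(rows)

    def sub(pid):
        kids = sorted(children.get(pid, []), key=lambda k: base(names[k]))
        return (base(names[pid]), tuple(sub(k) for k in kids))

    return tuple(sub(r) for r in sorted(roots, key=lambda r: base(names[r])))


def render(rows):
    """Indented text tree with the per-edge row count."""
    edges, names, children, roots = build(rows)
    lines = []

    def walk(pid, depth, n_rows):
        tag = f"  <- {n_rows} WriteProcessMemory rows" if n_rows else ""
        lines.append("  " * depth + f"{base(names[pid])} [pid {pid}]{tag}")
        for k in sorted(children.get(pid, []), key=lambda k: base(names[k])):
            walk(k, depth + 1, edges[(pid, k)])

    for r in sorted(roots, key=lambda r: base(names[r])):
        walk(r, 0, 0)
    return lines


if __name__ == "__main__":
    for label, rows in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        print(f"--- {label} ---")
        print("\n".join(render(rows)))
    print("same shape:", shape(WIN7_ROWS) == shape(WIN10_ROWS))
```

Two roots come out of each run: the submitted sample, and the TXPlatforn.exe -auto instance whose starter is not in these rows. The Processes list shows it re-launching itself with -acsi, which is the second TXPlatforn.exe node.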

Processes

C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

"C:\Users\Admin\AppData\Local\Temp\889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
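The cmd.exe line in both process lists, "ping -n 2 127.0.0.1 > nul && del ...\RVN.exe > nul", is the usual delayed self-delete: two pings to loopback buy about a second for RVN.exe (the parent, per the WriteProcessMemory rows) to exit, then the dropper is removed after it has already planted TXPlatforn.exe in SysWOW64. The command line names C:\Windows\system32\cmd.exe while the process column shows C:\Windows\SysWOW64\cmd.exe; that is WOW64 file-system redirection for a 32-bit parent, not a second binary. Added detection example, not from the report: a Python matcher for the ping/timeout-then-del idiom that also checks whether the deleted file is the parent's own image. The regex, the RECORDS list and every command line in it other than the report's own are constructed.

```python
"""Detect the ping-as-sleep delayed delete seen above and decide whether the
deleted file is the parent's own image (self-delete) or some other file."""
import re

SELF_DELETE_RE = re.compile(r"""
    (?:ping(?:\.exe)?\s+[^&|]*?(?:127\.0\.0\.1|localhost|::1)   # ping to loopback used as a sleep
      |timeout(?:\.exe)?\s+[^&|]*?\d+)                          # or timeout /t N
    [^&|]*?                                                      # optional redirection such as "> nul"
    (?:&&|&|\|\|)\s*                                             # then a chained command
    (?:del|erase)(?:\s+/[a-z]+)*\s+                              # del/erase, optional switches
    (?P<target>"[^"]+"|\S+)                                      # the file being removed
""", re.IGNORECASE | re.VERBOSE)

# Process-creation records as (parent image, command line). The first is the
# report's own cmd.exe line (parent RVN.exe); the rest are constructed here.
RECORDS = [
    (r"C:\Users\Admin\AppData\Local\Temp\RVN.exe",
     r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul"),
    (r"C:\tmp\installer.exe", r'cmd /c timeout /t 3 /nobreak >nul & del /f /q "C:\tmp\a b.exe"'),
    (r"C:\Windows\System32\cmd.exe", "ping -n 2 127.0.0.1"),          # plain connectivity check
    (r"C:\Windows\System32\cmd.exe", r"cmd /c del C:\tmp\old.log"),   # delete without a sleep
]


def check(cmdline, parent_image=None):
    """Return {"matched", "target", "self_delete"} for one command line."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return {"matched": False, "target": None, "self_delete": False}
    target = m.group("target").strip('"')
    # Self-delete when the file being removed is the parent's own image.
    self_delete = parent_image is not None and target.lower() == parent_image.lower()
    return {"matched": True, "target": target, "self_delete": self_delete}


def scan(records):
    """Run check() over (parent image, command line) pairs and keep the hits."""
    hits = []
    for parent, cmdline in records:
        r = check(cmdline, parent)
        if r["matched"]:
            hits.append({"parent": parent, "cmdline": cmdline, **r})
    return hits


if __name__ == "__main__":
    for h in scan(RECORDS):
        kind = "SELF-DELETE" if h["self_delete"] else "delayed delete"
        print(f"{kind}: {h['parent']} -> {h['target']}")
```

A plain "ping -n 2 127.0.0.1" or a bare "del" does not match; the rule keys on the sleep being chained into the delete, and the parent-image comparison is what separates a dropper erasing itself from an installer cleaning up a temporary file.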

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 shq.goodgame168.com udp
CN 47.98.186.102:80 shq.goodgame168.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
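Across both detonations only two names are the sample's own: shq.goodgame168.com, which was resolved and then contacted on 47.98.186.102:80, and hackerinvasion.f3322.net, which was queried repeatedly but never produced a TCP connection in the capture. The in-addr.arpa rows are reverse lookups of addresses already seen, and the bing.com traffic coincides with the msedge.exe process the Windows 10 run started. Added example, not from the report: Python that sorts these rows into resolved-only names, contacted names with their endpoints, and TCP endpoints the report could not attribute to a name. The SANDBOX_NOISE allowlist and the treatment of f3322.net as a dynamic-DNS suffix are the example's assumptions; the ROWS are copied from the two tables.

```python
"""Sort the Network rows into IOCs worth keeping: drop reverse lookups and
assumed sandbox/OS background traffic, and separate names that were only
resolved from names that actually got a TCP connection."""
from collections import Counter, defaultdict

# Rows copied from the Network tables of both detonations: (country, destination, domain, proto).
# The row with no domain is kept with "" exactly as the report shows it.
ROWS = [
    ("US", "8.8.8.8:53", "shq.goodgame168.com", "udp"),
    ("US", "8.8.8.8:53", "hackerinvasion.f3322.net", "udp"),
    ("CN", "47.98.186.102:80", "shq.goodgame168.com", "tcp"),
    ("US", "8.8.8.8:53", "209.205.72.20.in-addr.arpa", "udp"),
    ("NL", "23.62.61.194:443", "www.bing.com", "tcp"),
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "hackerinvasion.f3322.net", "udp"),
]

# Assumptions, not from the report: names produced by the Windows 10 sandbox
# image itself (Edge/Bing), and suffixes of free dynamic-DNS providers.
SANDBOX_NOISE = {"www.bing.com", "tse1.mm.bing.net"}
DDNS_SUFFIXES = (".f3322.net",)


def triage(rows):
    """Return (iocs, unnamed): one record per domain the sample touched, and
    the TCP endpoints the report could not tie to a name."""
    lookups = Counter()
    connections = defaultdict(set)
    unnamed = set()
    for country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):
            if domain.endswith(".in-addr.arpa"):
                continue  # PTR lookup of an address already seen; adds no IOC
            lookups[domain] += 1
        elif proto == "tcp":
            if domain:
                connections[domain].add((dest, country))
            else:
                unnamed.add((dest, country))

    iocs = []
    for domain in set(lookups) | set(connections):
        if domain in SANDBOX_NOISE:
            continue
        endpoints = sorted(connections.get(domain, ()))
        iocs.append({
            "domain": domain,
            "dns_queries": lookups[domain],
            "endpoints": endpoints,
            "contacted": bool(endpoints),
            "dynamic_dns": domain.endswith(DDNS_SUFFIXES),
        })
    iocs.sort(key=lambda i: i["domain"])
    return iocs, sorted(unnamed)


if __name__ == "__main__":
    iocs, unnamed = triage(ROWS)
    for i in iocs:
        state = ("connected to " + ", ".join(d for d, _ in i["endpoints"])) if i["contacted"] else "resolved only"
        flag = " [dynamic DNS]" if i["dynamic_dns"] else ""
        print(f"{i['domain']}: {state} ({i['dns_queries']} DNS queries){flag}")
    for dest, country in unnamed:
        print(f"unattributed TCP endpoint {dest} ({country})")
```

A resolved-only name is still worth blocking: repeated queries for hackerinvasion.f3322.net without a connection are consistent with a fallback C2 that was not answering during the run, and a dynamic-DNS name can point somewhere else tomorrow, so the name matters more than the address. The unattributed 52.142.223.178:80 row needs manual attribution before it is treated as an indicator.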

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/5036-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5036-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5036-10-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/5036-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3328-13-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3328-15-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3328-16-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3328-17-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3328-23-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1240-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1240-27-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1240-31-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/1240-32-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_889f47bff923158c99a3ed34e330474d7c6f5f6cef0178c17b80450eebf68870.exe

MD5 22f7340e7ce6098c948d4369df4be09f
SHA1 c2c227fdb8702510e44bf8ae14c57e1ff8161612
SHA256 291fc1bfaf4da9b362dbf2eae0192da877932b811fc10f8b8d69701967f13fac
SHA512 cb759fc7bf942a4beb1f15b8d5def7f7541a83b2c8ba000343d471779216a9a2828f98d69bb2b0d981ea142456afcb6eb37bc9a0df82d303d4ebbb3d55d6b9ac

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 f16e20253806997a16fc77594e2a11f9
SHA1 fc8f5e86c09539419537b08bbd95afb3c412026d
SHA256 65eaf3291401f8fec68c77ad398681b41d792d2fa3c438ed7caa3612299e31a9
SHA512 d496c19c4ecf422ee7cda9ef76c57a4e764a11472108f36388045fe6c3b66cf8d085b158a156fa06837f2ec498da0501749e6ab40b37156c8fb12d33272ad8de

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 af88c8dcbf1c5e287bb4f42c59eed448
SHA1 2b3124223de0a2df46ef88efb9231de25de343d9
SHA256 c0c4fc450f3b35cf4d672a5a551851f9d77903776b57a1787d4cf477666654a7
SHA512 0d8bcea1666abdb705fe270846f37dfcc4e2f4bc6e20295a6a201aeafe20a195f45c04d85c14da392a8c2556d33867d73783a8f233d4e5e7793ac6ab6bf573b3

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 e33fb6d686b1a8b171349572c5a33f67
SHA1 29f24fe536adf799b69b63c83efadc1bce457a54
SHA256 020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450
SHA512 cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55