Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2024 16:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
  - Resource: win7-20240419-en
General
- Target: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
- Size: 4.0MB
- MD5: 04424a5bb943a3308ebbc813a42c4af6
- SHA1: cea9d17cd451e46e072305a2fd20f7688df41f40
- SHA256: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8
- SHA512: cdd54cb9e5324a3d42a342a707c4f753c5286c55879b0119e8e437bf7f36bd853275a32e33ea8b52ed46f577a48ca24ddc71e000ca2c472c5ba952bde001a31b
- SSDEEP: 49152:1CwsbCANnKXferL7Vwe/Gg0P+Wh3hqz1UnUhO3YEpjF1Zpr42KedC/:ows2ANnKXOaeOgmhoz1jqtK2Kh
Malware Config
Signatures
Detected by yara rule purplefox_rootkit 7 IoCs
Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2192-21-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2192-20-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2652-38-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2652-37-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2652-41-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2652-47-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
| behavioral1/memory/2652-49-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit |
Gh0st RAT payload 8 IoCs
Processes:
| resource | yara_rule |
|---|---|
| \Windows\SysWOW64\259397339.txt | family_gh0strat |
| behavioral1/memory/2192-21-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2192-20-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2652-38-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2652-37-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2652-41-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2652-47-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
| behavioral1/memory/2652-49-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat |
Drops file in Drivers directory 1 IoCs
Processes: TXPlatfor.exe
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatfor.exe |
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes: R.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259397339.txt" | R.exe |
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatfor.exe
| description | ioc | process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatfor.exe |
Executes dropped EXE 6 IoCs
Processes: R.exe, N.exe, TXPlatfor.exe, TXPlatfor.exe, HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe, Remote Data.exe
| pid | process |
|---|---|
| 1392 | R.exe |
| 2192 | N.exe |
| 2656 | TXPlatfor.exe |
| 2652 | TXPlatfor.exe |
| 2624 | HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
| 2940 | Remote Data.exe |
Loads dropped DLL 9 IoCs
Processes: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe, R.exe, svchost.exe, TXPlatfor.exe, Remote Data.exe, HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
| pid | process |
|---|---|
| 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
| 1392 | R.exe |
| 2444 | svchost.exe |
| 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
| 2656 | TXPlatfor.exe |
| 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
| 2444 | svchost.exe |
| 2940 | Remote Data.exe |
| 2624 | HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
Detected by yara rule upx 9 IoCs
Processes:
| resource | yara_rule |
|---|---|
| behavioral1/memory/2192-18-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2192-21-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2192-20-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-38-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-37-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-33-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-41-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-47-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
| behavioral1/memory/2652-49-0x0000000010000000-0x00000000101B6000-memory.dmp | upx |
Drops file in System32 directory 6 IoCs
Processes: R.exe, svchost.exe, N.exe
| description | ioc | process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\ini.ini | R.exe |
| File created | C:\Windows\SysWOW64\Remote Data.exe | svchost.exe |
| File opened for modification | C:\Windows\SysWOW64\Remote Data.exe | svchost.exe |
| File created | C:\Windows\SysWOW64\TXPlatfor.exe | N.exe |
| File opened for modification | C:\Windows\SysWOW64\TXPlatfor.exe | N.exe |
| File created | C:\Windows\SysWOW64\259397339.txt | R.exe |
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
| pid | process |
|---|---|
| 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe |
Suspicious behavior: LoadsDriver 1 IoCs
Processes: TXPlatfor.exe
| pid | process |
|---|---|
| 2652 | TXPlatfor.exe |
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: N.exe, TXPlatfor.exe
| description | pid | process |
|---|---|---|
| Token: SeIncBasePriorityPrivilege | 2192 | N.exe |
| Token: SeLoadDriverPrivilege | 2652 | TXPlatfor.exe |
| Token: 33 | 2652 | TXPlatfor.exe |
| Token: SeIncBasePriorityPrivilege | 2652 | TXPlatfor.exe |
| Token: 33 | 2652 | TXPlatfor.exe |
| Token: SeIncBasePriorityPrivilege | 2652 | TXPlatfor.exe |
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
| pid | process |
|---|---|
| 1252 | IEXPLORE.EXE |
Suspicious use of SetWindowsHookEx 8 IoCs
Processes: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe, IEXPLORE.EXE, IEXPLORE.EXE
| pid | process | occurrences |
|---|---|---|
| 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | 2 |
| 1252 | IEXPLORE.EXE | 2 |
| 1912 | IEXPLORE.EXE | 4 |
Suspicious use of WriteProcessMemory 46 IoCs
Processes: 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe, N.exe, TXPlatfor.exe, cmd.exe, svchost.exe, HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe, iexplore.exe, IEXPLORE.EXE
Identical rows are collapsed; the occurrences column gives how many times each write was recorded (46 in total).
| description | pid | process | target process | occurrences |
|---|---|---|---|---|
| PID 2176 wrote to memory of 1392 | 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | R.exe | 4 |
| PID 2176 wrote to memory of 2192 | 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | N.exe | 7 |
| PID 2192 wrote to memory of 2716 | 2192 | N.exe | cmd.exe | 4 |
| PID 2656 wrote to memory of 2652 | 2656 | TXPlatfor.exe | TXPlatfor.exe | 7 |
| PID 2176 wrote to memory of 2624 | 2176 | 5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | 4 |
| PID 2716 wrote to memory of 2620 | 2716 | cmd.exe | PING.EXE | 4 |
| PID 2444 wrote to memory of 2940 | 2444 | svchost.exe | Remote Data.exe | 4 |
| PID 2624 wrote to memory of 284 | 2624 | HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe | iexplore.exe | 4 |
| PID 284 wrote to memory of 1252 | 284 | iexplore.exe | IEXPLORE.EXE | 4 |
| PID 1252 wrote to memory of 1912 | 1252 | IEXPLORE.EXE | IEXPLORE.EXE | 4 |
Processes
- C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe"
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\R.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
    Signatures: Sets DLL path for service in the registry; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
  - C:\Users\Admin\AppData\Local\Temp\N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        Signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
        Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1252 CREDAT:275457 /prefetch:2
          Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  Signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Remote Data.exe
    Command line: "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259397339.txt",MainThread
    Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\SysWOW64\TXPlatfor.exe
  Command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\TXPlatfor.exe
    Command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    Signatures: Drops file in Drivers directory; Sets service image path in registry; Executes dropped EXE; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cab321A.tmp
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
- C:\Users\Admin\AppData\Local\Temp\HD_X.dat
  Filesize: 2.9MB
  MD5: b7ab7ab6b9c445db7a50620450970f77
  SHA1: 683a231521d6dd10664aec1b70f182065d24aef7
  SHA256: 04bf4712a8fbde15c7aab1397dbf6bda316d2221b5eaabaa1aadc31df52444bb
  SHA512: 2771b164a5598d5f7cbc85ad2baae18b2a4b7bda9ad77194c304dc39ec38ba00e810c71820d1508743182eb33a36aa99474e897ba34050b20c29ccc8e5f5197b
- C:\Users\Admin\AppData\Local\Temp\R.exe
  Filesize: 941KB
  MD5: 8dc3adf1c490211971c1e2325f1424d2
  SHA1: 4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5
  SHA256: bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c
  SHA512: ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d
- C:\Users\Admin\AppData\Local\Temp\Tar32BD.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- \Users\Admin\AppData\Local\Temp\HD_5eb75eb167af4d1b5883e2938af9202594068fc92bd5cdf55e951614ecef8ae8.exe
  Filesize: 1.1MB
  MD5: 45ebd25a2158aed5d54f1164c964c860
  SHA1: 15b6b76c2853b8309e2b2182bb02b42c8c1e9371
  SHA256: 22b1e9dd9ec5a056817f425234674aa961a649758f13308a698a4c92854ce4c3
  SHA512: 16cfdaa5d59d73f7cdd58f621b68b4b22d775b556194f40aa04c99c8798eddc5dbefe844ea3c161c0e188de2143f9c16764011ac68efcfb0d658e84d3cbb0419
- \Users\Admin\AppData\Local\Temp\N.exe
  Filesize: 377KB
  MD5: 4a36a48e58829c22381572b2040b6fe0
  SHA1: f09d30e44ff7e3f20a5de307720f3ad148c6143b
  SHA256: 3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8
  SHA512: 5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0
- \Windows\SysWOW64\259397339.txt
  Filesize: 899KB
  MD5: 0ea572dddfbad4b1571d9303ff0c3b19
  SHA1: 0cbffaa84db8c9c1c739a032378b2e6995fcaa0c
  SHA256: fb70755ccf0eec39694f2a60326c7150cd4cdb69065025758ed1a1cb26856c83
  SHA512: 2284ad9ad65d049e2035c9342a06c4c87a6f0213b14a2ffe5b2189bb72fcfca34f0d831dda8539b2df41d0bc88f85771c07ca8e155a114a39f3caa1c0d6c4a5c
- \Windows\SysWOW64\Remote Data.exe
  Filesize: 43KB
  MD5: 51138beea3e2c21ec44d0932c71762a8
  SHA1: 8939cf35447b22dd2c6e6f443446acc1bf986d58
  SHA256: 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
  SHA512: 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d
- memory/2192-18-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2192-21-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2192-20-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-38-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-37-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-33-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-49-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-41-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)
- memory/2652-47-0x0000000010000000-0x00000000101B6000-memory.dmp (Filesize: 1.7MB)