Malware Analysis Report

2024-09-22 14:59

Sample ID 240605-v2wmtadh55
Target c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c
SHA256 c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c
Tags
gh0strat purplefox persistence rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c

Threat Level: Known bad

The file c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox persistence rat rootkit trojan

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat

PurpleFox

Drops file in Drivers directory

Sets service image path in registry

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Unsigned PE

Runs ping.exe

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-05 17:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-05 17:29

Reported

2024-06-05 17:32

Platform

win7-20240419-en

Max time kernel

121s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\COM Surrogate | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\COM Surrogate | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\COM Surrogate | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\COM Surrogate | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A
File opened for modification | C:\Windows\SysWOW64\COM Surrogate | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\COM Surrogate | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\COM Surrogate | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\COM Surrogate | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\COM Surrogate | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\COM Surrogate | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\COM Surrogate | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1860 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | C:\Windows\SysWOW64\cmd.exe
PID 1860 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\COM Surrogate | C:\Windows\SysWOW64\COM Surrogate
PID 3032 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\COM Surrogate | C:\Windows\SysWOW64\COM Surrogate
PID 3032 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\COM Surrogate | C:\Windows\SysWOW64\COM Surrogate
PID 3032 wrote to memory of 2668 | N/A | C:\Windows\SysWOW64\COM Surrogate | C:\Windows\SysWOW64\COM Surrogate
PID 2656 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2836 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe

"C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe"

C:\Windows\SysWOW64\COM Surrogate

"C:\Windows\SysWOW64\COM Surrogate" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\C274B2~1.EXE > nul

C:\Windows\SysWOW64\COM Surrogate

"C:\Windows\SysWOW64\COM Surrogate" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sk.yg.ink | udp
HK | 103.147.13.110:443 | sk.yg.ink | tcp

Files

memory/1860-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Windows\SysWOW64\COM Surrogate

MD5 3dd22032bb9f535c6820141b18ff1a85
SHA1 850959dce7003d1892f07b50553ae619d764321e
SHA256 c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c
SHA512 e6578edaffea7d5d2db215ecf81c4f5d7bfc16f3fa79944491bb5b577e15710cb6e21c681b3b16d1455b2bf54d680699d05cc415e47208535a649a72ed392319

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-05 17:29

Reported

2024-06-05 17:32

Platform

win10v2004-20240426-en

Max time kernel

120s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe"

Signatures

Detect PurpleFox Rootkit

rootkit
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0st RAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\QAssist.sys | C:\Windows\SysWOW64\COM Surrogate | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | C:\Windows\SysWOW64\COM Surrogate | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\J: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\O: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\X: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\V: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\H: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\K: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\L: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\M: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\P: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\R: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\U: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\W: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\E: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\G: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\N: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\T: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\I: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\S: | C:\Windows\SysWOW64\COM Surrogate | N/A
File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\COM Surrogate | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\COM Surrogate | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A
File opened for modification | C:\Windows\SysWOW64\COM Surrogate | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\COM Surrogate | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\COM Surrogate | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\COM Surrogate | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\SysWOW64\COM Surrogate | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\COM Surrogate | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\COM Surrogate | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe

"C:\Users\Admin\AppData\Local\Temp\c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c.exe"

C:\Windows\SysWOW64\COM Surrogate

"C:\Windows\SysWOW64\COM Surrogate" -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\C274B2~1.EXE > nul

C:\Windows\SysWOW64\COM Surrogate

"C:\Windows\SysWOW64\COM Surrogate" -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | sk.yg.ink | udp
HK | 103.147.13.110:443 | sk.yg.ink | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 110.13.147.103.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 129.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

memory/1432-0-0x0000000010000000-0x000000001019F000-memory.dmp

C:\Windows\SysWOW64\COM Surrogate

MD5 3dd22032bb9f535c6820141b18ff1a85
SHA1 850959dce7003d1892f07b50553ae619d764321e
SHA256 c274b2e340898ac8c990b24d0ca9d4e0668108397b0bf1a2f6c89545e78b911c
SHA512 e6578edaffea7d5d2db215ecf81c4f5d7bfc16f3fa79944491bb5b577e15710cb6e21c681b3b16d1455b2bf54d680699d05cc415e47208535a649a72ed392319

memory/4272-10-0x0000000010000000-0x000000001019F000-memory.dmp

memory/3724-17-0x0000000010000000-0x000000001019F000-memory.dmp