Malware Analysis Report

2024-09-22 15:24

Sample ID 240606-egzwqsha86
Target 51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4
SHA256 51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4
Tags
blackmoon gh0strat purplefox banker persistence rat rootkit trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4

Threat Level: Known bad

The file 51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4 was found to be: Known bad.

Malicious Activity Summary

blackmoon gh0strat purplefox banker persistence rat rootkit trojan upx

Detect Blackmoon payload

Blackmoon, KrBanker

PurpleFox

Detect PurpleFox Rootkit

Gh0st RAT payload

Blackmoon family

Gh0strat

Sets service image path in registry

Drops file in Drivers directory

UPX packed file

Loads dropped DLL

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-06 03:58

Signatures

Blackmoon family

blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 03:55

Reported

2024-06-06 04:00

Platform

win7-20240221-en

Max time kernel

85s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 (not named by the sandbox; privilege LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2852 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2372 wrote to memory of 2180 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 2852 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 2852 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 2852 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 2852 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 2400 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2400 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2400 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2400 wrote to memory of 2488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

"C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackerinvasion.f3322.net udp

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/2908-12-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-8-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2908-5-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2180-33-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

MD5 d03a33be902c401b35b8d59c97526f13
SHA1 6a3b51fdff6e36b44198bb02d74396dfc54992a3
SHA256 b7858dc382a73b45ff885dae080a303c19c043d752a0a8269b51de85d2420841
SHA512 c5027c8dbb97880e2d14b8e62fc5dc49a8a97ec1c63e39bace71d2764293657705ac0e4b60c62e542d2e2384a7db0905b14695e3e983bca4ceb89a86154722e0

memory/2180-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2656-88-0x0000000010000000-0x000000001003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 fb44f7af2882d222b600539171f54c1d
SHA1 0c5a1a0b1620a55a0f194464227be25a2f0347e1
SHA256 f2a78e76259bc8fd4ab6af7b4e16dfb49a10643308aca3d14c09e61ac0ebd487
SHA512 21e906473f64303c4c8d55213ccb84f4a803c11fb5eef34ce3194adfb391ccbcc91e7c399556c7a4e4f3d33b9b19524d4499ec771ee8e1a10df26ea7cc2dcb67

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 5b69dd82503b5c5208a9129c698cc18e
SHA1 e9616d8195b9c189c32f354cc54530b4166f0fcc
SHA256 c82926a45f70f0699dbb57b43072665b9fa95b9ebfe8ff9364b3dfbf77a61dd5
SHA512 c758c4a39720c1e9bc8b30f745a8a0a06fcc9f7af7e6048afa3733a5c7fe4c3087177c23e73bd74abc3664ccb4da4aa602373caf207508889f2f78d1ef11a7df

memory/2180-116-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2656-117-0x00000000005C0000-0x00000000005C9000-memory.dmp

memory/2656-86-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-84-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-82-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-80-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-78-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-76-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-74-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-68-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-65-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-63-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-61-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-59-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-57-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-55-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-53-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-51-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-49-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-43-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-42-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2656-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/2180-38-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2372-24-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/2372-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-06 03:55

Reported

2024-06-06 04:01

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Gh0strat

rat gh0strat

PurpleFox

rootkit trojan purplefox

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\QAssist.sys C:\Windows\SysWOW64\TXPlatforn.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" C:\Windows\SysWOW64\TXPlatforn.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File created C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 (not named by the sandbox; privilege LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: 33 (not named by the sandbox; privilege LUID 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\TXPlatforn.exe N/A
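Read together, four of the signatures in this run (and the same four in behavioral1) describe a single kernel-driver persistence chain by TXPlatforn.exe: a .sys written under system32\drivers, a Services\QAssist\ImagePath value pointing at that same file, SeLoadDriverPrivilege enabled, and a driver load. The Python below is an added example for this report, not part of the sandbox's signature set: it correlates those four event types per acting process into one scored finding instead of four separate hits. The pipe-separated event format and the score weights are assumptions made for the example; the sample events are transcribed from the rows in this section.

```python
"""Correlate a driver drop, a service ImagePath write, SeLoadDriverPrivilege and a
driver load by the same process into one 'kernel driver install' finding.

Added example for this report; not part of the sandbox's signature set. The
pipe-separated event format and the score weights are assumptions for the example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed input: the behavioral2 rows of this report, one event per line as
# kind|process|detail (registry rows carry key=value in the detail field).
SAMPLE_EVENTS = r"""
file_created|C:\Windows\SysWOW64\TXPlatforn.exe|C:\Windows\system32\drivers\QAssist.sys
registry_set|C:\Windows\SysWOW64\TXPlatforn.exe|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath=system32\DRIVERS\QAssist.sys
privilege|C:\Users\Admin\AppData\Local\Temp\RVN.exe|SeIncBasePriorityPrivilege
privilege|C:\Windows\SysWOW64\TXPlatforn.exe|SeLoadDriverPrivilege
privilege|C:\Windows\SysWOW64\TXPlatforn.exe|33
loads_driver|C:\Windows\SysWOW64\TXPlatforn.exe|
"""

# A .sys written anywhere under a drivers directory; the ImagePath key of any service.
DRIVER_DROP = re.compile(r"\\drivers\\([^\\]+\.sys)$", re.IGNORECASE)
IMAGEPATH_KEY = re.compile(r"\\services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Privilege LUID 33 is SeIncreaseWorkingSetPrivilege; the sandbox prints it unnamed.
PRIVILEGE_NAMES = {"33": "SeIncreaseWorkingSetPrivilege"}


@dataclass
class ProcState:
    drivers_dropped: set = field(default_factory=set)  # lower-cased .sys basenames
    services: dict = field(default_factory=dict)       # service name -> ImagePath basename
    privileges: set = field(default_factory=set)
    loaded_driver: bool = False


def parse_events(text):
    """Group the events by acting process."""
    states = defaultdict(ProcState)
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, proc, detail = line.split("|", 2)
        st = states[proc]
        if kind == "file_created":
            m = DRIVER_DROP.search(detail)
            if m:
                st.drivers_dropped.add(m.group(1).lower())
        elif kind == "registry_set":
            key, _, value = detail.partition("=")
            m = IMAGEPATH_KEY.search(key)
            # ImagePath is usually SystemRoot-relative ("system32\DRIVERS\x.sys"),
            # so tie it to the dropped file by basename rather than full path.
            if m and value.lower().endswith(".sys"):
                st.services[m.group(1)] = value.rsplit("\\", 1)[-1].lower()
        elif kind == "privilege":
            st.privileges.add(PRIVILEGE_NAMES.get(detail, detail))
        elif kind == "loads_driver":
            st.loaded_driver = True
    return states


def detect_driver_install(text):
    """One finding per (process, service) whose ImagePath names a .sys that the
    same process wrote to a drivers directory. Score 2 for drop+ImagePath, +1 for
    SeLoadDriverPrivilege, +1 for an observed driver load (max 4)."""
    findings = []
    for proc, st in parse_events(text).items():
        for service, image in st.services.items():
            if image not in st.drivers_dropped:
                continue
            score = 2
            if "SeLoadDriverPrivilege" in st.privileges:
                score += 1
            if st.loaded_driver:
                score += 1
            findings.append({"process": proc, "service": service,
                             "driver": image, "score": score,
                             "privileges": sorted(st.privileges)})
    return findings


if __name__ == "__main__":
    for f in detect_driver_install(SAMPLE_EVENTS):
        print(f"[{f['score']}/4] {f['process']} registered service {f['service']} "
              f"-> {f['driver']} (privileges: {', '.join(f['privileges'])})")
```

The basename comparison is what links the registry row to the file row: the sandbox records the drop with a full path but the ImagePath as a SystemRoot-relative string, so matching full paths would miss the chain. RVN.exe, which only adjusted SeIncBasePriorityPrivilege, produces no finding.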

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 3404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 3404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 3720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 3720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 4936 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4800 wrote to memory of 4936 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 4800 wrote to memory of 4936 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 3132 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3132 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3132 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

"C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe"

C:\Users\Admin\AppData\Local\Temp\RVN.exe

C:\Users\Admin\AppData\Local\Temp\\RVN.exe

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -auto

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul

C:\Windows\SysWOW64\TXPlatforn.exe

C:\Windows\SysWOW64\TXPlatforn.exe -acsi

C:\Windows\SysWOW64\PING.EXE

ping -n 2 127.0.0.1
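The process list above and the 'Suspicious use of WriteProcessMemory' rows in this run and in behavioral1 describe the same chain: the sample starts RVN.exe and the HD_-prefixed copy, RVN.exe installs TXPlatforn.exe and then removes its own file through cmd.exe with a ping delay. The Python below is an added example for this report, not sandbox code: it rebuilds that tree from the report's own rows and flags the ping-then-del command line. Treating each 'PID X wrote to memory of Y' row as a parent-to-child edge is an assumption made for the example; it is consistent with the process list here, where every writer is also the launcher of its target. The rows are transcribed from behavioral2 with repeated rows kept only for the first edge.

```python
"""Rebuild the process tree from the 'wrote to memory' rows and flag the
ping-then-del self-removal command line.

Added example for this report; not sandbox code. Reading a 'PID X wrote to
memory of Y' row as a parent->child edge is an assumption for this example.
"""
import re
from collections import defaultdict

WPM_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed input: behavioral2 rows transcribed from the report, repeats kept
# only for the first edge so the per-edge count is visible.
WPM_ROWS = r"""
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\RVN.exe
PID 3404 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe
PID 3720 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\RVN.exe C:\Windows\SysWOW64\cmd.exe
PID 4800 wrote to memory of 4936 N/A C:\Windows\SysWOW64\TXPlatforn.exe C:\Windows\SysWOW64\TXPlatforn.exe
PID 3132 wrote to memory of 3596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
"""

# Constructed input: command lines from the behavioral2 'Processes' list.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\\RVN.exe",
    r"C:\Windows\SysWOW64\TXPlatforn.exe -auto",
    r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul",
    r"C:\Windows\SysWOW64\TXPlatforn.exe -acsi",
    r"ping -n 2 127.0.0.1",
]

# cmd.exe idiom: ping loopback N times as a sleep (about N-1 seconds), then delete a file.
SELF_DELETE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)\b[^&]*&&\s*del\b(?:\s+/\w+)*\s+\"?([^\s\"]+)",
    re.IGNORECASE,
)


def build_tree(rows):
    """Return (pid -> image, parent pid -> child pids, (parent, child) -> write count)."""
    names, children, counts = {}, defaultdict(set), defaultdict(int)
    for line in rows.splitlines():
        m = WPM_ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = m.groups()
        names[ppid], names[cpid] = pimg, cimg
        children[ppid].add(cpid)
        counts[(ppid, cpid)] += 1
    return names, children, counts


def roots(names, children):
    """PIDs nobody in the rows wrote to: the submitted sample, and processes such
    as TXPlatforn.exe whose launcher does not appear in the rows."""
    written = {c for cs in children.values() for c in cs}
    return sorted(p for p in names if p not in written)


def render_tree(rows):
    names, children, counts = build_tree(rows)
    lines = []

    def walk(pid, depth):
        base = names[pid].rsplit("\\", 1)[-1]
        lines.append(f"{'  ' * depth}{pid} {base}")
        for child in sorted(children[pid]):
            lines.append(f"{'  ' * (depth + 1)}+- {counts[(pid, child)]} write(s) ->")
            walk(child, depth + 1)

    for r in roots(names, children):
        walk(r, 0)
    return "\n".join(lines)


def find_self_delete(cmdlines):
    """Return one dict per command line that sleeps via ping and then deletes a file."""
    hits = []
    for cmd in cmdlines:
        m = SELF_DELETE.search(cmd)
        if m:
            hits.append({"cmd": cmd, "delay_s": int(m.group(1)) - 1, "deleted": m.group(2)})
    return hits


if __name__ == "__main__":
    print(render_tree(WPM_ROWS))
    for h in find_self_delete(COMMAND_LINES):
        print(f"self-delete after ~{h['delay_s']}s: {h['deleted']}")
```

The bare "ping -n 2 127.0.0.1" child is not a hit on its own; only the cmd.exe line that chains the ping into a del matches, which is the event worth alerting on. The deleted path is exactly the dropper RVN.exe listed under Files, so the file must be carved from the sandbox's copy rather than recovered from the host after detonation.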

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 106.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
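Most of the rows above are sandbox background: PTR lookups (in-addr.arpa) and Edge/Chrome store traffic on the Windows 10 image. The rows worth keeping are the repeated lookups for hackerinvasion.f3322.net, a hostname on the f3322.net dynamic-DNS service; the single connection to 20.231.121.79:80 has no name beside it in the table and needs review rather than automatic blocking. The Python below is an added example for this report, not sandbox code, that parses this table, drops PTR and known-noise rows, and emits the indicator set; the dynamic-DNS and noise suffix lists are assumptions made for the example, not vetted intelligence feeds.

```python
"""Split this run's network table into background noise and indicators.

Added example for this report; not sandbox code. The dynamic-DNS and noise
suffix lists are assumptions for the example, not vetted intelligence feeds.
"""
import ipaddress
import re

# Constructed input: rows transcribed from the behavioral2 network table
# (country, destination ip:port, optional domain, protocol).
NETWORK_ROWS = """
US 20.231.121.79:80 tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.201.106:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 hackerinvasion.f3322.net udp
"""

ROW = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# 3322-family dynamic DNS zones (assumption: a short starter list, extend from your own intel).
DYNAMIC_DNS_SUFFIXES = ("f3322.net", "f3322.org", "3322.org", "8866.org", "7766.org")
# Traffic the Win10 sandbox image generates on its own (assumption for this example).
SANDBOX_NOISE_SUFFIXES = ("googleapis.com", "microsoft.com", "windowsupdate.com")


def _under(domain, suffixes):
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify(row):
    domain = row["domain"]
    if domain is None:
        return "direct_ip"      # no name in the table: connection to a bare IP
    if domain.lower().endswith((".in-addr.arpa", ".ip6.arpa")):
        return "ptr_lookup"     # reverse lookups Windows issues for its own connections
    if _under(domain, DYNAMIC_DNS_SUFFIXES):
        return "dynamic_dns"
    if _under(domain, SANDBOX_NOISE_SUFFIXES):
        return "known_noise"
    return "unclassified"


def triage(text):
    """Return (per-class row counts, indicator set). Dynamic-DNS names and globally
    routable bare IPs are kept; PTR and known-noise rows are dropped; anything
    unclassified is queued for manual review instead of being blocked blindly."""
    counts = {}
    iocs = {"domains": set(), "ips": set(), "review": set()}
    for row in parse_rows(text):
        kind = classify(row)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "dynamic_dns":
            iocs["domains"].add(row["domain"].lower())
        elif kind == "direct_ip" and ipaddress.ip_address(row["ip"]).is_global:
            iocs["ips"].add(f"{row['ip']}:{row['port']}/{row['proto']}")
        elif kind == "unclassified":
            iocs["review"].add(row["domain"].lower())
    return counts, iocs


if __name__ == "__main__":
    counts, iocs = triage(NETWORK_ROWS)
    print(counts)
    print("block:", sorted(iocs["domains"]), "review:", sorted(iocs["ips"] | iocs["review"]))
```

Blocking the dynamic-DNS hostname rather than whatever IP it resolved to during the run is the durable control here: the operator can re-point the name at will, and the resolved address is not recorded in this table at all.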

Files

C:\Users\Admin\AppData\Local\Temp\RVN.exe

MD5 80ade1893dec9cab7f2e63538a464fcc
SHA1 c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512 fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

memory/3720-6-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-4-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-7-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-8-0x0000000010000000-0x00000000101B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_51977da0a61cb810829b84eb33035b1366d4678710e34fdad66bee7c741186b4.exe

MD5 d03a33be902c401b35b8d59c97526f13
SHA1 6a3b51fdff6e36b44198bb02d74396dfc54992a3
SHA256 b7858dc382a73b45ff885dae080a303c19c043d752a0a8269b51de85d2420841
SHA512 c5027c8dbb97880e2d14b8e62fc5dc49a8a97ec1c63e39bace71d2764293657705ac0e4b60c62e542d2e2384a7db0905b14695e3e983bca4ceb89a86154722e0

memory/4800-20-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4800-22-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4800-21-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4800-18-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4936-33-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4936-28-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4800-35-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3720-34-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/4936-36-0x0000000010000000-0x00000000101B6000-memory.dmp

memory/3456-43-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-73-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-79-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-77-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-76-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-71-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-70-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-65-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-61-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-59-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-57-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-53-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-51-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-49-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-47-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-41-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-39-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-67-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-63-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-55-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-45-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-38-0x0000000010000000-0x000000001003E000-memory.dmp

memory/3456-37-0x0000000010000000-0x000000001003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\HD_X.dat

MD5 5b69dd82503b5c5208a9129c698cc18e
SHA1 e9616d8195b9c189c32f354cc54530b4166f0fcc
SHA256 c82926a45f70f0699dbb57b43072665b9fa95b9ebfe8ff9364b3dfbf77a61dd5
SHA512 c758c4a39720c1e9bc8b30f745a8a0a06fcc9f7af7e6048afa3733a5c7fe4c3087177c23e73bd74abc3664ccb4da4aa602373caf207508889f2f78d1ef11a7df

memory/3456-121-0x00000000025C0000-0x00000000025C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X.ico

MD5 e33fb6d686b1a8b171349572c5a33f67
SHA1 29f24fe536adf799b69b63c83efadc1bce457a54
SHA256 020c8e0963f89f4b14538b7d69e83c6fec44a29bbbd52fbb6deb2be5c697f450
SHA512 cf1f1d6a9efe53f84e5b4a8246b87c0b96496716605d1b00352d9aae30e664d3d2cbadebf598b4e690a9feef0b5785887a4e643cc5f68938ca744af1d3539e55

C:\Users\Admin\AppData\Local\Temp\RCX88A8.tmp

MD5 d0d0c51eeeaa49308ccc48050fa7e517
SHA1 a9f86e6cc0deb3dca7499dddf870654974e699ed
SHA256 35cb2d22c9a7a12e65796da30e084fff072eca093a2f6dab67488709708383f7
SHA512 acc8b95761183ea842217aaa574e727a6200f9907043c30469a4df5dfc35fdc2ecf7bc17b535b20e22cc74cc8b7475e24b161a22499a8f6d1808a68b6df8d8bc