Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 03:42
Static task: static1
Behavioral task: behavioral1
Sample: 92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
Resource: win7-20240508-en
General
Target: 92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
Size: 3.2MB
MD5: 0a389fd39bc39dfe5f215952b1cea5cc
SHA1: b9b30185c0f9b88a84e9e1e9eb3026c7c2e975af
SHA256: 92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684
SHA512: fd79031e4e6f9f2964fff5371efdf2d0891d6292b3810b9dcbc40c33062c0587d7abf7f35e3c51a171c8b3fee46046f6dc23f753a655eef9fb3b1b8291a63c87
SSDEEP: 24576:tCwsbKgbQ5NANIvGTYwMHXA+wT1kfTw4SIuvB74fgt7ibhRM5QhKehFdMtRj7nHv:tCwsbCANnKXferL7Vwe/Gg0P+WhT1u
Malware Config
Signatures
Processes:
resource  yara_rule
behavioral2/memory/4476-20-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4476-19-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/4476-23-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1552-28-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1552-29-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/3488-40-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/3488-54-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/3488-56-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 9 IoCs
Processes:
resource  yara_rule
C:\Windows\SysWOW64\240600609.txt  family_gh0strat
behavioral2/memory/4476-20-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4476-19-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/4476-23-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1552-28-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1552-29-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/3488-40-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/3488-54-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/3488-56-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatfor.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240600609.txt"  R.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatfor.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  HD_msedge.exe
Executes dropped EXE 24 IoCs
Processes:
pid  process
1604  R.exe
4476  N.exe
1552  TXPlatfor.exe
3488  TXPlatfor.exe
5092  HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
2852  Remote Data.exe
2032  msedge.exe
4244  R.exe
1768  N.exe
3132  TXPlatfor.exe
4636  TXPlatfor.exe
1268  HD_msedge.exe
1580  HD_msedge.exe
3312  HD_msedge.exe
4808  HD_msedge.exe
4396  HD_msedge.exe
4320  HD_msedge.exe
1420  HD_msedge.exe
3168  HD_msedge.exe
3540  HD_msedge.exe
2404  HD_msedge.exe
4076  HD_msedge.exe
4548  HD_msedge.exe
1068  HD_msedge.exe
Loads dropped DLL 3 IoCs
Processes:
pid  process
1604  R.exe
2868  svchost.exe
2852  Remote Data.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource  yara_rule
behavioral2/memory/4476-17-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4476-20-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4476-19-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/4476-23-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1552-26-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1552-28-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1552-29-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/3488-40-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/3488-54-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/3488-56-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  HD_msedge.exe
Drops file in System32 directory 6 IoCs
Processes:
description  ioc  process
File created  C:\Windows\SysWOW64\Remote Data.exe  svchost.exe
File opened for modification  C:\Windows\SysWOW64\Remote Data.exe  svchost.exe
File created  C:\Windows\SysWOW64\TXPlatfor.exe  N.exe
File opened for modification  C:\Windows\SysWOW64\TXPlatfor.exe  N.exe
File created  C:\Windows\SysWOW64\240600609.txt  R.exe
File opened for modification  C:\Windows\SysWOW64\ini.ini  R.exe
Drops file in Program Files directory 3 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid  process
4532  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
2032  msedge.exe
4808  HD_msedge.exe
1268  HD_msedge.exe
4892  identity_helper.exe
1068  HD_msedge.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid  process
3488  TXPlatfor.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description  pid  process
Token: SeIncBasePriorityPrivilege  4476  N.exe
Token: SeLoadDriverPrivilege  3488  TXPlatfor.exe
Token: SeIncBasePriorityPrivilege  1768  N.exe
Token: 33  3488  TXPlatfor.exe
Token: SeIncBasePriorityPrivilege  3488  TXPlatfor.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid  process
1268  HD_msedge.exe
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid  process
1268  HD_msedge.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid  process
4532  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
2032  msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description  pid  process  target process
PID 4532 wrote to memory of 1604  4532  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe  R.exe
PID 4532 wrote to memory of 4476  4532  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe  N.exe
PID 4476 wrote to memory of 4820  4476  N.exe  cmd.exe
PID 1552 wrote to memory of 3488  1552  TXPlatfor.exe  TXPlatfor.exe
PID 4532 wrote to memory of 5092  4532  92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe  HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
PID 4820 wrote to memory of 2524  4820  cmd.exe  PING.EXE
PID 2868 wrote to memory of 2852  2868  svchost.exe  Remote Data.exe
PID 5092 wrote to memory of 2032  5092  HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe  msedge.exe
PID 2032 wrote to memory of 4244  2032  msedge.exe  R.exe
PID 2032 wrote to memory of 1768  2032  msedge.exe  N.exe
PID 1768 wrote to memory of 964  1768  N.exe  cmd.exe
PID 3132 wrote to memory of 4636  3132  TXPlatfor.exe  TXPlatfor.exe
PID 2032 wrote to memory of 1268  2032  msedge.exe  HD_msedge.exe
PID 1268 wrote to memory of 1580  1268  HD_msedge.exe  HD_msedge.exe
PID 964 wrote to memory of 4868  964  cmd.exe  PING.EXE
PID 1268 wrote to memory of 3312  1268  HD_msedge.exe  HD_msedge.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  HD_msedge.exe
Processes
C:\Users\Admin\AppData\Local\Temp\92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\R.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
  C:\Users\Admin\AppData\Local\Temp\N.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 2 127.0.0.1
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ifeedback.qq.com/platform/feedback?app_id=30&uin=PCWeChat202406200342
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\R.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\R.exe
        - Executes dropped EXE
      C:\Users\Admin\AppData\Local\Temp\N.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\\N.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 2 127.0.0.1
            - Runs ping.exe
      C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Checks system information in the registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ac046f8,0x7ff86ac04708,0x7ff86ac04718
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
          - Checks computer location settings
          - Executes dropped EXE
        C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=1992,216253416047739188,2997019604701067107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3456 /prefetch:2
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\Remote Data.exe
    Command line: "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240600609.txt",MainThread
    - Executes dropped EXE
    - Loads dropped DLL
C:\Windows\SysWOW64\TXPlatfor.exe
  Command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatfor.exe
    Command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\TXPlatfor.exe
  Command line: C:\Windows\SysWOW64\TXPlatfor.exe -auto
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\TXPlatfor.exe
    Command line: C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    - Executes dropped EXE
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  (3.2MB)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (5.8MB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat  (152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat  (152B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences  (5KB)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT  (16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT  (16B)
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State  (8KB)
C:\Users\Admin\AppData\Local\Temp\HD_92a771f4067943d3bef6d4707c03e8708552b51aa881cb5dd75e6a664ee06684.exe  (555KB)
C:\Users\Admin\AppData\Local\Temp\HD_X.dat  (2.6MB)
C:\Users\Admin\AppData\Local\Temp\N.exe  (377KB)
C:\Users\Admin\AppData\Local\Temp\R.exe  (941KB)
C:\Windows\SysWOW64\240600609.txt  (899KB)
C:\Windows\SysWOW64\Remote Data.exe  (60KB)
\??\pipe\LOCAL\crashpad_1268_BBGGVIZUDRDIDCJS
memory/1552-28-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/1552-26-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/1552-29-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/3312-106-0x00007FF878F30000-0x00007FF878F31000-memory.dmp  (4KB)
memory/3488-40-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/3488-54-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/3488-56-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/4476-23-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/4476-17-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/4476-20-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)
memory/4476-19-0x0000000010000000-0x00000000101B6000-memory.dmp  (1.7MB)