gh0strat | 030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
Size

5.1MB
MD5

6f6ea6ee0487762330db744a13b28194
SHA1

09110a360a9907df54eebf1851c7790aa193da11
SHA256

030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0
SHA512

3ca0cca7433a8c2f3b0125352ef73a15108c21e14fad932b40e56992f8804ec0316ba56d90d4ee783bdc67be4ce59403a239f164be8716b076ca7d8c80375550
SSDEEP

98304:Pws2ANnKXOaeOgmh+WvJDmn2/fbtc7wEZmSVylDhV/20V5hkgkK:5KXbeO7pFmnghZ2YVx

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2012-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2012-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-48-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2548-50-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016176-6.dat	family_gh0strat
behavioral1/memory/2012-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2012-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-48-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2548-50-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259396933.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

pid	Process
2092	R.exe
2012	N.exe
2592	TXPlatfor.exe
2548	TXPlatfor.exe
2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
2920	Remote Data.exe

Loads dropped DLL 9 IoCs

pid	Process
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
2092	R.exe
1992	svchost.exe
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
2592	TXPlatfor.exe
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
1992	svchost.exe
2920	Remote Data.exe
2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2012-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2012-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-48-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2548-50-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259396933.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000075326cba029fd440a778ebc78d32f37100000000020000000000106600000001000020000000cc6d8f4d71a7aae851996c74c47ee967a2c83babf3e71f428ee97c5024e1342a000000000e8000000002000020000000c90193e47a65174dd69375165a2ab53b4f6be41a37edcce3946370bf2f8d527590000000ba0d29712a0174a7d18e157f3e2d5c63e4f0f7c1e1c12b69b5328b95f1e376bc43515dc4aea3fb8eb03366ddbd18f8f7abaa861ae0c025d65e5124ad3628bf3d8366324fe1c32eda1968bbde54499968d807eab3a24d6135f7a2f20980a814a1fad6362e1b0905273ad53c71c4a334157ed07cada1b08c0a9ba585ef1907f4bacc3284b4759d78b518f18e595416ca52400000000bdd1ab287064fa863a2f80f25115387fbccdea54805de08a81aaa8229d8e3da1a1ef71692de44ceebe7ef8456cdda9da4967a28f657dd2958b46dc392daa05d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0067ce2cdcc6da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{181DADC1-32CF-11EF-888E-CA4C2FB69A12} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000075326cba029fd440a778ebc78d32f37100000000020000000000106600000001000020000000137a3d6fe8171b04288002abc50768b351af0432ef8dffaa86587f3994d4cfc4000000000e8000000002000020000000e158f9155ee79e2f066ec139f70c1ce4ae8e0df19ec90a3a469ad4cdb6cb3a2e2000000050e7496207197aa4355370971c981d75b704b05b596d3f4ffef44ccfa51f2c3e400000006ccb308c40ac26bb87f1ff29722320f72a540dfd5e7a7f48b99968a766fbc7606fab61b8d49307c62b61e2166a4f422bfb7b843e091aad10fc6580b3efef44c6	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425466919"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2440	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2548	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2012	N.exe
Token: SeLoadDriverPrivilege	2548	TXPlatfor.exe
Token: 33	2548	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2548	TXPlatfor.exe
Token: 33	2548	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2548	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1532	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 2092	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	28
PID 1160 wrote to memory of 2092	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	28
PID 1160 wrote to memory of 2092	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	28
PID 1160 wrote to memory of 2092	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	28
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 1160 wrote to memory of 2012	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	31
PID 2012 wrote to memory of 2692	2012	N.exe	33
PID 2012 wrote to memory of 2692	2012	N.exe	33
PID 2012 wrote to memory of 2692	2012	N.exe	33
PID 2012 wrote to memory of 2692	2012	N.exe	33
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 2592 wrote to memory of 2548	2592	TXPlatfor.exe	34
PID 1160 wrote to memory of 2996	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	35
PID 1160 wrote to memory of 2996	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	35
PID 1160 wrote to memory of 2996	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	35
PID 1160 wrote to memory of 2996	1160	030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	35
PID 2692 wrote to memory of 2440	2692	cmd.exe	37
PID 2692 wrote to memory of 2440	2692	cmd.exe	37
PID 2692 wrote to memory of 2440	2692	cmd.exe	37
PID 2692 wrote to memory of 2440	2692	cmd.exe	37
PID 1992 wrote to memory of 2920	1992	svchost.exe	38
PID 1992 wrote to memory of 2920	1992	svchost.exe	38
PID 1992 wrote to memory of 2920	1992	svchost.exe	38
PID 1992 wrote to memory of 2920	1992	svchost.exe	38
PID 2996 wrote to memory of 1540	2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	39
PID 2996 wrote to memory of 1540	2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	39
PID 2996 wrote to memory of 1540	2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	39
PID 2996 wrote to memory of 1540	2996	HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe	39
PID 1540 wrote to memory of 1532	1540	iexplore.exe	40
PID 1540 wrote to memory of 1532	1540	iexplore.exe	40
PID 1540 wrote to memory of 1532	1540	iexplore.exe	40
PID 1540 wrote to memory of 1532	1540	iexplore.exe	40
PID 1532 wrote to memory of 1812	1532	IEXPLORE.EXE	42
PID 1532 wrote to memory of 1812	1532	IEXPLORE.EXE	42
PID 1532 wrote to memory of 1812	1532	IEXPLORE.EXE	42
PID 1532 wrote to memory of 1812	1532	IEXPLORE.EXE	42

C:\Users\Admin\AppData\Local\Temp\030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
"C:\Users\Admin\AppData\Local\Temp\030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2440
- C:\Users\Admin\AppData\Local\Temp\HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
  C:\Users\Admin\AppData\Local\Temp\HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259396933.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2920

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
6d939f91b9c3824b5abbe403ae4b1289

SHA1
b1e2bd94368a21718d4824ecaa29eaf82fb465e6

SHA256
d3b9678988789575f81a50b46e2798df383df8b8db0a9868a49128a5f6ebf5f5

SHA512
b52c4695abcbb3c502f02063bdf909edbaea5c1dea7241d65005161ae9a70bcb92a6eb163d987fbdababc6a016f53cffd9a71ca51cd377fa0f8f08cd9452825a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f91fc39a48527f8c2fdffdb5e9ce7f84

SHA1
e86b2ee431448d597993d4f4be3ad7ac9c024249

SHA256
673a69f204d13849e7550ef11f22e0d083b1ce739ed04eeb0d6b03d73f27e5a3

SHA512
83ba7b28e41f6566e0b771b987f844f773fd006c92eb772c4689fca5489df74731de0fb8d97d9fa1bbea038a9c1963347328553396492e064b5561c70eff8a76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62ab83635ead3d4ea57cc0c817abb936

SHA1
7904afde4e640bec6ee5bc7ac0f296a654047862

SHA256
43ada52ef5c8ebd97ab20edfb7eda9a5e331bb9650cb9e159d12e101ef1ddd3f

SHA512
de571c2cebbbff6b82d0919cb94d3cd9fbce36ba8c4787de3747c6f2ea9684ed6ac15afcbe9a7ff65f78fea346172c512cd0e457d85a23f6994c5d035a6189e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9b284cb64d1b117c8dc38d914e54586

SHA1
c7ebaf40f5fd93961df2bc9a1f6b4d527b2c2dff

SHA256
8cacc86fe1ad5a0e7c2d53683cc96ae8e6fdc8dbb91477c88b819485c09701e1

SHA512
d1a3cfad7bafb5c8107f4ba447b8ef5379d9f56aa6b114d8a2f9591ec54e55a113eec023ea28d880b22f4b015007c5189b1a1f4783ed36bf9165b8daab30b7ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb372cb1a14e2b2f43952f5017bc026f

SHA1
19090b4d708452d72c2fc4ffdd97d21290d166ef

SHA256
1a5099f93eeefae47414434209ad352d7aef082166affac7b392d1a8f09dc083

SHA512
1837969bc8932169b135ff5f27fb13362ad586f3956fdf6a4003f89869ecfab3024c63551e3160461317148692930223b7408b31810441c5bf744fe2a9cac59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1459a211de0d2b01d63f056f3171b677

SHA1
dde577b41a78c7deca84708cd33a52ed2754eefb

SHA256
0207818a2ef47623bfd0923d281f255f21f3489ee0d9068e22194ce86ffab692

SHA512
2469f79a385d8fcec213938f321e3c276ec4926fbb9253391bbadd93dc92e5ec9ef9de958d651b82c079864154c6c889650c07a5bc783ff7872f94f170915e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
490bf49e6122363c9ee179fcd69beb25

SHA1
870c0faa4e878dbd4041fec85a5ff7e0f8cf4a8a

SHA256
37ce974e08a45796731d5ca698d731f94555ff7c047bb07de84784031e06552f

SHA512
d510a5f02158e505a49d97fa1783b6353b06a614debf66a88a27191b5167f52c3047aaaaaf325889ca762ee4cde97bbdfa8f126915a6b19704a563cf1657d582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e630f5818bcb62afb7c9944ebdeb0d0

SHA1
318cc572b89d4bf6047f952db0fd7e812b552566

SHA256
93982fb0c57687905eb3709af26d530d03c2eec7b239b79f254696b75ca460e1

SHA512
e7e96d8e803b7e4d36417185b66dc9ce3175b9b723d68a4f3da500eaa059ff1165bc89ec0544d1eea812fadf40f68a06b1a85504defc481fab36d4ffaa1ca5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bce91232fe0ede259cb51de1e1cf213d

SHA1
999abe3260f7aec0d792c95ebeb3b2fd9aedfe35

SHA256
661e702b7bfbacdbef0cce812ca595e770f41513935c62bf4777025ccc4814ee

SHA512
dcdc9f0c216ab728d8c089d0ff9d3b59c6f915c557086433cfe2c01cbdb424842bbf749d3214dd2935683cb438a09829bdfa32705a1914c1275673bafdfafc66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39d279c33ebbaed0671bc9e4ff24994d

SHA1
582ea5b72df238a9fe0f2ab0dc4a76f3ea751d2d

SHA256
a4373c709f652fd7bd99be98072efd2b35cf2a57ba314f39d861d858315f6885

SHA512
6d3f4cc20af348f93c9881cc44ce114d637178445993152f479b9f4ced69df993aa328eba12c3e1c16315e21fc50c92aca3a86d9b518149cd9dac63ebf7e3859

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
106eba0884a51f02a5f3f0a5c34e2111

SHA1
1bc2841a185b101a55ad78d57e0f11356d0568f7

SHA256
8de50358361482d33857ee4c9fbf211f9111094865c247acc4f0a70a35af45c7

SHA512
cb92879a1c6bb4bed05cd881db4f5303a8f9e60c7e47fd1da10c1ca56546da53f6b596b1ab7c9140e9905c08ccde01781eb0f520b29b15fdd42739d81b38a2d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e9f637b33a08699420d24fac39728ff

SHA1
25184cbc728424bd90749e093d3ae4a29d494fce

SHA256
f94f9af5e58d82183edf49bc14f1aba19dabfe1e16cfa8c38f108ca7133fcf28

SHA512
13e367816f97eed148f3f6b8c231dd68ea4c2aa2e670d2a25bae443228d991d5172f29b7b988cda324341a7fa9ab1ee95e754a3fa6b4d45ad652ad7012944256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d908ccdbc99fb1e19beafc3fab897f99

SHA1
3a0694a48521aa7538900e194038cd1172e07fe9

SHA256
a2315a98640d82788a75dbce32349c4649eabcadf07326e0f9bec7262c81cd4a

SHA512
17a087634320a2e35ef80763d0775466e8ee9d959fe91e08b22e5c78fcea3d12d8d501fc814a27d5a3b699cc8d75ed2908f3698e1bcd7c087e8b62fd83d9b553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
381f5a83ec4078c9eb2fe176f1707592

SHA1
a51f2607c227a3328e41b7cd12e98a7c27063f7a

SHA256
86e355486818e6a2981faaae8691ce0d91b023fe3228308f7cd8c111924881c5

SHA512
9b69d2dddda9f7fedd6de56a08ceb4701f8529966805e3e2abe0a52b19bca419d6f59e02911b480bc2eb53ae3785ed9e53c4a1947fc70f5675b8c1fc23d79fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a215ce4399cbd5958d01efe12ca3c456

SHA1
00583f467f9180bc3b9bbc3714daa4f5ceafb2db

SHA256
fec4376aa2f6925bf21b2f88f12f8d867b7411d90b5f9ed13aed31c432233d91

SHA512
141d8be24b08b3bc5215ba1d84582c844395e42ee27e659b85c3e6fa2c0f4133dc3d7c8a3bf36ab8b7a7459360f469fc35b92eaf315bc8b0b4ad54bc5b5bdad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc98ffe496f8790d37c3df91473d7cca

SHA1
3a2fa506ff2de27b1e88a4d18807c9449c3d8308

SHA256
318ea8836ba23fa4890f510d34ddb5ca32506f3c79b2ab61481916ad32cc0d36

SHA512
d03ac9273d3d19d2f0eff0912c775b89d8b728935251f56c88e02fdb736f1d4871da2950f06cd6222ae27b427fc9c53ee545e184a58b2a68aa92ef41e4f5b485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85f9c9a224d05b5466ea5a82b43ffdf9

SHA1
c931371f826b729cb4536c1b6327476e31575efe

SHA256
80c1ffd0357f176818fc2bfc52822f5fef07a882dab843901982d247dec3c87b

SHA512
d79bf20e707e9fbe8cea3eeed712298258f129154cc91089e15b66090e8dfbe112cd125c270164453e3f73e86aa75f32b9f3bd82d68eb2de0cdd44a21c2ef0b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ee1d4a2f98901c9d1d34d99f1c12b43

SHA1
598b87016f4821a4e549ecc43e3dbf67b16a37f4

SHA256
c3dac4819cfc3a3fff34d546123753343097245081074085770c66ac8975a702

SHA512
c3d2926dfec58b43b39d02b0e0e99a9eb06d4ffb9007e98e4cc98929ee36228db97f756f0aa9eb22e7ac656fad1614f6d02763538558f43c01e8189a61c1d8dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca17ee4652afe9c47b6ebc182f0ea63c

SHA1
8e6aeeb4beaeab28ac6181ba5ec1b5de3e5ef78a

SHA256
23d4871a5f4d7cf7bb26bccd7652a77fe551e277d105f2c0826f98c355b86b1f

SHA512
691dba2477263f41982b836489eaaa3a7581382671d59e7c86690f484a6dd998baa7ceeb066160f7c429a558a69d79fc345f5ecfc4fa814448888a9c46ad9e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1620ac64b8aee4d231a954acbd980288

SHA1
022a4df4517f81e4286143b1e5aa8af7f186965d

SHA256
63ee54d3f63384d776488dcaba22a4edf7578d641ef274f8beae9bd7e25493ae

SHA512
4bd90ec732f7d6eb29d9b84fe3f389418f68d46d22453b48ca78e7344c8d3a7462e534fbb06ec09eee32f08e1b2e315089ebdd974ee80ad70107768e5faf1c7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1485188ac9207c061ee9bb49b4d102fe

SHA1
8cc3004a0d7b025a19a92e8ac279b94610d0c2c6

SHA256
b3cb5555a01481300f6cf0455fde072797deef76e7e6f5d3918b49da825a9339

SHA512
76da1164593f9f37c0a40958c30cc7f4ba3fd1627d65f2d3e79094d5767613b3b907e2a8125ce04a0356d08b4e442953210dfc3046b282061ce3b80c6141bb1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3258.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_030b594ba77fb0dce11b04c109579d74604055d9164d6e4243e475e7c58adfd0.exe

Filesize
2.4MB

MD5
b9823da79874c50c85acf9d277ce564e

SHA1
625e23ff610ab2df1f8b2c4c16662733a63c9642

SHA256
a3d95c0781699c555e9173d138b70cda11674a02fbfdf35930d7595a61824716

SHA512
67f69329d7ffe387b58ac319b8a5db3f5e8f19e99c7fff8ebe53cb786f31a9a4cc5ca64a6f7a6b39a76e0df4b892e680e28db533782529e7234d3cdd456406a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.7MB

MD5
93ba2a5b0a638efe2866ca535170d9fd

SHA1
bd381c24139b0f46ed92b1b8e4832d4f252c5e0b

SHA256
974adc749478ecfbf6c3f4b6c5534cb7328b0f8fac0485b4ba4e0468a6dc43b6

SHA512
f0d1e09237d24904e0aad817c5d9260076c3735365cdc5048d7a612485c152e7c37824c222d4e6e03edb06d9c05733553a2d5042b84a52bf29b98d291cc14522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259396933.txt

Filesize
899KB

MD5
984b94121d0013291a1827885cacf71f

SHA1
a02472b74a4c60512bdcca925e8625fe7610ba53

SHA256
6ac0d3d746c224d37303eafd5871dcfd59246788ad22ebaa1cb85d0cc54fc08c

SHA512
e0d1b54586fad22efe41d13dc2b09713f2438a7ba4b915296c6b95c312f94ebb41b44615e6b459f8faaa07138f1ec8689b1b22830f76a6e48477a756815ecfa6

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2012-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2012-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2012-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-48-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2548-50-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download