Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/06/2024, 11:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
- Resource: win7-20240508-en
General
- Target: 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
- Size: 7.9MB
- MD5: 8fb60aacdbae702cef6c315966ef338c
- SHA1: 4935d60a2ee95ddb9c807a52a9d98c28f1331790
- SHA256: 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294
- SHA512: 096e57960aa0c66426555e0899f3ad7c095abc757d136ff5bcf14c5e692a4e6f51a565ddea23dfdd22002bb206e26a3235ee996be29b2112ee7ac6467221e437
- SSDEEP: 196608:fWT9nO7WymnHhWAwJOwDuEwUdMDSOyIN9fhjtTYIYYmKL+cqCf4J:V7BUWAwJOEujUdM2OyG9VtUIYdHY8
Malware Config
Signatures
- purplefox_rootkit (yara rule, 10 IoCs)
  resource | yara_rule
  behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
  behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
- Gh0st RAT payload 12 IoCs
  resource | yara_rule
  behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/files/0x00080000000234ce-36.dat | family_gh0strat
  behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
  behavioral2/memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
- Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
- Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240618109.txt" | svchos.exe
- Sets service image path in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
- Checks computer location settings 2 TTPs 8 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | HD_msedge.exe (8 identical entries)
- Executes dropped EXE 24 IoCs
  pid | Process
  1848 | svchost.exe
  4620 | TXPlatforn.exe
  516 | svchos.exe
  4612 | TXPlatforn.exe
  3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  2468 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  2032 | msedge.exe
  2308 | svchost.exe
  4808 | TXPlatforn.exe
  4584 | TXPlatforn.exe
  4508 | svchos.exe
  4192 | HD_msedge.exe
  4724 | HD_msedge.exe
  3436 | HD_msedge.exe
  1704 | HD_msedge.exe
  5036 | HD_msedge.exe
  3628 | HD_msedge.exe
  3748 | HD_msedge.exe
  4408 | HD_msedge.exe
  1620 | HD_msedge.exe
  2688 | HD_msedge.exe
  4140 | HD_msedge.exe
  3748 | HD_msedge.exe
  4640 | HD_msedge.exe
- Loads dropped DLL 3 IoCs
  pid | Process
  516 | svchos.exe
  4492 | svchost.exe
  2468 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- upx (yara rule, 13 IoCs)
  resource | yara_rule
  behavioral2/memory/1848-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/1848-6-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/1848-10-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/1848-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4620-15-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4620-16-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4620-13-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4620-17-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4612-38-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4612-43-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4612-42-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4620-29-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
  behavioral2/memory/4612-25-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HD_msedge.exe
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
- Checks system information in the registry 2 TTPs 2 IoCs
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | HD_msedge.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | HD_msedge.exe
- Drops file in System32 directory 6 IoCs
  description | ioc | Process
  File created | C:\Windows\SysWOW64\240618109.txt | svchos.exe
  File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
  File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
  File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
- Drops file in Program Files directory 7 IoCs
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe | msedge.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | HD_msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | HD_msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | HD_msedge.exe
- Runs ping.exe 1 TTPs 2 IoCs
  pid | Process
  1828 | PING.EXE
  2276 | PING.EXE
- Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid | Process
  2128 | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (2 entries)
  3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (4 entries)
  2032 | msedge.exe (2 entries)
  1704 | HD_msedge.exe (2 entries)
  4192 | HD_msedge.exe (2 entries)
  3576 | identity_helper.exe (2 entries)
  4640 | HD_msedge.exe (4 entries)
- Suspicious behavior: LoadsDriver 1 IoCs
  pid | Process
  4612 | TXPlatforn.exe
- Suspicious use of AdjustPrivilegeToken 7 IoCs
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 1848 | svchost.exe
  Token: SeLoadDriverPrivilege | 4612 | TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege | 2308 | svchost.exe
  Token: 33 | 4612 | TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege | 4612 | TXPlatforn.exe
  Token: 33 | 4612 | TXPlatforn.exe
  Token: SeIncBasePriorityPrivilege | 4612 | TXPlatforn.exe
- Suspicious use of FindShellTrayWindow 29 IoCs
  pid | Process
  3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (4 entries)
  4192 | HD_msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage 27 IoCs
  pid | Process
  3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (3 entries)
  4192 | HD_msedge.exe (24 entries)
- Suspicious use of SetWindowsHookEx 5 IoCs
  pid | Process
  2128 | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (2 entries)
  3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  2032 | msedge.exe (2 entries)
- Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2128 wrote to memory of 1848 | 2128 | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe | 88 (3 entries)
  PID 1848 wrote to memory of 3904 | 1848 | svchost.exe | 90 (3 entries)
  PID 2128 wrote to memory of 516 | 2128 | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe | 91 (3 entries)
  PID 4620 wrote to memory of 4612 | 4620 | TXPlatforn.exe | 92 (3 entries)
  PID 3904 wrote to memory of 1828 | 3904 | cmd.exe | 97 (3 entries)
  PID 2128 wrote to memory of 3148 | 2128 | 150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe | 99 (3 entries)
  PID 4492 wrote to memory of 2468 | 4492 | svchost.exe | 102 (3 entries)
  PID 3148 wrote to memory of 2032 | 3148 | HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe | 105 (3 entries)
  PID 2032 wrote to memory of 2308 | 2032 | msedge.exe | 106 (3 entries)
  PID 2308 wrote to memory of 2160 | 2308 | svchost.exe | 108 (3 entries)
  PID 4808 wrote to memory of 4584 | 4808 | TXPlatforn.exe | 110 (3 entries)
  PID 2032 wrote to memory of 4508 | 2032 | msedge.exe | 109 (3 entries)
  PID 2032 wrote to memory of 4192 | 2032 | msedge.exe | 112 (2 entries)
  PID 4192 wrote to memory of 4724 | 4192 | HD_msedge.exe | 113 (2 entries)
  PID 2160 wrote to memory of 2276 | 2160 | cmd.exe | 114 (3 entries)
  PID 4192 wrote to memory of 3436 | 4192 | HD_msedge.exe | 116 (21 entries)
- System policy modification 1 TTPs 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection | HD_msedge.exe
Processes
(Indentation shows the process tree; the bracketed number is the depth level reported by the sandbox.)

[1] C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (PID 2128)
    Command line: "C:\Users\Admin\AppData\Local\Temp\150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 1848)
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 3904)
        Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE (PID 1828)
          Command line: ping -n 2 127.0.0.1
          - Runs ping.exe
  [2] C:\Users\Admin\AppData\Local\Temp\svchos.exe (PID 516)
      Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
      - Server Software Component: Terminal Services DLL
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
  [2] C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe (PID 3148)
      Command line: C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2032)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dl.ludashi.com/ludashi/ludashisetup.exe
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2308)
          Command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe (PID 2160)
            Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\PING.EXE (PID 2276)
              Command line: ping -n 2 127.0.0.1
              - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\svchos.exe (PID 4508)
          Command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
          - Executes dropped EXE
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 4192)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Checks system information in the registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 4724)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0x104,0xd8,0x108,0x7ffbb46e46f8,0x7ffbb46e4708,0x7ffbb46e4718
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 3436)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 1704)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 5036)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 3628)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 3748)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 4408)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 1620)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1940)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3576)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 2688)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 4140)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 3748)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
            - Checks computer location settings
            - Executes dropped EXE
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe (PID 4640)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2076,10122536472111656478,15163091394555182433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3120 /prefetch:2
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\TXPlatforn.exe (PID 4620)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\TXPlatforn.exe (PID 4612)
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      - Drops file in Drivers directory
      - Sets service image path in registry
      - Executes dropped EXE
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\svchost.exe (PID 1400)
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"

[1] C:\Windows\SysWOW64\svchost.exe (PID 4492)
    Command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (PID 2468)
      Command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240618109.txt",MainThread
      - Executes dropped EXE
      - Loads dropped DLL

[1] C:\Windows\SysWOW64\TXPlatforn.exe (PID 4808)
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\TXPlatforn.exe (PID 4584)
      Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
      - Executes dropped EXE

[1] C:\Windows\System32\CompPkgSrv.exe (PID 2356)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe (PID 220)
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Downloads
- Filesize: 3.2MB
  MD5: ad8536c7440638d40156e883ac25086e
  SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
  SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
  SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
- Filesize: 4.6MB
  MD5: 01f13bef7c609877bfe41cfe897c2c67
  SHA1: 774f5a99e8c3aeaf9ebda42ed3deaa9912eddb3e
  SHA256: 6046fcdffb537c10086c640b0e596b59063d121b8907e8d9852c6744d3e911e5
  SHA512: ff4b8a4ad71a325ea5d200f153917765867e9e2d13789ef44bd2919a537d22f993edc74e8c5c5479da588495eeb12fa7978e47690baabcf7d6ef081e4a770a98
- Filesize: 152B
  MD5: 4819fbc4513c82d92618f50a379ee232
  SHA1: ab618827ff269655283bf771fc957c8798ab51ee
  SHA256: 05e479e8ec96b7505e01e5ec757ccfe35cb73cd46b27ff4746dce90d43d9237c
  SHA512: bc24fb972d04b55505101300e268f91b11e5833f1a18e925b5ded7e758b5e3e08bee1aa8f3a0b65514d6df981d0cbfa8798344db7f2a3675307df8de12ae475b
- Filesize: 152B
  MD5: 257c0005d0c4d0bb282cb470925e4376
  SHA1: f9b8efb511ed64292568977c9f2ec255509e8f7d
  SHA256: 8185c36aaacfc71e42f94fad8e198fe7fb2d868398ceabb89261cae94341cb22
  SHA512: 2f3e8f352ed3ef88e8c28650390f93f98c92174d268330b886f3ebd1ba0163999051298ee12a054606b4986005452a241c6864cd292e69492d79c37d500556f4
- Filesize: 5KB
  MD5: 87a58afc183bb74a0f091dd73e07f5fc
  SHA1: 653ca49d59114b3f212f89747967b663684c9c09
  SHA256: 006366253aa50bd7222362e0e04d1968a223c11f6bbbf0cc83a7b1e4847c1a9d
  SHA512: 75982f24df293d62b6ef2d99e67d39470aad202f9ef7a96b8ef3d1e0c54c952a6dcd193be1aa59f0cf19ec2c16621821a1d2227039fb14aee6df1a024d874c2b
- Filesize: 5KB
  MD5: aab8bec4fc51925c0e66d0bfa0506c8d
  SHA1: ade3e89b9c31bd02c787a6035f37543ec1cc53a1
  SHA256: e1d3391b16bb429aa38eac023d6d05fff0a66bb5420a93ab85a38524e35b7ec6
  SHA512: bdfa3484287acb4546df155c87481822a75e2ba365d897d120b4866986382c059cffc5b98c4f60aca88ecad7d6edb587b987570ea973e48d404141cb663a1ada
- Filesize: 24KB
  MD5: 95cd1581c30a5c26f698a8210bcab430
  SHA1: 5e8e551a47dd682ec51a7d6808fe8e0f2af39e86
  SHA256: d58162c5ae5e18fc06604c285e024c01686093d70994dc93b4ae9d85b4c3f7b9
  SHA512: e49403df10177053634c431203a91d26df5dfb23cbbb88847459ecdf4b6107040d0944a3e84ee6bb26cb4e8017a35c8c31b658387cd1b6938ba4cb9f59606ece
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: b4c0fe93c53093ae2b6b266e8941754f
  SHA1: fa43b8d37b25bd66cd41ba7a29a999555a333fb9
  SHA256: de6c7548ba1f2913dd7feaaed96b78bad3bf41bbd6c5c8ad9ba055d4eb3c51bd
  SHA512: ba7d9d2b34b87d111d48379dbb732693e87c1110715cbe8c16711ae9e6466d5a4ae3a8e478938375e519dff191574b5abc5bd0ce734ababf2beff2a2283c9483
- C:\Users\Admin\AppData\Local\Temp\HD_150a83836ed6a4b133e9486b39ad55841f5aac6a43806d1cfae89032b135c294.exe
  Filesize: 6.4MB
  MD5: 433333d95590d6987cd2255701e0974c
  SHA1: 7a15a5d3dd68d8a3ff1b5ce0742ba8da0618bc07
  SHA256: dbef829a072c41161020cf3f7b10754ee73071ed09e77ed3b7f8b9843d1dfd3b
  SHA512: e420b2a6201b4a29974ad236491506501b8eec81d710ce20a9e55328085ed848d452e87f7d73dbf1320928f52bf8f094f40883614451f9f058c0c51150444dd4
- Filesize: 1.5MB
  MD5: 272bedf8d490dba91c7657b955d61c22
  SHA1: 529cd24a7bba3d88948619763f549e6e85f2b8e8
  SHA256: 0822eae1f2e85712b1c3afb7e37bffd34262b0207c409ccbe89173e9e9bd7465
  SHA512: e42f270eb4cc35041cef3d6ed4bf713abbcdb741d2514f28fefd98787828b6be788b91a4487187ed36fa4725b45de87573a42f5421a73d36b3794506ab35c58b
- Filesize: 93KB
  MD5: 3b377ad877a942ec9f60ea285f7119a2
  SHA1: 60b23987b20d913982f723ab375eef50fafa6c70
  SHA256: 62954fdf65e629b39a29f539619d20691332184c6b6be5a826128a8e759bfa84
  SHA512: af3a71f867ad9d28772c48b521097f9bf8931eb89fd2974e8de10990241419a39ddc3c0b36dd38aac4fdf14e1f0c5e228692618e93adce958d5b5dab8940e46f
- Filesize: 377KB
  MD5: a4329177954d4104005bce3020e5ef59
  SHA1: 23c29e295e2dbb8454012d619ca3f81e4c16e85a
  SHA256: 6156d003d54dcf2ee92f21bd6e7a6a7f91730bd2804381260bcabe465abe6ddd
  SHA512: 81e9d456a4abfc7cd9e0943d4a0ce15523362c3179f3368381d1d7974f80a9f9113b5404b96e67e91684e0ea1895b7d0073e4c48d0bfc4fd0244b1af6acf0208
- Filesize: 50KB
  MD5: fc928b3ff6b0dfb30b0bb48b1a7d9e5b
  SHA1: 3d8462a2ccb344a74f3c6d88d1cfb7ce06507cae
  SHA256: 498b6b6b17b98fa2e0d232a4cc53e1d7e864b9546044975344238cadb3b208e3
  SHA512: 35f7855253f1d5debcc1e9e09c6584c343e09df357e9520e24c1c2a8adb36f240351edf7b7203983c42067128b12aded46f72de72637ba39c533c94549ef6c71
- Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641