Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 25-06-2024 18:30
Static task: static1
Behavioral task: behavioral1
Sample: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
Resource: win7-20240611-en
General
Target: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
Size: 2.5MB
MD5: df6e20a3b560561073b83bc05cbeb887
SHA1: 9339e837a6d81aad730e65d248158bac1230525b
SHA256: aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3
SHA512: cde38d8eebda77d2c1ca24e60326726a7d6385a898bbcbda7f86a43e499dc8c2f64ef6d012587c0413f37f2cfbcfa2aad08260ea156e22a170068fd14b0350bd
SSDEEP: 24576:eQZoidOTdVZinacCET9Ecl1erdg0MCiVWhFU7cVPJtq4CdEXMdIQweYA/qV05N:eQZAdVyVT9n/Gg0P+WhoS9CdEXreDCqb
Malware Config
Signatures
-
resource | yara_rule
behavioral1/memory/2560-7-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2560-9-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2560-8-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2128-18-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2128-27-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2776-36-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2776-34-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2776-33-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
behavioral1/memory/2776-79-0x0000000010000000-0x00000000101B6000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 10 IoCs
resource | yara_rule
behavioral1/memory/2560-7-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2560-9-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2560-8-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2128-18-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2128-27-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/files/0x0009000000015ca2-29.dat | family_gh0strat
behavioral1/memory/2776-36-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2776-34-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2776-33-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
behavioral1/memory/2776-79-0x0000000010000000-0x00000000101B6000-memory.dmp | family_gh0strat
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | TXPlatforn.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259418134.txt" | svchos.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | TXPlatforn.exe
Executes dropped EXE 7 IoCs
pid | Process
2560 | svchost.exe
2128 | TXPlatforn.exe
2628 | svchos.exe
2776 | TXPlatforn.exe
2496 | HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
1268 | Process not Found
1136 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
Loads dropped DLL 8 IoCs
pid | Process
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
2128 | TXPlatforn.exe
2628 | svchos.exe
2504 | svchost.exe
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
2504 | svchost.exe
1136 | Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
resource | yara_rule
behavioral1/memory/2560-5-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2560-7-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2560-9-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2560-8-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2128-18-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2128-27-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2776-36-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2776-34-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2776-33-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2776-31-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
behavioral1/memory/2776-79-0x0000000010000000-0x00000000101B6000-memory.dmp | upx
Drops file in System32 directory 6 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\259418134.txt | svchos.exe
File opened for modification | C:\Windows\SysWOW64\ini.ini | svchos.exe
File created | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe | svchost.exe
File created | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TXPlatforn.exe | svchost.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
File created | C:\Program Files (x86)\Google\Chrome\Application\chrome.exe | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0873fd42dc7da01 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD1A7BA1-3320-11EF-B848-DEDD52EED8E0} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425502094" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000a2787f481653274b90c47e9954861bb81d474db2cdea4ac5a1f09b57020455ef000000000e8000000002000020000000acbf4ed8d619133f9e4ce32b16778a10d9f7716c179491ff2541da0f3f0c0d7090000000f14662084caeacf42aaa6c7a58c3b6b6c05bd7f843e207e01a757f77f8d9cbd5019403aa73efc569a93f793840d7e57f484622eeb92f4edb16ed6d6da4b27f4619520befa5b9c6c4d415942ed34af578a6f6bc4cc1755ddcdc5734a6008a87224a95539b658666cbbc8ffcf29c86d31de011de9cf6daa111831e219f304a1457c2d959cd8ccf0344a96500bfca1b5e6a400000006fcfe3e0c8fddcb3cd0887b92567ebd4f29d775d4587cf9e9ccb3bef7456cfd791366b220542b28c27e2f6a306997c32b2fc148f0a32040f48c6d320e35f13da | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000096714a9cd8e3f0134cf875843fa2ca9dff301cd0a927890e5a68526aa73e1a3f000000000e8000000002000020000000a4644dfcce0f3d077c81fe5b1429f33100fd2fe5d5f6480431283c038ccd6fed20000000ce6de44318977ab287e4d489e25de10c4018f951ad9ab2e642a5741997d595a0400000005bb4d0cbd68ff53f4617f083990f44dcf186fd17ce71b6093d5335f429c66eb3433c3ef84edefa219186ea87af02aa018740bcd1291c8803a8faa50d97630b42 | iexplore.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2596 | PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2776 | TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2560 | svchost.exe
Token: SeLoadDriverPrivilege | 2776 | TXPlatforn.exe
Token: 33 | 2776 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2776 | TXPlatforn.exe
Token: 33 | 2776 | TXPlatforn.exe
Token: SeIncBasePriorityPrivilege | 2776 | TXPlatforn.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1716 | iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs
pid | Process
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
1716 | iexplore.exe
1716 | iexplore.exe
1544 | IEXPLORE.EXE
1544 | IEXPLORE.EXE
1544 | IEXPLORE.EXE
1544 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 41 IoCs
description | pid | Process | procid_target
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 1200 wrote to memory of 2560 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 28
PID 2560 wrote to memory of 2736 | 2560 | svchost.exe | 30
PID 2560 wrote to memory of 2736 | 2560 | svchost.exe | 30
PID 2560 wrote to memory of 2736 | 2560 | svchost.exe | 30
PID 2560 wrote to memory of 2736 | 2560 | svchost.exe | 30
PID 1200 wrote to memory of 2628 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 32
PID 1200 wrote to memory of 2628 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 32
PID 1200 wrote to memory of 2628 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 32
PID 1200 wrote to memory of 2628 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 32
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 2128 wrote to memory of 2776 | 2128 | TXPlatforn.exe | 31
PID 1200 wrote to memory of 2496 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 36
PID 1200 wrote to memory of 2496 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 36
PID 1200 wrote to memory of 2496 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 36
PID 1200 wrote to memory of 2496 | 1200 | aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 36
PID 2736 wrote to memory of 2596 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2596 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2596 | 2736 | cmd.exe | 37
PID 2736 wrote to memory of 2596 | 2736 | cmd.exe | 37
PID 2504 wrote to memory of 1136 | 2504 | svchost.exe | 39
PID 2504 wrote to memory of 1136 | 2504 | svchost.exe | 39
PID 2504 wrote to memory of 1136 | 2504 | svchost.exe | 39
PID 2504 wrote to memory of 1136 | 2504 | svchost.exe | 39
PID 2496 wrote to memory of 1716 | 2496 | HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 40
PID 2496 wrote to memory of 1716 | 2496 | HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 40
PID 2496 wrote to memory of 1716 | 2496 | HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe | 40
PID 1716 wrote to memory of 1544 | 1716 | iexplore.exe | 42
PID 1716 wrote to memory of 1544 | 1716 | iexplore.exe | 42
PID 1716 wrote to memory of 1544 | 1716 | iexplore.exe | 42
PID 1716 wrote to memory of 1544 | 1716 | iexplore.exe | 42
Processes
C:\Users\Admin\AppData\Local\Temp\aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe (PID 1200)
    command line: "C:\Users\Admin\AppData\Local\Temp\aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe"
    signatures: Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2560)
        command line: C:\Users\Admin\AppData\Local\Temp\\svchost.exe
        signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 2736)
            command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\svchost.exe > nul
            signatures: Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\PING.EXE (PID 2596)
                command line: ping -n 2 127.0.0.1
                signatures: Runs ping.exe
    C:\Users\Admin\AppData\Local\Temp\svchos.exe (PID 2628)
        command line: C:\Users\Admin\AppData\Local\Temp\\svchos.exe
        signatures: Server Software Component: Terminal Services DLL; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
    C:\Users\Admin\AppData\Local\Temp\HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe (PID 2496)
        command line: C:\Users\Admin\AppData\Local\Temp\HD_aac8ce08e78b115ab925fd1db1885986e262d7ec92c176a2133ec6317a912bc3.exe
        signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe (PID 1716)
            command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
            signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1544)
                command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:2
                signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\TXPlatforn.exe (PID 2128)
    command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\TXPlatforn.exe (PID 2776)
        command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
        signatures: Drops file in Drivers directory; Sets service image path in registry; Executes dropped EXE; Suspicious behavior: LoadsDriver; Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\svchost.exe (PID 2512)
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
C:\Windows\SysWOW64\svchost.exe (PID 2504)
    command line: C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
    signatures: Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe (PID 1136)
        command line: C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259418134.txt",MainThread
        signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads