gh0strat | 1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
Size

2.6MB
MD5

64fa4f825428c9be5e9a2809d5c2bb06
SHA1

55918462460a1c26605ebda89ef0f53ad6245559
SHA256

1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e
SHA512

df936628aaf2f1caaa9c961d472bee9e052790c84ab12cd14bfeb77e98564aed787c74abf82ca795f5441f71a6c663109813513014ac09e4f72c4476a89d204a
SSDEEP

49152:/09XJt4HIN2H2tFvduySnh+XGwv2tP1zTPADnWPMklKu8bi4O8b8ITDnl13S:MZJt4HINy2Lknh+Wwv2tP1PPknK

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 10 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3236-15-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3236-16-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3236-17-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2228-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2228-30-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3236-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/2228-41-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3236-15-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3236-16-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3236-17-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2228-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2228-30-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3236-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/2228-41-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

Executes dropped EXE 5 IoCs

pid	Process
4836	RVN.exe
3236	TXPlatforn.exe
3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
2228	TXPlatforn.exe
1700	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-4-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3236-15-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3236-16-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3236-13-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3236-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2228-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2228-30-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3236-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/2228-41-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RVN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatforn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4856	cmd.exe
2336	PING.EXE

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2336	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2228	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4836	RVN.exe
Token: SeLoadDriverPrivilege	2228	TXPlatforn.exe
Token: 33	2228	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2228	TXPlatforn.exe
Token: 33	2228	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2228	TXPlatforn.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 596 wrote to memory of 4836	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	84
PID 596 wrote to memory of 4836	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	84
PID 596 wrote to memory of 4836	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	84
PID 4836 wrote to memory of 4856	4836	RVN.exe	88
PID 4836 wrote to memory of 4856	4836	RVN.exe	88
PID 4836 wrote to memory of 4856	4836	RVN.exe	88
PID 596 wrote to memory of 3612	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	89
PID 596 wrote to memory of 3612	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	89
PID 596 wrote to memory of 3612	596	1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	89
PID 3236 wrote to memory of 2228	3236	TXPlatforn.exe	90
PID 3236 wrote to memory of 2228	3236	TXPlatforn.exe	90
PID 3236 wrote to memory of 2228	3236	TXPlatforn.exe	90
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93
PID 3612 wrote to memory of 1700	3612	HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe	93

C:\Users\Admin\AppData\Local\Temp\1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
"C:\Users\Admin\AppData\Local\Temp\1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596
- C:\Users\Admin\AppData\Local\Temp\RVN.exe
  C:\Users\Admin\AppData\Local\Temp\\RVN.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4856
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2336
- C:\Users\Admin\AppData\Local\Temp\HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
  C:\Users\Admin\AppData\Local\Temp\HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe
    "C:\Users\Admin\AppData\Local\Temp\HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe" --channel=3612.0.1560338888 --type=renderer
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1700

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\TXPlatforn.exe
  C:\Windows\SysWOW64\TXPlatforn.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_1db467fa9dbac60064321f8f98cc08a8155edcba8a0e5480e35ae793d5237e6e.exe

Filesize
1.5MB

MD5
7a97aa40d8a3da4a9095873c72d524c5

SHA1
d219db66995e0548ea1226cb1806388b1ac718f7

SHA256
00d2ce2c35e8f2d31c2a8778c6e8846be3d1467cd1e66aa494571a14dea0e4d1

SHA512
16de6e0fdda9ebd7de996e97f73d9fad661c947320b604e5aafdcde50ee4582b1b07da98233b12dc76c464abe2104323c056b1ab477532ee10f5117cb03aa90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
1.1MB

MD5
dfad2d59f25e1024166efe78e5cd8e92

SHA1
de73e2d1f149471a625b7ff2c55b44e416b97e07

SHA256
9a06d6dc6273f7063ec90ad32cedcb22278b9664b2590f0b2b13660df37f8a32

SHA512
e6da83c23cf09bcbc0cff57c424c1222554461941ace3cf1c3e8433033387a6435df4a058ca1427ca8264d9dc7ddf197e1ca479367c5a605bfad2f7ed7727462

Download Submit
C:\Users\Admin\AppData\Local\Temp\RVN.exe

Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2228-41-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2228-30-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2228-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-16-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-13-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-15-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3236-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-4-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-10-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4836-6-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download