gh0strat | 70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Size

3.5MB
MD5

54ed5a6a3beeefa7f4868f08393a08d8
SHA1

3b24098dc86668c29a16a5b69cc44e1923b8e72c
SHA256

70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79
SHA512

e20d8b0f965ef957c82bee92aefeca58447f5b09ec55445a678078ce62e034dbcd27e60adb396cf4f03037a977da63e1678d27a6d3dd9c5e46f399538618884d
SSDEEP

98304:Rws2ANnKXOaeOgmhNFFFehladBZkg6YBhFFFOhKMdS:DKXbeO7zFFF8ladBxFFFsKMdS

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 8 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4492-19-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4492-23-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/4492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3444-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3444-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3644-39-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3644-43-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral2/memory/3644-44-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023caa-5.dat	family_gh0strat
behavioral2/memory/4492-19-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4492-23-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/4492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3444-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3444-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3644-39-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3644-43-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral2/memory/3644-44-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\240628437.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 6 IoCs

pid	Process
2892	R.exe
4492	N.exe
3444	TXPlatfor.exe
3644	TXPlatfor.exe
3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
2624	Remote Data.exe

Loads dropped DLL 3 IoCs

pid	Process
2892	R.exe
3612	svchost.exe
2624	Remote Data.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\240628437.txt	R.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4492-19-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-23-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-17-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/4492-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3444-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3444-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3444-27-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3644-39-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3644-43-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral2/memory/3644-44-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4432	cmd.exe
1152	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1152	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
3644	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4492	N.exe
Token: SeLoadDriverPrivilege	3644	TXPlatfor.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: 33	3644	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	3644	TXPlatfor.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
Token: SeDebugPrivilege	3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
3120	HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 2892	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	84
PID 3676 wrote to memory of 2892	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	84
PID 3676 wrote to memory of 2892	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	84
PID 3676 wrote to memory of 4492	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	87
PID 3676 wrote to memory of 4492	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	87
PID 3676 wrote to memory of 4492	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	87
PID 4492 wrote to memory of 4432	4492	N.exe	91
PID 4492 wrote to memory of 4432	4492	N.exe	91
PID 4492 wrote to memory of 4432	4492	N.exe	91
PID 3444 wrote to memory of 3644	3444	TXPlatfor.exe	93
PID 3444 wrote to memory of 3644	3444	TXPlatfor.exe	93
PID 3444 wrote to memory of 3644	3444	TXPlatfor.exe	93
PID 3676 wrote to memory of 3120	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	94
PID 3676 wrote to memory of 3120	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	94
PID 3676 wrote to memory of 3120	3676	70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe	94
PID 4432 wrote to memory of 1152	4432	cmd.exe	96
PID 4432 wrote to memory of 1152	4432	cmd.exe	96
PID 4432 wrote to memory of 1152	4432	cmd.exe	96
PID 3612 wrote to memory of 2624	3612	svchost.exe	97
PID 3612 wrote to memory of 2624	3612	svchost.exe	97
PID 3612 wrote to memory of 2624	3612	svchost.exe	97

C:\Users\Admin\AppData\Local\Temp\70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
"C:\Users\Admin\AppData\Local\Temp\70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1152
- C:\Users\Admin\AppData\Local\Temp\HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
  C:\Users\Admin\AppData\Local\Temp\HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3120

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:3508

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240628437.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2624

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HD_70ee3bc26c181c13b4cbfe114e950828ae3e088f383ea432f682b694bfe6dc79.exe

Filesize
922KB

MD5
7ce89829f9fb955dc377529c461852fd

SHA1
8b14f5345bfcfac08c31c284c1a0eee2cd53bcfb

SHA256
9775b4bbe23b8eb93727efe0a6d0b160ae5132a10b223f43200499cf0051a18f

SHA512
7b9cd587ba53f632a1eff914a6a4bfc345b2232ed6dc02dfefa9bc9aebe06ff7836c1698077f41483a34b0610e92549b1a4baf8b9e9b29c28469f53ec6722e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.6MB

MD5
e7ed42ef03cea6db95b5dcdeb959b7af

SHA1
61d2c0fed2ef771c981140176b7fde4dcd8ddef3

SHA256
e92a3fda7d80bdd8ae52cc4aebf13a1279fe413bd7c192658d37e4756ad20cbc

SHA512
62a7c2c5a5bbee3e5e12c0a797189cee325a2012eda20d0cb5bef94955ac1560e07ad616d5d258a6be236eb2ee5c2ec045457a4f9d91c4447916d2b973d31bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\240628437.txt

Filesize
899KB

MD5
0b5824223e2fe4665f4fd6e79904dde9

SHA1
cc7e7794673e23d09d2c9a41618d18f50c747635

SHA256
2655a33eb4e0e7cdd642e487d50e9bf5c262e2762d200941efe28b912bb429d0

SHA512
37b32da39df05df8c84a6fa9ebf3498bffbd0a989f3962a2b934fe3ba3700d2a3365846b1fe729fce5980c6cf8c4bb93173fb2280a7ed3ca87518a4afd371593

Download Submit
C:\Windows\SysWOW64\Remote Data.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/3444-27-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3444-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3444-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3644-43-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3644-39-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/3644-44-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-17-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-23-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/4492-19-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download