gh0strat | 3b99bfadd48cd3c2d39a63e979b19f97923eb5eb21eacc608de8fc17e88d2263

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-01-2025 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
Size

4.7MB
MD5

9c2374e52ce7df3417625cb8420eff85
SHA1

a0551f6db8b353c43bde2c28c164daff9fcf14a1
SHA256

3b99bfadd48cd3c2d39a63e979b19f97923eb5eb21eacc608de8fc17e88d2263
SHA512

388e283cd7c5ab8ae341d13b925d259a21fa11e1143a921f0f13a10d9fbc039a7e8577fd6b7b93e2107ada12d6fb4c9effc5f3ab76017463d751cf5d154d50d9
SSDEEP

49152:+jwsbCANnKXferL7Vwe/Gg0P+WhcDmn2HFur0YuD7VGOwJXL8JV+z7RgU:cws2ANnKXOaeOgmhcDmn2K05ABnRgU

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral1/memory/2148-20-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2148-21-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2820-42-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2820-46-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2820-49-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ace-6.dat	family_gh0strat
behavioral1/memory/2148-20-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2148-21-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2820-42-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2820-46-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2820-49-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\259553714.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 7 IoCs

pid	Process
2644	R.exe
2148	N.exe
2796	TXPlatfor.exe
2820	TXPlatfor.exe
2944	HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
1268	Process not Found
2632	Remote Data.exe

Loads dropped DLL 9 IoCs

pid	Process
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
2644	R.exe
1216	svchost.exe
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
2796	TXPlatfor.exe
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
1216	svchost.exe
2632	Remote Data.exe
2944	HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\259553714.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2148-20-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2148-21-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2148-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2820-42-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2820-46-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2820-49-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TXPlatfor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remote Data.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2936	cmd.exe
1920	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a073fcf73b70db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FF1D7C1-DC2F-11EF-8121-F6D98E36DBEF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcd93a50270f5d47a684f9b86a1a3ed900000000020000000000106600000001000020000000b82c6c1edb1f7e1d262430d834c3c3a03260135695136c2535e207da810bd80b000000000e800000000200002000000016aa5fa4c8454f4de0ee195d290fe86b72a2061c3c867f92f35cb42ee24e491a20000000f87f6ebfc91f8687014d13918176b13c51012123053ce0a5603f9dedb34cdd1c40000000723e52190a0c97a6bbe5024d42f9e9031c64e9f2b1ad773d30e2ed71f92e7829171f99a85de2b45ba97e9553db24468bc8776e9e924be15d64584d17b4118487	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444089888"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fcd93a50270f5d47a684f9b86a1a3ed900000000020000000000106600000001000020000000fcf1c075f1c50a654ff73db9dccef8fbef757e8495cc7b172087f58ecab854a3000000000e800000000200002000000055f4e80ab9fc8da8247ef11efe9455df82eb366af29eff962da83965ae51398090000000fea0af9216d294af9357c6611d89196b93627390779afbb254cfb94ab4549b2b28987567b86e6555b4b08a17f5ad40361bb6e52527778c2a04f7df33ca284bdf57f81a43fb7c1c803d12915133896a3e9b2a332000f8405329585ded6956c328c4d0c76ded0708408923fd0cedca26526490bd382f4da3c8326cc853ce76e9a1d8d7d57d50437fa74dbee73057b9c8124000000004cc779518b85c8ef54c2a6b978da320201cac43719298cfb2c6937e7000536c87c7f7b795f9fd7402548aa00276736af7781b982f716a722c204594824e7876	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1920	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2820	TXPlatfor.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2148	N.exe
Token: SeLoadDriverPrivilege	2820	TXPlatfor.exe
Token: 33	2820	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2820	TXPlatfor.exe
Token: 33	2820	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	2820	TXPlatfor.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
2412	iexplore.exe
2412	iexplore.exe
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2644	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	29
PID 2604 wrote to memory of 2644	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	29
PID 2604 wrote to memory of 2644	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	29
PID 2604 wrote to memory of 2644	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	29
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2604 wrote to memory of 2148	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	32
PID 2148 wrote to memory of 2936	2148	N.exe	34
PID 2148 wrote to memory of 2936	2148	N.exe	34
PID 2148 wrote to memory of 2936	2148	N.exe	34
PID 2148 wrote to memory of 2936	2148	N.exe	34
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2796 wrote to memory of 2820	2796	TXPlatfor.exe	35
PID 2604 wrote to memory of 2944	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	37
PID 2604 wrote to memory of 2944	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	37
PID 2604 wrote to memory of 2944	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	37
PID 2604 wrote to memory of 2944	2604	2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	37
PID 2936 wrote to memory of 1920	2936	cmd.exe	38
PID 2936 wrote to memory of 1920	2936	cmd.exe	38
PID 2936 wrote to memory of 1920	2936	cmd.exe	38
PID 2936 wrote to memory of 1920	2936	cmd.exe	38
PID 1216 wrote to memory of 2632	1216	svchost.exe	39
PID 1216 wrote to memory of 2632	1216	svchost.exe	39
PID 1216 wrote to memory of 2632	1216	svchost.exe	39
PID 1216 wrote to memory of 2632	1216	svchost.exe	39
PID 2944 wrote to memory of 2412	2944	HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	40
PID 2944 wrote to memory of 2412	2944	HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	40
PID 2944 wrote to memory of 2412	2944	HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe	40
PID 2412 wrote to memory of 1980	2412	iexplore.exe	41
PID 2412 wrote to memory of 1980	2412	iexplore.exe	41
PID 2412 wrote to memory of 1980	2412	iexplore.exe	41
PID 2412 wrote to memory of 1980	2412	iexplore.exe	41

C:\Users\Admin\AppData\Local\Temp\2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Local\Temp\R.exe
  C:\Users\Admin\AppData\Local\Temp\\R.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\N.exe
  C:\Users\Admin\AppData\Local\Temp\\N.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1920
- C:\Users\Admin\AppData\Local\Temp\HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
  C:\Users\Admin\AppData\Local\Temp\HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://chrome.360.cn/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
PID:1952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\Remote Data.exe
  "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\259553714.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2632

C:\Windows\SysWOW64\TXPlatfor.exe
C:\Windows\SysWOW64\TXPlatfor.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
18bb3107436699d0ff142af371d05e08

SHA1
05a4cc124cac224dea0910433ae409e7cb753219

SHA256
91f1a8ae3b735080d0e0859b66722b56975d9f596c0ac02871ce5fddc084d7ee

SHA512
965ebf458459a5efdfb14d1b3f1f0060c9ffea1a1edd48826386c096b8a35fdc37d15f4b892f1b535b928aec353afa89144a29db3e8724beda19b56bf40dc15e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b686e94455c268390a94e53284ad551

SHA1
694bbfddcc10ae7556c2e3a1d787deb227879084

SHA256
f1d0667c18f51f940cf0c5ca45f445ff5b3dd9a7db5e5354ad6e8810f5d8461e

SHA512
00249d43a8f506dfa07a05c3a1b65dd0cce8c4f7d0ba64bccd7d6090e51023c33b228fccf2ddf3148b299d74e1516083a541724e6aeef4fff3636defd44adadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df45aa041cba818475b509e38666f63

SHA1
22f9320c1ad242f70d5fd8d34987d47cbffb842e

SHA256
5c9557ed5ea034c7caee7d80952f86527e32c6e94a95fe9e7361ed5f44be300a

SHA512
2a1b62c7083ee24459ed41c7a3b39d02ff08c6bb4cc44861c278de1d6913d7c8a5d325d4eeff2fb6bdb039af6b7c0bc188eb39b9167300d6e5e752d19772c827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bf6d3922451861bdf0efba15aef9868

SHA1
a4c34ef6c316fa5c0b57230862ad891b7395f96a

SHA256
1551a8a04ba342b314bec93235e54c971407997b95cbd26b288fa657af08925c

SHA512
a668bcaf43ee849c5750f1a762fd410a4edfdf4da450131f2e1c637c0a6bad968fa8d4e2d3f50efb918b75578beb9afd0ed1e84b65c9e30c69f3b9cb25e9af1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca32c01b79450ba58e8c0c6d1ead8cf0

SHA1
5e952a5880e99a76ada9cb656be6c99c9dd97485

SHA256
47a2b598c8fa1dd7e490f8316f8dc72981f267da53ea6bf2b42b7703f211ce5b

SHA512
7a6389e20ba5243858f5ded8da083690fd300fb6bba0d19678bff393ac724781727a0f4a8a6287605ef451549280ac30c651d2f1f241dbf4fd6d245969277961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2665b2c8d0f51c419078b084ab882e73

SHA1
099881027d76d71a0f2f0ab0651a09a908b29b60

SHA256
de86db529d31f7c6b50af508a39cfa9310fc84dfb7d784229877837af9f65f3b

SHA512
e7c61d1c7ce1ef24608922f14d1ed90deb5770267ddf76ec982c9759ad284838e8f4aa467df0e4797039bc320180c4fa30f2bf9e6dfd405add738e1da35f233e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bffada04dba0548f9ee8671d277f894

SHA1
ee539b232e62680ccdf76c3bf32637356059faed

SHA256
bd8e2c0c48c66ec5d0a8c4f778d6818b336612406a936ac7bc9053bbbd20724d

SHA512
9ee2b328e66f8e5e32bee271e4d98459f28301c97aa19628fa1e83aad83913c0528711c8ebefac0d7cffaf8db2d5ae9fb3d12e338caf4c38d3e752b715faf1b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf2e5730d2fedb8c4a4686a9cd5614e3

SHA1
e61c48ef9983c9f5aff080e43308bf02e20ebd8c

SHA256
5715e989de095269fa0632d3903b40718e97111c99708318375ea1f669580d89

SHA512
79b4916c2cdf23480a22bf09b0d648d8d19c546ace13b58b38d4f26d37b80c8d95306b247ee719f7f7f8b192bf5826edbf3e3893920c20b8771b4a3442059554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c70aab35c292c14e50dd91fbc7549c3

SHA1
784c1084a48526ece86e025ac280f8bbf4336b02

SHA256
6624fc1345af0a9e777e2819fe8265ccec8e5aef41fecc3ededc5a4d7ea05e4a

SHA512
89c81f28ddef13df8cefec48bb6dc93a87523d54d34f5cdcfe343fa2cd65ced8ecfbdc6cdc0fe1ba34d31aa5ae5b0563bee614f7e1c7246a35e305f2108daca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eebd1b7c0a3539eb0e2ad1b82cce012f

SHA1
4e216fc459337e08ddffd41398152d4a3272b762

SHA256
258dbb63d64e1d852479345a14a18d86b68ee930010247da932ac2694e396848

SHA512
8d5284e70aabded4f7dabf8e015688fe8b6bcc7c28e5473916ae9d3fc5dd429440c9e8e37edf18afb7addf08c554ebb3479e8623da0f078f3eec812130d80eef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a591994a21c6a9a835b2f84bf61d83c

SHA1
b3a6f9dbbe7d72005eb988bbcadc6fa5ebd670e7

SHA256
272e24320d969b283359fa672f12a169cd6fdb578d01db92e566ae67c4827e15

SHA512
e1205390874251b30d9082adf147d546c34131bd040680a03969d2dcd4cddc2afd028fe3d264d134a628a4fab999796ab4c7a95a841ef5dee6f30661396e61f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96597cb8a54ee765da05699092530669

SHA1
1a1a42a07f886ac16e60157bb2da843c58bd26cb

SHA256
c4d46234f28b659eb39ce291702cf09e4675dbf74cc67d97a7e7e313d7ec67e5

SHA512
86d30527ffcf81aafe74295dbeae2cb64fa16af7dec59820cc9fb7aff1cc5f9b292d0ca682ee150464af33ebbad2a91841154b593296047681cbf7c268188dbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f375cafc8dedb62b81eb1443b0c88ac

SHA1
cbff4917423f161da484b4ed1b9ba9ab4b914d27

SHA256
b125f8ae0fdc453e4bcc4658a42313b6be485d15900584741930da6128c21b08

SHA512
cca37cfe02c79d311b7b6b54960a528b81934c3a32a751ac4f07f21fa01ffe325afa0811dedbc7c66438cec7813c3124b0eb0623330cddbd696f86b1ae24d9fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd8b0bc07fbde88d68a1bef080f7bd14

SHA1
1fd6314c15d47e04e7a36f430d64bcc065b7db90

SHA256
4d66e370a93286aa7bb653af7794b2794fbc1429c607dd7f8b1cdcbcac04792f

SHA512
55b98a8ef581aa0b4d62d02aa4d3ea486add4efa68d5c3ac8cd1e708dc5aedd866ad7eddae905f898c45d8e66ba59a1cb57e46e44f0f9cc0e01b9efc64b3bd55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9090237e8f116da9a3fe8f2e6d0a8ea7

SHA1
fa0d0f956920f3749313688db2c8f25d8e8b44c4

SHA256
1cd42e379060475fcbb89b4fe4181971cf3ad3ad96414f6a84ec7edd92ac9767

SHA512
ebac5499dd870e6113fa17642ded9326768eb9a89a09d2f6b8fe98532bee9b15b96db0adeed059fe496df6cddc6287f0011d4317db294c11f78353fc9c00f7bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1cd5d8603bb07544defa92bad285f7

SHA1
1e85da158e71c1af4933b9e6c58fef4b749a3284

SHA256
0ae76ace5227c5f0194a81cb064e1102a59ef494622e75259d4109f20a62c7e7

SHA512
6752ee7a065fff27775e52c2e37c81b522aab63a304cdd7d580b2d2f0518f603f655d36a98b07db9fd8247a8d1491020be7df2d33ca3faa38135708d47e1c61b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b37bdcd3f8fdc6a8ed6304515a7d97a

SHA1
72ffd76e90f69747969e351e0104cd04b609a5bd

SHA256
c0e9ccfa9ca779d2324bca8033755a2d6b92439b54262dcad531475146c90085

SHA512
790361c57fd958f8c37dae40f7be0f865fd26654d020531774649fc7e82c7b1f58f60da23190b5883ef4446f5207806289587274fb089e9e9c3c635eb88fc03f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60b4c6bee07a516eef1f64118ea7e8b9

SHA1
6f0b736b40939b32628b012806ecc674fc89c189

SHA256
c8f493b8ba9274af960dd4e923a21790371e4480090c7a6548480afc6076f529

SHA512
e616a83cd4613b9e5b4e37d7dd123ebec6cd204fecd895651f71d183409c3d5c97bf1439256b3aed385fe682b4a05079b8efcf4afcd36316cfb958a10d4242c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4a25139ffde823344c6fee13d25ef5ff

SHA1
4ee03e44f34a8fa9973c052070ed072c2adb6270

SHA256
3b50d388ae4e6fdde71fb9bed6ce11e5646c445e775dd1665d708d614eb188af

SHA512
8b790dd53ef4009596cf70bbbfb79153505b1e50cd1f656831d30ac6f278c99b6da17e963a5468e105308a0769450ba693cc893777604cb0563ab6ebee8d68a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\melo7gx\imagestore.dat

Filesize
5KB

MD5
2ed1a44bdf2654cd5bde31b83b136ad4

SHA1
463b74fd8965487e3c2b080a466f1245dd540efe

SHA256
74e04f5b6fcdf7a27d92fe1957484ccab11dbd025a1e0e733d9f299b8808cc4c

SHA512
9d7be1b57dcf8f3c4995fd38ecff7eb1d2a4d28ba74d7c3f30cb52132bbe5f8003abe8712c9307d6208f64a76399375f9a7fec704cde5a116ea13722aeea9cf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\favicon[1].ico

Filesize
5KB

MD5
8adfaf034b01585b2fcb848ff0b5bc2f

SHA1
c1447300e96c519ffaf2c9bdabceb4200f3c1e38

SHA256
eb11e02318a389cf4b9e06a8ca66694d2d544fbe8bfd28555e2189727675bd8e

SHA512
fb5f199625525a68fc22a58f037909e9c1a4843085ffb2c66b114213b44d280e7b479de1dc44aad607cdfe666a9ee2817b82f6fbfa055043e6c2ea388af5114e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1E0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_2025-01-26_9c2374e52ce7df3417625cb8420eff85_hijackloader_icedid.exe

Filesize
2.1MB

MD5
3efa0f232ed97c5fc857cf2276daea3d

SHA1
dac0dbd6bfa3e348c1614ba0f6cfc58e2f6a4eac

SHA256
0631570b06688a5405692402d83cfc57fa3f22bf5ffbf085b1b94b7c16a25750

SHA512
dddced0a4162b1b2a5bd1c3de30023bb91dd1a87a579a8c41db73a133bebc7c7ffda10d495291bd91e9cc86a047712c7472e0acdb16400544425a502fbb02910

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.6MB

MD5
368bcd0748e481a1a8d1c654eb99695d

SHA1
eb9521a777b97020cf712d66178d55422e014f36

SHA256
8bc614d3d7746ab284bd48588c6bd648119bf4b39ea29394ccc97eb0298959e0

SHA512
f78a4e6f41ad26e54b73d48a74b16f67a10537a9fc71e4470734484070faf71f6549144c4d5224990bf38b66a4298faf55032b1b248919a6fa886966fb5bc4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF240.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\259553714.txt

Filesize
899KB

MD5
a47fdc8ae3de01c03d01a0616598f790

SHA1
fccd5d57bac6cd611da1f54f8ec70ef1fe840f51

SHA256
c5f4c27cdaaf0c04648d6fc6db6106f8cd107ba42bdc40568943903bc4e1bd6a

SHA512
10705b95e8361528573d512272a481f643e58806b9dc9e784cda9dc5a90a9b949913153cea5306508a6c8ec57a20441ba23be6b4fa5a9ac10cbd3a00dd93dc93

Download Submit
\Windows\SysWOW64\Remote Data.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/2148-21-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-20-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2148-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2820-49-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2820-46-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2820-42-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download