gh0strat | 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Size

2.1MB
MD5

9abbbab52c30fb0354096330e4af439a
SHA1

371e920401ffa2f46d3643a3fe86654b2f627198
SHA256

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb
SHA512

9b949ade92369d47a77891323b3577c09e0a0dc443a218e1a7b0c1d63455a38869a65c5d98b9c253f92ccbd3062e34fb9e06adfc16786970d3b1c75480424855
SSDEEP

24576:k09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ZY83qV49:k09XJt4HIN2H2tFvduyS//ae

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 9 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2864-8-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2864-12-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2968-18-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2484-33-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2968-29-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2484-28-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2484-37-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2484-71-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-8-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2864-12-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2968-18-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2484-33-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2968-29-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2484-28-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2484-37-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2484-71-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatforn.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

TXPlatforn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" TXPlatforn.exe
Executes dropped EXE 5 IoCs

Processes:

RVN.exeTXPlatforn.exeTXPlatforn.exeHD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

pid process

2864 RVN.exe
2968 TXPlatforn.exe
2484 TXPlatforn.exe
2488 HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
1132
Loads dropped DLL 3 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeTXPlatforn.exe

pid process

1844 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2968 TXPlatforn.exe
1844 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatforn.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatforn.exe

pid	process
2864	RVN.exe
2968	TXPlatforn.exe
2484	TXPlatforn.exe
2488	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
1132

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2864-5-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2864-8-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2864-12-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2864-7-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2968-18-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2484-33-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2968-29-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2484-28-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2484-37-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/2484-71-0x0000000010000000-0x00000000101B6000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

RVN.exe

description ioc process

File created C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe
File opened for modification C:\Windows\SysWOW64\TXPlatforn.exe RVN.exe

description	ioc	process
File created	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatforn.exe	RVN.exe

Drops file in Program Files directory 4 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0d28e0670cbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425970330"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3063B711-3763-11EF-A72C-767D26DA5D32} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000009e25b957ba9e7c849b238a6443347b7d8cbc4e96f6f3b65ef60543e0ecae61ca000000000e800000000200002000000094a72939d9eb3302de82b49b63775bb704c2ab6ebf98f4984efca0085324d24e20000000481f1f23dc05fccc9051606d638eddd1ad6dc85eae4590a71b68e2f6700e338d40000000a6d6893198daadbae15d3006ee5a2e6f680b355247685dc3cf1af8e628ec96e488c5e09c23a3d2adf716a6d0350c17bae4f4881262caa45610e986b60a857c97	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a039050000000002000000000010660000000100002000000058ad9472ff4b042678c2aba8d6f3e5925daed120f238a00d755ce6723ac97ba1000000000e8000000002000020000000f7d6d7835a0ca8399f9766b6ebc7717b165d4da6932716e29f5e7cff12894e459000000088611a9061018e79fa19cf62484a8aea0354e292aa67df31c5840a86ba26228196b562be9df575b1c924adcb323658a54270cda591c0ad279a7b3afb41ae7d658a1fab2f74d6bd11e4ccab227d493a5ff1298acdd179f9b7f39ed4ecd163d805016196e12cf6428b602a58e4d0f4afc2135f32b1f74b2ff8359e20e8b9d5eafa59a584449ffc5135306490436be14ea240000000fbdff5f528ec9cc1a4fad7759986dd8f28e56e8aa714d1455857f2b97c4bb046b0380d7d2f9f0f7cfcd8ebe8f8e0c8c600409f9eff9eb1727dd7031ee2f0dd92	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2900 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe

pid process

1844 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatforn.exe

pid process

2484 TXPlatforn.exe

pid	process
2900	PING.EXE

pid	process
2484	TXPlatforn.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

RVN.exeTXPlatforn.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2864	RVN.exe
Token: SeLoadDriverPrivilege	2484	TXPlatforn.exe
Token: 33	2484	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2484	TXPlatforn.exe
Token: 33	2484	TXPlatforn.exe
Token: SeIncBasePriorityPrivilege	2484	TXPlatforn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1600 iexplore.exe

pid	process
1600	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeiexplore.exeIEXPLORE.EXE

pid	process
1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
1600	iexplore.exe
1600	iexplore.exe
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE
1876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeRVN.exeTXPlatforn.execmd.exeHD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exeiexplore.exe

description	pid	process	target process
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 1844 wrote to memory of 2864	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	RVN.exe
PID 2864 wrote to memory of 2520	2864	RVN.exe	cmd.exe
PID 2864 wrote to memory of 2520	2864	RVN.exe	cmd.exe
PID 2864 wrote to memory of 2520	2864	RVN.exe	cmd.exe
PID 2864 wrote to memory of 2520	2864	RVN.exe	cmd.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 2968 wrote to memory of 2484	2968	TXPlatforn.exe	TXPlatforn.exe
PID 1844 wrote to memory of 2488	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 1844 wrote to memory of 2488	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 1844 wrote to memory of 2488	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 1844 wrote to memory of 2488	1844	0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
PID 2520 wrote to memory of 2900	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2900	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2900	2520	cmd.exe	PING.EXE
PID 2520 wrote to memory of 2900	2520	cmd.exe	PING.EXE
PID 2488 wrote to memory of 1600	2488	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	iexplore.exe
PID 2488 wrote to memory of 1600	2488	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	iexplore.exe
PID 2488 wrote to memory of 1600	2488	HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe	iexplore.exe
PID 1600 wrote to memory of 1876	1600	iexplore.exe	IEXPLORE.EXE
PID 1600 wrote to memory of 1876	1600	iexplore.exe	IEXPLORE.EXE
PID 1600 wrote to memory of 1876	1600	iexplore.exe	IEXPLORE.EXE
PID 1600 wrote to memory of 1876	1600	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
"C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\RVN.exe
C:\Users\Admin\AppData\Local\Temp\\RVN.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
3⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\PING.EXE
ping -n 2 127.0.0.1
4⤵
- Runs ping.exe
PID:2900

C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://pc.weixin.qq.com/
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -auto
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\TXPlatforn.exe
C:\Windows\SysWOW64\TXPlatforn.exe -acsi
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_9B8670363F58B4643EB28A4A03EE9887
Filesize
471B

MD5
956087d5d41d4d69e66fce2491803120

SHA1
a10071431be592d2db5b2dbfeda09baa3a04a9cf

SHA256
c625001c067cae573ea2c8e895679888cbe0572ff3b2515c8ec347fd923d8089

SHA512
9cace52dbf8aeebfa712d1608fd1c5b11806f2fec57773fa1f6d220a15a4ae5bc5fa011401f475838b98b6141354cc4f240d6bf230f23b3a3b881574da2fd3ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dccea3518cbcff701503be5ee89a571b

SHA1
a7d180c99bf2310221abd3b49b3bd98c719896a5

SHA256
efc7689ffe2a6ce3057af617460d67943419f5de5050dfe15f1c84664236a1b1

SHA512
22a04d467bbe1033eab8953646f558e2c4b71ac7e3506b6265b0bce46ec3319f912997ebd4791dd7cd7446d5df2ffe547f5b3d45771f7929db870439386482bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b3e4afeeb4e2de67a943e0963c648fcf

SHA1
51f40c5d1ef58c4a761e597dcf6d378d00308b3e

SHA256
9423769a64d3ea4940e1355c22fa36d4c67f492a76ce33fe6f62d64bff88b6de

SHA512
aab2355ba3c99ae4d4173b4c22ab5611febe100e1f64874d4e30352b24f2e80c29ee1e7f20d4bd27fcc57e1a6d609b7af43fc5b185099c1e0d7e81198d3b2e8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b91cefd68b715d4c98be64e0036e2868

SHA1
ddb51d0edd73cc17e8f53c03c8888b0e5f4ee5df

SHA256
a289748c19ada34a703a178bdd4ae2ab9bca25870259e5a1410b553830eeb2cb

SHA512
933dff605f7c6670eb84bdcdece07797a5b3f6130b06f1b47d8126fdb0893d10f9bd326cb34d9d147906429a2948304dd89ce74dbd5886047a84ac091bb31f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b4cea605571069aebade8e5beba66ede

SHA1
3d7caf4a56a0489467eecf0f9802e30e4afbf5e0

SHA256
e3caee9808d5fb6c69408b0ca4edfc83072cd9df0e9fa54d6b4a67611a79eca7

SHA512
3a9447541cbf52b8fc1f2b962e5c673c4b7be8ee6eb760fd18dd0cbc9a575fbb479decc06b3ebf93f6a575d2245f075b182d2ed930e913dc46b15e5113cb6ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3b2c4edcd73b041e08833ea513b6d286

SHA1
b094fefd86c800cc4c7685e1399301e8ee3534b0

SHA256
86ebf5447e42ab7e5c94c557def8c7db229cb69816e02b5eb6ae0901a99718b1

SHA512
35935e9f48e1ecdcfb127afbca79bd44622028fe19dfd13f9871bb61c0a0199308befa84aab24c36ecd8cf1c5b031246fbe68fe9dd9b94a2dbd4cc67a0a83a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
03a95e31a42b689c9cb0467b4bcc4e7d

SHA1
5534a4aa765c8542a07f2ffec320e03399fec6b2

SHA256
7fef416ffeff02e89fdf22bf6560b71c96cc161c91d3ac4b1252fbd3dbff7d73

SHA512
42d010c1083aaf5ff7d14bba675dabb69dd7c90e61a89df8db8c8e66b0e986cd8f0973b1300bb77bd10f6549a1ab7d8c4de416c7077d4b5b0f5bf31147320faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d782404d1730223aa29f9ed9d1adde33

SHA1
9f9292474f6edfe3118a84ca77a68488bfa7ec7c

SHA256
19f8f9b8983553cf484b45045cec0d820d46b9da39c0b1289ee4f3461d3c146f

SHA512
928cb6c3aeeb070d79b78ce8c60324f691758784f85b13d8d46f08d77887eddd6e7f073e56fdfded8dc399f7a8691f639f6515e4ca976f8991a3c2e18399ebdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
905f4050f662b2f89ee545081aaed0e2

SHA1
e72984acd9d5adedcfad3c812299d818dfd2588d

SHA256
3a288cb8bc1638e9ba7b8e9c9bb5ca97495bd3c11570872fc55220eccde757dc

SHA512
ab10df426adde2eae591c2a3f488f621c618b5af4fe57b16ac5dbc4909571ebb51069142114a6cadc1e4cd4208478a27184c87142c4b26a81598c2f88da2eab9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
22902c2816a779c285c34c2aada8a3cc

SHA1
d4b2c2fe7f62c6ed60ba263d51c0e463259ea614

SHA256
c74b6a505124cb699c80c6716f6c840b3789e2fdf4a14ad8b8dc8d9feb811f4c

SHA512
33f58e076d37920d62f0eaf45764a8e8ba71d3a75ec6d04c7dc4ab088621a57385900dddc3bd63f243281c75cde8b5eaef95b42d86cee0047554414c77b1ef31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d8e98d86d64fcd50bd2fc4a46b34e424

SHA1
4069e89ca279487f0478ce3674fe2dc8875f0476

SHA256
806c180119eda06d936271cec830660ae2c0255149b15120b6a0280483ab660f

SHA512
f32fc6a99c8411a30ebe9a159c1e2a335b6ef5e3ed12071bd436613626b91757408d63558062048760ac47a394a5d303c2a7ea935bad9b661fccaccfa52e2f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
db5cf8ef4c1ce4f5b715065f5aa0a39b

SHA1
4a15c9b36d8f83882373121afa66c58ec4bd06c3

SHA256
6caba9115c05060e78d3e1241fd7f92ec5fd4c80ba0ced5a5b166ba82487ecd2

SHA512
e775b8da76ae330e697de9baa0bbf5acb5f71796975079cf38ab5aa0aa6eda1f300e3f32f95756bb5fd7e70fa7ea41944b19ce7e1b9705576452b9a63ce222c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d3791708a13fa3a22de9cccc214321f3

SHA1
1ab14edb56ba43a210a4ed833d0b79b95edbe1c6

SHA256
649b08c07d39f5ec388ecf69f0102e09b63e30ab840880d56202debd534932df

SHA512
f71c42b382c35002dd51da3bf23b45bf501d41bc74fa1c6a6a4905ff2f409a22bed79720a0826f91556a3d2edaf497456959ea43000b2391945abc007d01ac34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
59c67c6ca16123f549f5a9d723ef7f2b

SHA1
06349e9f0b88024303c95c1d2dab834d980e7bd5

SHA256
9b2455cca6b1fe63adbb8841af8489b97eec5d15bd5f4a7736eaa23fb1700261

SHA512
b08c53575e397359c6a47bf63d4c4193bbd34c0ed25169cb3bdd95152e6dcb58149a2b9f426528cd42995beb1658b7b61aac6d41661e3e64243737c092ec371d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
40570ceaa7555fd7d6fd0c21b384129e

SHA1
d56694c951b2219b4ba8ec2cbdcefbfd5d92a773

SHA256
4301182d3fac79035591ead4c391a939559e4e1cde4d85fc474c1aa1e38ec2d7

SHA512
bdd962cee6eab580dbdfa0554657885d75474579c72d1301815dbd9ff015caef8877fc3d1fb04542e80461f541343cdb3dd36dbc5f931c4c7cf9478bd9edd31d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cde44703eb1a64fc6e7dd518b3b77f06

SHA1
d081a8aaf1092dc713abef54d4cec7832642f51f

SHA256
25d3b2e061ba01734615a2b43818a56526193c7ea5c13dfaf5bd2285c56909b6

SHA512
de5e1f375c862c9728548d32c4e69e4a543d09a35fd342f3432a8109f6a4e7bf7c5cf5f406c5b151c30fc96cc65dfbec472b9a65396d915bf2afac6fef9e137a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4cecf22cbc4f69001e7c5b3ff1c087d9

SHA1
4a6d41eb028a2005f0730bfd893acc993a3a2e0c

SHA256
19baa208eac95c091329a7f9b3c359e021276bf3a7edc4a2a7e201b189215d64

SHA512
3744809122e92161f8bc85600c548056f1cf4bbe8c12724fbf28e8602763608e1a3a86f28051847e6503c56c98367d76ad4d03852f17ae72bb1dafc7c8779c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
281ed5ca4d0ad8ea576d230e5af949fc

SHA1
9c5dd2a752387efac706ce4593f7266ca0d29942

SHA256
36a37123c4927871a8af4eac8f6100f3f212469ac01a9974f27cd91eec8863bc

SHA512
2591c761b618e682350ceb89fa471120ad50aabe821a69eb9ad3f36381d00cb42cd8db66a4893a4cb724e61fcaf14df60c34025db0f01c83af5a1a6ed01d7843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
eaef72ffb7a6b7aa3c9da6b8cc3a3fad

SHA1
f32c25814ea4b736c450318a6b069a93cbf11b39

SHA256
7136e45cc556f2b7343fc9f58f60065b45308067973b90123f2f6545b1b20c0c

SHA512
a67376be0882c57643542b4335300f5956c8ea450c314befbff4f5fa3f4521c37bf9017043851cbf873cbeb5a30ce225cf6fe3ffd1e4f16a130e3e0e90a7ed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C83.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Filesize
644KB

MD5
f425849e05301fd33488dfc5a81f3ef5

SHA1
ff887ef2d9f5134a9afb0223f2363bd02a0425d2

SHA256
67f7a19691a795d39de97cb2e5aa02461b2529b14c3d46e5e41a1df255c54730

SHA512
11b2ee9cd829c472819c281fc6a3d0f78ddf133fa50e63d6ef8ed5161451a0acc3059948b7a8f2f57d9646d34289f0a23f7ec00e8bf8e53cabbe0834d25d37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.5MB

MD5
4a2aecb824ab51d6ce24f25babe7c0a1

SHA1
9bc679a003d220d86975dbc23a5ce997ac224855

SHA256
019608b79fae2894575c34bfeab3cbc72f6f2d5b6c7ddb6e509003062b829b8a

SHA512
616612df3dbea44c4e2652c5598346dc2c06eef7ace65a6f46eee7cad8aa4fa5c9725ce96ac345ab3efd3120d7864d93a3d06ad3cf2819b8ebfac65bd3ed6dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C85.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize
377KB

MD5
80ade1893dec9cab7f2e63538a464fcc

SHA1
c06614da33a65eddb506db00a124a3fc3f5be02e

SHA256
57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd

SHA512
fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

Download Submit
memory/2484-71-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2484-37-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2484-28-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2484-33-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2864-7-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2864-12-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2864-8-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2864-5-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-29-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/2968-18-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download