Analysis

max time kernel: 141s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 04:34

Static task: static1
Behavioral task: behavioral1
Sample: 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Resource: win7-20240611-en

General

Target: 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Size: 2.1MB
MD5: 9abbbab52c30fb0354096330e4af439a
SHA1: 371e920401ffa2f46d3643a3fe86654b2f627198
SHA256: 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb
SHA512: 9b949ade92369d47a77891323b3577c09e0a0dc443a218e1a7b0c1d63455a38869a65c5d98b9c253f92ccbd3062e34fb9e06adfc16786970d3b1c75480424855
SSDEEP: 24576:k09tv9/7JtDElDEExIko2H2HESq2eWJ6MQjySjy+ZY83qV49:k09XJt4HIN2H2tFvduyS//ae
Malware Config

Signatures

Processes:
resource  yara_rule
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 11 IoCs
Processes:
resource  yara_rule
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp  family_gh0strat
Drops file in Drivers directory 1 IoCs
Processes: TXPlatforn.exe
description  ioc  process
File created  C:\Windows\system32\drivers\QAssist.sys  TXPlatforn.exe
Sets service image path in registry 2 TTPs 1 IoCs
Processes: TXPlatforn.exe
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"  TXPlatforn.exe
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: HD_msedge.exe (8 processes)
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  HD_msedge.exe (×8, one row per HD_msedge.exe process)
Executes dropped EXE 21 IoCs
Processes:
pid  process
1516  RVN.exe
1636  TXPlatforn.exe
208  HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
2476  TXPlatforn.exe
2180  msedge.exe
4860  RVN.exe
4028  TXPlatforn.exe
5084  TXPlatforn.exe
3684  HD_msedge.exe
2528  HD_msedge.exe
2200  HD_msedge.exe
3220  HD_msedge.exe
4648  HD_msedge.exe
1888  HD_msedge.exe
3408  HD_msedge.exe
2876  HD_msedge.exe
1848  HD_msedge.exe
212  HD_msedge.exe
5092  HD_msedge.exe
4180  HD_msedge.exe
4104  HD_msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
resource  yara_rule
behavioral2/memory/1516-4-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1636-13-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
behavioral2/memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp  upx
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes: HD_msedge.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  HD_msedge.exe
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
Processes: HD_msedge.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName  HD_msedge.exe
Drops file in System32 directory 2 IoCs
Processes: RVN.exe
description  ioc  process
File created  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
File opened for modification  C:\Windows\SysWOW64\TXPlatforn.exe  RVN.exe
Drops file in Program Files directory 7 IoCs
Processes: 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe, msedge.exe
description  ioc  process
File opened for modification  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification  C:\Program Files\Mozilla Firefox\firefox.exe  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File created  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\vlc.exe  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
File created  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe  msedge.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: HD_msedge.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  HD_msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  HD_msedge.exe
Runs ping.exe 1 TTPs 2 IoCs
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid  process
2296  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe (×2)
2180  msedge.exe (×2)
3220  HD_msedge.exe (×2)
3684  HD_msedge.exe (×2)
4820  identity_helper.exe (×2)
4104  HD_msedge.exe (×4)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid  process
2476  TXPlatforn.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes: RVN.exe, TXPlatforn.exe, RVN.exe
description  pid  process
Token: SeIncBasePriorityPrivilege  1516  RVN.exe
Token: SeLoadDriverPrivilege  2476  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  4860  RVN.exe
Token: 33  2476  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  2476  TXPlatforn.exe
Token: 33  2476  TXPlatforn.exe
Token: SeIncBasePriorityPrivilege  2476  TXPlatforn.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
pid  process
3684  HD_msedge.exe (×25)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
pid  process
3684  HD_msedge.exe (×24)
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid  process
2296  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe (×2)
2180  msedge.exe (×2)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe, RVN.exe, TXPlatforn.exe, cmd.exe, HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe, msedge.exe, TXPlatforn.exe, RVN.exe, cmd.exe, HD_msedge.exe
description  pid  process  target process
PID 2296 wrote to memory of 1516  2296  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe  RVN.exe (×3)
PID 1516 wrote to memory of 3928  1516  RVN.exe  cmd.exe (×3)
PID 1636 wrote to memory of 2476  1636  TXPlatforn.exe  TXPlatforn.exe (×3)
PID 2296 wrote to memory of 208  2296  0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe  HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe (×2)
PID 3928 wrote to memory of 1524  3928  cmd.exe  PING.EXE (×3)
PID 208 wrote to memory of 2180  208  HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe  msedge.exe (×3)
PID 2180 wrote to memory of 4860  2180  msedge.exe  RVN.exe (×3)
PID 4028 wrote to memory of 5084  4028  TXPlatforn.exe  TXPlatforn.exe (×3)
PID 4860 wrote to memory of 4788  4860  RVN.exe  cmd.exe (×3)
PID 2180 wrote to memory of 3684  2180  msedge.exe  HD_msedge.exe (×2)
PID 4788 wrote to memory of 1504  4788  cmd.exe  PING.EXE (×3)
PID 3684 wrote to memory of 2528  3684  HD_msedge.exe  HD_msedge.exe (×2)
PID 3684 wrote to memory of 2200  3684  HD_msedge.exe  HD_msedge.exe (×31)
System policy modification 1 TTPs 1 IoCs
Processes: HD_msedge.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection  HD_msedge.exe
Processes (the bracketed number is the depth of the process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    - Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\PING.EXE
    Command line: ping -n 2 127.0.0.1
    - Runs ping.exe

[2] C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pc.weixin.qq.com/
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\AppData\Local\Temp\RVN.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\RVN.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\RVN.exe > nul
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\PING.EXE
    Command line: ping -n 2 127.0.0.1
    - Runs ping.exe

[4] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Checks system information in the registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd952e46f8,0x7ffd952e4708,0x7ffd952e4718
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8

[5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=renderer --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE

[5] C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe" --type=gpu-process --field-trial-handle=2068,11094577433959469496,11627788461948790167,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -auto
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\TXPlatforn.exe
    Command line: C:\Windows\SysWOW64\TXPlatforn.exe -acsi
    - Executes dropped EXE

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\HD_msedge.exe
Filesize: 3.2MB
MD5: ad8536c7440638d40156e883ac25086e
SHA1: fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA256: 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512: b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Filesize: 4.7MB
MD5: 5c0cc33ccd8a4109d8939cf5c7ccc959
SHA1: ff517abb56cd51686eaa1027e3bc69fbfc21381f
SHA256: b9671f0f01cd272890f2ee5e01f7ed6e94eb8da604ed82ec873b24b95e48d699
SHA512: 7751eb09637819e6939cd9e70414942dfa2ffed61d57d95b56ebb7e22579bdfb861edfe25ef88e9ff763f1d1212679bb05985239b5974e23d6bf0ce1bec062fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 612a6c4247ef652299b376221c984213
SHA1: d306f3b16bde39708aa862aee372345feb559750
SHA256: 9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a
SHA512: 34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 56641592f6e69f5f5fb06f2319384490
SHA1: 6a86be42e2c6d26b7830ad9f4e2627995fd91069
SHA256: 02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455
SHA512: c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 23bc7281c7e67915655e31d9491d872e
SHA1: 9087558b1ee7963ce0f54d4f8cf9a9933a9ce337
SHA256: 535a2139340c7ae33330386aad8ef20d9a356ff5456030a85596e69864c0eff0
SHA512: 018760434309a97a2a3794d31c6acd7b0d4aea71bada862362f92657c24a2decef0f14e25b2eb816b35e51821b7f869abe5ff09b18003a4a97a1b3fc7810f070

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 8KB
MD5: eee2f42ca0dbbdffd342c419f1224833
SHA1: fa341ece4577fb66bb653bf10e7408f86c389c8b
SHA256: 36f4109b396311d7d9ab0733576dded78a03883ef34b63c4a2dabac5521a40dd
SHA512: b786f6704d7fbee1622bd73e3b24693d91a046aa10a4bb3cd5f4a2318c05262016e1f0bccc5bdec041f2fa4e31e4a44b064a4fc9a3d17db078730beb86098117

C:\Users\Admin\AppData\Local\Temp\HD_0412aa061e426fb6a078408c966ed232a75e01c4a2febbec454b89b05cee92fb.exe
Filesize: 644KB
MD5: f425849e05301fd33488dfc5a81f3ef5
SHA1: ff887ef2d9f5134a9afb0223f2363bd02a0425d2
SHA256: 67f7a19691a795d39de97cb2e5aa02461b2529b14c3d46e5e41a1df255c54730
SHA512: 11b2ee9cd829c472819c281fc6a3d0f78ddf133fa50e63d6ef8ed5161451a0acc3059948b7a8f2f57d9646d34289f0a23f7ec00e8bf8e53cabbe0834d25d37e8

C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize: 1.5MB
MD5: 4a2aecb824ab51d6ce24f25babe7c0a1
SHA1: 9bc679a003d220d86975dbc23a5ce997ac224855
SHA256: 019608b79fae2894575c34bfeab3cbc72f6f2d5b6c7ddb6e509003062b829b8a
SHA512: 616612df3dbea44c4e2652c5598346dc2c06eef7ace65a6f46eee7cad8aa4fa5c9725ce96ac345ab3efd3120d7864d93a3d06ad3cf2819b8ebfac65bd3ed6dbb

C:\Users\Admin\AppData\Local\Temp\RVN.exe
Filesize: 377KB
MD5: 80ade1893dec9cab7f2e63538a464fcc
SHA1: c06614da33a65eddb506db00a124a3fc3f5be02e
SHA256: 57a920389c044e3f5cf93dabff67070b4511e79779b6f874e08f92d8b0d7afbd
SHA512: fffd4f3fccb5301b3c7a5b3bd92747f31549fbd9d0803fe5d502d1bb0ef979140988718c2ee1406ed3e755790d275185e120a56cbcb5ed2eadf62b5cdbfc4cc4

\??\pipe\LOCAL\crashpad_3684_HZRERXWXQWODXTOK
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/212-195-0x0000020AB5E00000-0x0000020AB5E9E000-memory.dmp  Filesize: 632KB
memory/1516-10-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1516-6-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1516-4-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1516-7-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1636-27-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1636-16-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1636-17-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1636-13-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1636-15-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/1848-267-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp  Filesize: 632KB
memory/1848-249-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp  Filesize: 632KB
memory/1848-223-0x000001E0F8AD0000-0x000001E0F8B6E000-memory.dmp  Filesize: 632KB
memory/1888-154-0x000001A812520000-0x000001A8125BE000-memory.dmp  Filesize: 632KB
memory/2200-121-0x00007FFDA1D30000-0x00007FFDA1D31000-memory.dmp  Filesize: 4KB
memory/2200-247-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp  Filesize: 632KB
memory/2200-215-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp  Filesize: 632KB
memory/2200-224-0x000001EF9FE10000-0x000001EF9FEAE000-memory.dmp  Filesize: 632KB
memory/2476-30-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2476-28-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2476-36-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2476-77-0x0000000010000000-0x00000000101B6000-memory.dmp  Filesize: 1.7MB
memory/2876-180-0x0000024B5CED0000-0x0000024B5CF6E000-memory.dmp  Filesize: 632KB
memory/3408-157-0x0000023A3BCD0000-0x0000023A3BD6E000-memory.dmp  Filesize: 632KB
memory/4180-226-0x0000027E2B100000-0x0000027E2B19E000-memory.dmp  Filesize: 632KB
memory/4180-250-0x0000027E2B100000-0x0000027E2B19E000-memory.dmp  Filesize: 632KB
memory/4648-248-0x000001E5F7AD0000-0x000001E5F7B6E000-memory.dmp  Filesize: 632KB
memory/4648-216-0x000001E5F7AD0000-0x000001E5F7B6E000-memory.dmp  Filesize: 632KB
memory/5092-197-0x00000133F84D0000-0x00000133F856E000-memory.dmp  Filesize: 632KB