redline | ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42

Analysis

max time kernel
123s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
11-03-2021 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
Size

301KB
MD5

4945a14049174b18fc91e04b65dc0dd5
SHA1

28086f5cc0b9f97014575dac95b9de5065977a83
SHA256

ea8588de894d9657daa047958ca98c5e9549ca25bc09e9df2a9c8ae044daef42
SHA512

10e478b6f5d6eb81713f92d8c25a4ee517bd5d37e5962bc16d7b9be652770d844ce537777ec0d023e83069f2de43195cfd08ca1992853d1f7bc6bb35ece3656f

Score

10^/10

redline smokeloader backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3568-23-0x00000000049E0000-0x0000000004A0D000-memory.dmp	family_redline
behavioral2/memory/3568-25-0x0000000004AA0000-0x0000000004ACC000-memory.dmp	family_redline
behavioral2/memory/1772-66-0x0000000004980000-0x00000000049BE000-memory.dmp	family_redline
behavioral2/memory/1772-73-0x0000000007190000-0x00000000071CC000-memory.dmp	family_redline
behavioral2/memory/2104-91-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/2104-93-0x000000000041F37A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2396 created 3128 2396 WerFault.exe Explorer.EXE
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

8F65.tmp.exe9254.tmp.exe9737.tmp.exe1837264067.exe1832078390.exe1837264067.exe

pid process

3568 8F65.tmp.exe
3256 9254.tmp.exe
1772 9737.tmp.exe
4468 1837264067.exe
672 1832078390.exe
2104 1837264067.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

pid process

3484 SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 2396 created 3128	2396	WerFault.exe	Explorer.EXE

pid	process
3568	8F65.tmp.exe
3256	9254.tmp.exe
1772	9737.tmp.exe
4468	1837264067.exe
672	1832078390.exe
2104	1837264067.exe

pid	process
3484	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1837264067.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	1837264067.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	1837264067.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1837264067.exe = "0"	1837264067.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1837264067.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1837264067.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1837264067.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

1837264067.exe

pid	process
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe
4468	1837264067.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe1837264067.exe

description	pid	process	target process
PID 4692 set thread context of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4468 set thread context of 2104	4468	1837264067.exe	1837264067.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1060 672 WerFault.exe 1832078390.exe
2396 3128 WerFault.exe Explorer.EXE
3972 4468 WerFault.exe 1837264067.exe

pid	pid_target	process	target process
1060	672	WerFault.exe	1832078390.exe
2396	3128	WerFault.exe	Explorer.EXE
3972	4468	WerFault.exe	1837264067.exe

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeSecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

220 timeout.exe

pid	process
220	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483821478966568"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000995fe29e3116d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e4070a004100720067006a006200650078000a005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff74ae2078e323294282c1e41cb67d5b9c000000000000000000000000a5767c5b62add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000a6fbb6b755add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Explorer.EXE

pid	process
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

pid process

3484 SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

pid	process
3484	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

9254.tmp.exe1837264067.exeWerFault.exeExplorer.EXEpowershell.exeWerFault.exeexplorer.exeWerFault.exe8F65.tmp.exe9737.tmp.exe

description	pid	process
Token: SeDebugPrivilege	3256	9254.tmp.exe
Token: SeDebugPrivilege	4468	1837264067.exe
Token: SeRestorePrivilege	1060	WerFault.exe
Token: SeBackupPrivilege	1060	WerFault.exe
Token: SeDebugPrivilege	1060	WerFault.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2396	WerFault.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeDebugPrivilege	3972	WerFault.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe
Token: SeDebugPrivilege	3568	8F65.tmp.exe
Token: SeDebugPrivilege	1772	9737.tmp.exe
Token: SeShutdownPrivilege	4508	explorer.exe
Token: SeCreatePagefilePrivilege	4508	explorer.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

explorer.exe

pid	process
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe
4508	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

4956 ShellExperienceHost.exe
4716 SearchUI.exe
4956 ShellExperienceHost.exe

pid	process
4956	ShellExperienceHost.exe
4716	SearchUI.exe
4956	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exeExplorer.EXE9254.tmp.exe1837264067.execmd.exe

description	pid	process	target process
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 4692 wrote to memory of 3484	4692	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe	SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
PID 3128 wrote to memory of 3568	3128	Explorer.EXE	8F65.tmp.exe
PID 3128 wrote to memory of 3568	3128	Explorer.EXE	8F65.tmp.exe
PID 3128 wrote to memory of 3568	3128	Explorer.EXE	8F65.tmp.exe
PID 3128 wrote to memory of 3256	3128	Explorer.EXE	9254.tmp.exe
PID 3128 wrote to memory of 3256	3128	Explorer.EXE	9254.tmp.exe
PID 3128 wrote to memory of 3256	3128	Explorer.EXE	9254.tmp.exe
PID 3128 wrote to memory of 1772	3128	Explorer.EXE	9737.tmp.exe
PID 3128 wrote to memory of 1772	3128	Explorer.EXE	9737.tmp.exe
PID 3128 wrote to memory of 1772	3128	Explorer.EXE	9737.tmp.exe
PID 3256 wrote to memory of 4468	3256	9254.tmp.exe	1837264067.exe
PID 3256 wrote to memory of 4468	3256	9254.tmp.exe	1837264067.exe
PID 3256 wrote to memory of 4468	3256	9254.tmp.exe	1837264067.exe
PID 3256 wrote to memory of 672	3256	9254.tmp.exe	1832078390.exe
PID 3256 wrote to memory of 672	3256	9254.tmp.exe	1832078390.exe
PID 3256 wrote to memory of 672	3256	9254.tmp.exe	1832078390.exe
PID 4468 wrote to memory of 1636	4468	1837264067.exe	powershell.exe
PID 4468 wrote to memory of 1636	4468	1837264067.exe	powershell.exe
PID 4468 wrote to memory of 1636	4468	1837264067.exe	powershell.exe
PID 4468 wrote to memory of 1896	4468	1837264067.exe	cmd.exe
PID 4468 wrote to memory of 1896	4468	1837264067.exe	cmd.exe
PID 4468 wrote to memory of 1896	4468	1837264067.exe	cmd.exe
PID 1896 wrote to memory of 220	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 220	1896	cmd.exe	timeout.exe
PID 1896 wrote to memory of 220	1896	cmd.exe	timeout.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe
PID 4468 wrote to memory of 2104	4468	1837264067.exe	1837264067.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

1837264067.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1837264067.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1837264067.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.8119.17745.exe"
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3484

C:\Users\Admin\AppData\Local\Temp\8F65.tmp.exe
C:\Users\Admin\AppData\Local\Temp\8F65.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Users\Admin\AppData\Local\Temp\9254.tmp.exe
C:\Users\Admin\AppData\Local\Temp\9254.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\1837264067.exe
"C:\Users\Admin\AppData\Local\Temp\1837264067.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1837264067.exe" -Force
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:220

C:\Users\Admin\AppData\Local\Temp\1837264067.exe
"C:\Users\Admin\AppData\Local\Temp\1837264067.exe"
4⤵
- Executes dropped EXE
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 1956
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Users\Admin\AppData\Local\Temp\1832078390.exe
"C:\Users\Admin\AppData\Local\Temp\1832078390.exe"
3⤵
- Executes dropped EXE
PID:672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 268
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Admin\AppData\Local\Temp\9737.tmp.exe
C:\Users\Admin\AppData\Local\Temp\9737.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 7752
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4508

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1832078390.exe
MD5
58f807333c6bf89503690d4ac187a596

SHA1
6835874207df9383886662a5f0378e0d760c1a94

SHA256
18b2fb824c91d5901e2b6a2515b62de3b7b541353c5b2c79709505bc477b7b1a

SHA512
0eba783fdebe3c6ec2fa58cc196c23f407eddcc617d0a2904fb484efd148fba1c1aed7e3533b0c9927e192aab508ae36e5e2d4d3519b3a677cb15ca64ad71cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1832078390.exe
MD5
58f807333c6bf89503690d4ac187a596

SHA1
6835874207df9383886662a5f0378e0d760c1a94

SHA256
18b2fb824c91d5901e2b6a2515b62de3b7b541353c5b2c79709505bc477b7b1a

SHA512
0eba783fdebe3c6ec2fa58cc196c23f407eddcc617d0a2904fb484efd148fba1c1aed7e3533b0c9927e192aab508ae36e5e2d4d3519b3a677cb15ca64ad71cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F65.tmp.exe
MD5
75108940b5bcb39969c6ceb388a7d757

SHA1
f27f37c1228d2d851c027a38c53bfb3ffdff2181

SHA256
5cd66e5ff2736faf6c50137d8147d1b89bbb83589ad21febadb4fe79b9d62cfe

SHA512
69ea0c9b27307f9f340ff238d85011c0ea761166456fd1f73940b56355d191118398b1f442fc99bc10c9fbadcbd3078402d40782db83b007cee6a372368b9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F65.tmp.exe
MD5
75108940b5bcb39969c6ceb388a7d757

SHA1
f27f37c1228d2d851c027a38c53bfb3ffdff2181

SHA256
5cd66e5ff2736faf6c50137d8147d1b89bbb83589ad21febadb4fe79b9d62cfe

SHA512
69ea0c9b27307f9f340ff238d85011c0ea761166456fd1f73940b56355d191118398b1f442fc99bc10c9fbadcbd3078402d40782db83b007cee6a372368b9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\9254.tmp.exe
MD5
9128e7db75549f010032613d3d794ee0

SHA1
8b7bd9777cc59f14c7ecda1689079ba741a10eb7

SHA256
9ba985c9a8b39d7b33a59463467baea0f35ce5c1dd1647354708fd1e08894f22

SHA512
df1c4e8f8403894a9bba503195e834f22711e54d0950cdac2a8d990c9c8eff71fb4cae24303eb3dd93f188987cda9b4b0f9f9174be5dc7adee94b2a2e949a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\9254.tmp.exe
MD5
9128e7db75549f010032613d3d794ee0

SHA1
8b7bd9777cc59f14c7ecda1689079ba741a10eb7

SHA256
9ba985c9a8b39d7b33a59463467baea0f35ce5c1dd1647354708fd1e08894f22

SHA512
df1c4e8f8403894a9bba503195e834f22711e54d0950cdac2a8d990c9c8eff71fb4cae24303eb3dd93f188987cda9b4b0f9f9174be5dc7adee94b2a2e949a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\9737.tmp.exe
MD5
cccbcd98e1f50d10a6a736aa8b17fe78

SHA1
9683954602105f4eca9fa074e311e7c18a165c07

SHA256
1c89593029c82f452bb75b026043b8f2e71e3db25f39863b519087750787f6d5

SHA512
1f53b910497a6973a5c128b741378a01f65c107e9f32993d0d2c3380c17148e86086488626067ff52b3e1e62b574f520900de0bfe190b008bd22b60667d4e67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9737.tmp.exe
MD5
cccbcd98e1f50d10a6a736aa8b17fe78

SHA1
9683954602105f4eca9fa074e311e7c18a165c07

SHA256
1c89593029c82f452bb75b026043b8f2e71e3db25f39863b519087750787f6d5

SHA512
1f53b910497a6973a5c128b741378a01f65c107e9f32993d0d2c3380c17148e86086488626067ff52b3e1e62b574f520900de0bfe190b008bd22b60667d4e67c

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/220-84-0x0000000000000000-mapping.dmp

Download
memory/672-50-0x0000000000000000-mapping.dmp

Download
memory/1060-53-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1060-54-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1636-85-0x0000000008170000-0x0000000008171000-memory.dmp

Filesize
4KB

Download
memory/1636-58-0x0000000000000000-mapping.dmp

Download
memory/1636-119-0x0000000009A90000-0x0000000009A91000-memory.dmp

Filesize
4KB

Download
memory/1636-117-0x0000000009AA0000-0x0000000009AA1000-memory.dmp

Filesize
4KB

Download
memory/1636-116-0x00000000071C3000-0x00000000071C4000-memory.dmp

Filesize
4KB

Download
memory/1636-115-0x0000000009AF0000-0x0000000009AF1000-memory.dmp

Filesize
4KB

Download
memory/1636-113-0x000000007EAA0000-0x000000007EAA1000-memory.dmp

Filesize
4KB

Download
memory/1636-114-0x0000000009950000-0x0000000009951000-memory.dmp

Filesize
4KB

Download
memory/1636-111-0x00000000097E0000-0x00000000097E1000-memory.dmp

Filesize
4KB

Download
memory/1636-104-0x0000000009820000-0x0000000009853000-memory.dmp

Filesize
204KB

Download
memory/1636-86-0x0000000008540000-0x0000000008541000-memory.dmp

Filesize
4KB

Download
memory/1636-87-0x0000000008A40000-0x0000000008A41000-memory.dmp

Filesize
4KB

Download
memory/1636-83-0x0000000008100000-0x0000000008101000-memory.dmp

Filesize
4KB

Download
memory/1636-82-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/1636-81-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/1636-72-0x00000000071C2000-0x00000000071C3000-memory.dmp

Filesize
4KB

Download
memory/1636-67-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/1636-63-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/1636-61-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1636-60-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1772-64-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/1772-26-0x0000000000000000-mapping.dmp

Download
memory/1772-80-0x0000000007304000-0x0000000007306000-memory.dmp

Filesize
8KB

Download
memory/1772-79-0x0000000007303000-0x0000000007304000-memory.dmp

Filesize
4KB

Download
memory/1772-78-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/1772-69-0x0000000007302000-0x0000000007303000-memory.dmp

Filesize
4KB

Download
memory/1772-77-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1772-73-0x0000000007190000-0x00000000071CC000-memory.dmp

Filesize
240KB

Download
memory/1772-76-0x0000000002D30000-0x0000000002D86000-memory.dmp

Filesize
344KB

Download
memory/1772-66-0x0000000004980000-0x00000000049BE000-memory.dmp

Filesize
248KB

Download
memory/1772-65-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1772-62-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/1896-59-0x0000000000000000-mapping.dmp

Download
memory/2104-93-0x000000000041F37A-mapping.dmp

Download
memory/2104-91-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2104-112-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2104-96-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-70-0x00000217A0780000-0x00000217A0781000-memory.dmp

Filesize
4KB

Download
memory/2396-71-0x00000217A0780000-0x00000217A0781000-memory.dmp

Filesize
4KB

Download
memory/3128-8-0x0000000000B00000-0x0000000000B17000-memory.dmp

Filesize
92KB

Download
memory/3256-30-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/3256-17-0x0000000002310000-0x000000000231A000-memory.dmp

Filesize
40KB

Download
memory/3256-34-0x0000000004B34000-0x0000000004B36000-memory.dmp

Filesize
8KB

Download
memory/3256-18-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/3256-31-0x0000000004B32000-0x0000000004B33000-memory.dmp

Filesize
4KB

Download
memory/3256-19-0x00000000023B0000-0x00000000023B9000-memory.dmp

Filesize
36KB

Download
memory/3256-33-0x0000000004B33000-0x0000000004B34000-memory.dmp

Filesize
4KB

Download
memory/3256-12-0x0000000000000000-mapping.dmp

Download
memory/3256-15-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3256-16-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3484-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3484-4-0x0000000000402A38-mapping.dmp

Download
memory/3568-9-0x0000000000000000-mapping.dmp

Download
memory/3568-133-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/3568-90-0x0000000007E40000-0x0000000007E41000-memory.dmp

Filesize
4KB

Download
memory/3568-21-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3568-32-0x0000000007364000-0x0000000007366000-memory.dmp

Filesize
8KB

Download
memory/3568-22-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3568-35-0x0000000003050000-0x000000000308C000-memory.dmp

Filesize
240KB

Download
memory/3568-23-0x00000000049E0000-0x0000000004A0D000-memory.dmp

Filesize
180KB

Download
memory/3568-92-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/3568-27-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3568-39-0x0000000007363000-0x0000000007364000-memory.dmp

Filesize
4KB

Download
memory/3568-134-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/3568-36-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3568-20-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/3568-37-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/3568-95-0x00000000084F0000-0x00000000084F1000-memory.dmp

Filesize
4KB

Download
memory/3568-38-0x0000000007362000-0x0000000007363000-memory.dmp

Filesize
4KB

Download
memory/3568-141-0x0000000009CB0000-0x0000000009CB1000-memory.dmp

Filesize
4KB

Download
memory/3568-89-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/3568-102-0x00000000087E0000-0x00000000087E1000-memory.dmp

Filesize
4KB

Download
memory/3568-25-0x0000000004AA0000-0x0000000004ACC000-memory.dmp

Filesize
176KB

Download
memory/3972-101-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/4468-40-0x0000000000000000-mapping.dmp

Download
memory/4468-48-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4468-56-0x00000000081A0000-0x00000000081A1000-memory.dmp

Filesize
4KB

Download
memory/4468-57-0x0000000008240000-0x00000000082D7000-memory.dmp

Filesize
604KB

Download
memory/4468-43-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4468-49-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/4468-44-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/4468-47-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4692-5-0x0000000000030000-0x000000000003D000-memory.dmp

Filesize
52KB

Download
memory/4692-2-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download