redline | 4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd

Analysis

max time kernel
123s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
11-03-2021 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
Size

302KB
MD5

de938a6e9d26fe6406522ad5114c3ebf
SHA1

e1f0533aaa45c2a3dc8072821dbe83438f9c1741
SHA256

4b74a532f2a5da62ae4298b75c9dc13ec959810a66c34aaefdf6b58c067396dd
SHA512

888c5276b2ca14de95d6c87a6d50bd75b9a3fb2c5b9fafd0e07c7086eeeb484dcb72e80119c750a43c2af738ff401dcd3f1e2bd88191afff65f0c52bb27bd874

Score

10^/10

redline smokeloader backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2696-26-0x0000000004950000-0x000000000497D000-memory.dmp	family_redline
behavioral2/memory/2696-31-0x0000000004AB0000-0x0000000004ADC000-memory.dmp	family_redline
behavioral2/memory/2116-62-0x0000000007160000-0x000000000719E000-memory.dmp	family_redline
behavioral2/memory/2116-64-0x00000000071E0000-0x000000000721C000-memory.dmp	family_redline
behavioral2/memory/4540-112-0x0000000000400000-0x0000000000426000-memory.dmp	family_redline
behavioral2/memory/4540-113-0x000000000041F37A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1056 created 3128 1056 WerFault.exe Explorer.EXE
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 6 IoCs

Processes:

B404.tmp.exeB760.tmp.exeBC14.tmp.exe1837264067.exe1832078390.exe1837264067.exe

pid process

2696 B404.tmp.exe
4068 B760.tmp.exe
2116 BC14.tmp.exe
3184 1837264067.exe
3136 1832078390.exe
4540 1837264067.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Deletes itself 1 IoCs

Processes:

Explorer.EXE

pid process

3128 Explorer.EXE
Loads dropped DLL 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

pid process

2484 SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	pid	process	target process
PID 1056 created 3128	1056	WerFault.exe	Explorer.EXE

pid	process
2696	B404.tmp.exe
4068	B760.tmp.exe
2116	BC14.tmp.exe
3184	1837264067.exe
3136	1832078390.exe
4540	1837264067.exe

pid	process
2484	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1837264067.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	1837264067.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	1837264067.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1837264067.exe = "0"	1837264067.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1837264067.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1837264067.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1837264067.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

1837264067.exe

pid	process
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe
3184	1837264067.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe1837264067.exe

description	pid	process	target process
PID 492 set thread context of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 3184 set thread context of 4540	3184	1837264067.exe	1837264067.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2516 3136 WerFault.exe 1832078390.exe
1056 3128 WerFault.exe Explorer.EXE

pid	pid_target	process	target process
2516	3136	WerFault.exe	1832078390.exe
1056	3128	WerFault.exe	Explorer.EXE

Checks SCSI registry key(s) 3 TTPs 15 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exeSecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4440 timeout.exe

pid	process
4440	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50703004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000f319d89d3116d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000005ccfaa9d3116d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e4070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000a6fbb6b755add60100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e4070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483821478966568"	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Explorer.EXE

pid	process
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE
3128	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

pid process

2484 SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

pid	process
2484	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

B760.tmp.exe1837264067.exeWerFault.exeExplorer.EXEWerFault.exeexplorer.exeB404.tmp.exeBC14.tmp.exe

description	pid	process
Token: SeDebugPrivilege	4068	B760.tmp.exe
Token: SeDebugPrivilege	3184	1837264067.exe
Token: SeRestorePrivilege	2516	WerFault.exe
Token: SeBackupPrivilege	2516	WerFault.exe
Token: SeDebugPrivilege	2516	WerFault.exe
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeShutdownPrivilege	3128	Explorer.EXE
Token: SeCreatePagefilePrivilege	3128	Explorer.EXE
Token: SeDebugPrivilege	1056	WerFault.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeDebugPrivilege	2696	B404.tmp.exe
Token: SeDebugPrivilege	2116	BC14.tmp.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe
Token: SeShutdownPrivilege	296	explorer.exe
Token: SeCreatePagefilePrivilege	296	explorer.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe
296	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

3164 ShellExperienceHost.exe
3248 SearchUI.exe
3164 ShellExperienceHost.exe

pid	process
3164	ShellExperienceHost.exe
3248	SearchUI.exe
3164	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exeExplorer.EXEB760.tmp.exe1837264067.execmd.exe

description	pid	process	target process
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 492 wrote to memory of 2484	492	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe	SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
PID 3128 wrote to memory of 2696	3128	Explorer.EXE	B404.tmp.exe
PID 3128 wrote to memory of 2696	3128	Explorer.EXE	B404.tmp.exe
PID 3128 wrote to memory of 2696	3128	Explorer.EXE	B404.tmp.exe
PID 3128 wrote to memory of 4068	3128	Explorer.EXE	B760.tmp.exe
PID 3128 wrote to memory of 4068	3128	Explorer.EXE	B760.tmp.exe
PID 3128 wrote to memory of 4068	3128	Explorer.EXE	B760.tmp.exe
PID 3128 wrote to memory of 2116	3128	Explorer.EXE	BC14.tmp.exe
PID 3128 wrote to memory of 2116	3128	Explorer.EXE	BC14.tmp.exe
PID 3128 wrote to memory of 2116	3128	Explorer.EXE	BC14.tmp.exe
PID 4068 wrote to memory of 3184	4068	B760.tmp.exe	1837264067.exe
PID 4068 wrote to memory of 3184	4068	B760.tmp.exe	1837264067.exe
PID 4068 wrote to memory of 3184	4068	B760.tmp.exe	1837264067.exe
PID 4068 wrote to memory of 3136	4068	B760.tmp.exe	1832078390.exe
PID 4068 wrote to memory of 3136	4068	B760.tmp.exe	1832078390.exe
PID 4068 wrote to memory of 3136	4068	B760.tmp.exe	1832078390.exe
PID 3184 wrote to memory of 4320	3184	1837264067.exe	powershell.exe
PID 3184 wrote to memory of 4320	3184	1837264067.exe	powershell.exe
PID 3184 wrote to memory of 4320	3184	1837264067.exe	powershell.exe
PID 3184 wrote to memory of 4364	3184	1837264067.exe	cmd.exe
PID 3184 wrote to memory of 4364	3184	1837264067.exe	cmd.exe
PID 3184 wrote to memory of 4364	3184	1837264067.exe	cmd.exe
PID 4364 wrote to memory of 4440	4364	cmd.exe	timeout.exe
PID 4364 wrote to memory of 4440	4364	cmd.exe	timeout.exe
PID 4364 wrote to memory of 4440	4364	cmd.exe	timeout.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe
PID 3184 wrote to memory of 4540	3184	1837264067.exe	1837264067.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

1837264067.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 1837264067.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1837264067.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:492

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.15067.7286.exe"
3⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2484

C:\Users\Admin\AppData\Local\Temp\B404.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B404.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\AppData\Local\Temp\B760.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B760.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\1837264067.exe
"C:\Users\Admin\AppData\Local\Temp\1837264067.exe"
3⤵
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1837264067.exe" -Force
4⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:4440

C:\Users\Admin\AppData\Local\Temp\1837264067.exe
"C:\Users\Admin\AppData\Local\Temp\1837264067.exe"
4⤵
- Executes dropped EXE
PID:4540

C:\Users\Admin\AppData\Local\Temp\1832078390.exe
"C:\Users\Admin\AppData\Local\Temp\1832078390.exe"
3⤵
- Executes dropped EXE
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 268
4⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Users\Admin\AppData\Local\Temp\BC14.tmp.exe
C:\Users\Admin\AppData\Local\Temp\BC14.tmp.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3128 -s 7680
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:296

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1832078390.exe
MD5
58f807333c6bf89503690d4ac187a596

SHA1
6835874207df9383886662a5f0378e0d760c1a94

SHA256
18b2fb824c91d5901e2b6a2515b62de3b7b541353c5b2c79709505bc477b7b1a

SHA512
0eba783fdebe3c6ec2fa58cc196c23f407eddcc617d0a2904fb484efd148fba1c1aed7e3533b0c9927e192aab508ae36e5e2d4d3519b3a677cb15ca64ad71cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1832078390.exe
MD5
58f807333c6bf89503690d4ac187a596

SHA1
6835874207df9383886662a5f0378e0d760c1a94

SHA256
18b2fb824c91d5901e2b6a2515b62de3b7b541353c5b2c79709505bc477b7b1a

SHA512
0eba783fdebe3c6ec2fa58cc196c23f407eddcc617d0a2904fb484efd148fba1c1aed7e3533b0c9927e192aab508ae36e5e2d4d3519b3a677cb15ca64ad71cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1837264067.exe
MD5
5ad4c3484acd2449fe561d869e45cfe9

SHA1
2da16a5ba99d9606e7bc9632579b805b4c388b3a

SHA256
15b2e5a4550cad8f72dcfa21b8c1836d58ae51b8cdbec9c705b9270525aa6fdc

SHA512
bc7ccabde11c24c20e9f76b42a0b19d7a6b7bdd132dec3b52b49004c1f438ed58a07a637e543735113419da50daf43b3220a1ed7c7c671f95e1dde952fc2b2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B404.tmp.exe
MD5
75108940b5bcb39969c6ceb388a7d757

SHA1
f27f37c1228d2d851c027a38c53bfb3ffdff2181

SHA256
5cd66e5ff2736faf6c50137d8147d1b89bbb83589ad21febadb4fe79b9d62cfe

SHA512
69ea0c9b27307f9f340ff238d85011c0ea761166456fd1f73940b56355d191118398b1f442fc99bc10c9fbadcbd3078402d40782db83b007cee6a372368b9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\B404.tmp.exe
MD5
75108940b5bcb39969c6ceb388a7d757

SHA1
f27f37c1228d2d851c027a38c53bfb3ffdff2181

SHA256
5cd66e5ff2736faf6c50137d8147d1b89bbb83589ad21febadb4fe79b9d62cfe

SHA512
69ea0c9b27307f9f340ff238d85011c0ea761166456fd1f73940b56355d191118398b1f442fc99bc10c9fbadcbd3078402d40782db83b007cee6a372368b9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\B760.tmp.exe
MD5
9128e7db75549f010032613d3d794ee0

SHA1
8b7bd9777cc59f14c7ecda1689079ba741a10eb7

SHA256
9ba985c9a8b39d7b33a59463467baea0f35ce5c1dd1647354708fd1e08894f22

SHA512
df1c4e8f8403894a9bba503195e834f22711e54d0950cdac2a8d990c9c8eff71fb4cae24303eb3dd93f188987cda9b4b0f9f9174be5dc7adee94b2a2e949a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\B760.tmp.exe
MD5
9128e7db75549f010032613d3d794ee0

SHA1
8b7bd9777cc59f14c7ecda1689079ba741a10eb7

SHA256
9ba985c9a8b39d7b33a59463467baea0f35ce5c1dd1647354708fd1e08894f22

SHA512
df1c4e8f8403894a9bba503195e834f22711e54d0950cdac2a8d990c9c8eff71fb4cae24303eb3dd93f188987cda9b4b0f9f9174be5dc7adee94b2a2e949a686

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC14.tmp.exe
MD5
cccbcd98e1f50d10a6a736aa8b17fe78

SHA1
9683954602105f4eca9fa074e311e7c18a165c07

SHA256
1c89593029c82f452bb75b026043b8f2e71e3db25f39863b519087750787f6d5

SHA512
1f53b910497a6973a5c128b741378a01f65c107e9f32993d0d2c3380c17148e86086488626067ff52b3e1e62b574f520900de0bfe190b008bd22b60667d4e67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BC14.tmp.exe
MD5
cccbcd98e1f50d10a6a736aa8b17fe78

SHA1
9683954602105f4eca9fa074e311e7c18a165c07

SHA256
1c89593029c82f452bb75b026043b8f2e71e3db25f39863b519087750787f6d5

SHA512
1f53b910497a6973a5c128b741378a01f65c107e9f32993d0d2c3380c17148e86086488626067ff52b3e1e62b574f520900de0bfe190b008bd22b60667d4e67c

Download Submit
\Users\Admin\AppData\Local\Temp\4DD3.tmp
MD5
50741b3f2d7debf5d2bed63d88404029

SHA1
56210388a627b926162b36967045be06ffb1aad3

SHA256
f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

SHA512
fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

Download Submit
memory/492-5-0x00000000001C0000-0x00000000001CD000-memory.dmp

Filesize
52KB

Download
memory/492-2-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/1056-56-0x0000027182660000-0x0000027182661000-memory.dmp

Filesize
4KB

Download
memory/1056-57-0x0000027182660000-0x0000027182661000-memory.dmp

Filesize
4KB

Download
memory/2116-64-0x00000000071E0000-0x000000000721C000-memory.dmp

Filesize
240KB

Download
memory/2116-62-0x0000000007160000-0x000000000719E000-memory.dmp

Filesize
248KB

Download
memory/2116-61-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-60-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2116-59-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/2116-66-0x00000000030B0000-0x0000000003106000-memory.dmp

Filesize
344KB

Download
memory/2116-68-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2116-71-0x0000000007314000-0x0000000007316000-memory.dmp

Filesize
8KB

Download
memory/2116-28-0x0000000000000000-mapping.dmp

Download
memory/2116-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2116-70-0x0000000007313000-0x0000000007314000-memory.dmp

Filesize
4KB

Download
memory/2116-69-0x0000000007312000-0x0000000007313000-memory.dmp

Filesize
4KB

Download
memory/2484-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2484-4-0x0000000000402A38-mapping.dmp

Download
memory/2516-53-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2516-54-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2696-32-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2696-77-0x00000000087E0000-0x00000000087E1000-memory.dmp

Filesize
4KB

Download
memory/2696-89-0x000000000AC50000-0x000000000AC51000-memory.dmp

Filesize
4KB

Download
memory/2696-41-0x0000000007344000-0x0000000007346000-memory.dmp

Filesize
8KB

Download
memory/2696-88-0x000000000ABB0000-0x000000000ABB1000-memory.dmp

Filesize
4KB

Download
memory/2696-35-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-87-0x00000000098C0000-0x00000000098C1000-memory.dmp

Filesize
4KB

Download
memory/2696-39-0x0000000007343000-0x0000000007344000-memory.dmp

Filesize
4KB

Download
memory/2696-36-0x0000000007340000-0x0000000007341000-memory.dmp

Filesize
4KB

Download
memory/2696-85-0x00000000091D0000-0x00000000091D1000-memory.dmp

Filesize
4KB

Download
memory/2696-84-0x0000000008FF0000-0x0000000008FF1000-memory.dmp

Filesize
4KB

Download
memory/2696-37-0x0000000007342000-0x0000000007343000-memory.dmp

Filesize
4KB

Download
memory/2696-34-0x0000000002F20000-0x0000000002F5C000-memory.dmp

Filesize
240KB

Download
memory/2696-76-0x0000000008670000-0x0000000008671000-memory.dmp

Filesize
4KB

Download
memory/2696-75-0x0000000008530000-0x0000000008531000-memory.dmp

Filesize
4KB

Download
memory/2696-31-0x0000000004AB0000-0x0000000004ADC000-memory.dmp

Filesize
176KB

Download
memory/2696-26-0x0000000004950000-0x000000000497D000-memory.dmp

Filesize
180KB

Download
memory/2696-25-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/2696-24-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/2696-23-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/2696-74-0x00000000084D0000-0x00000000084D1000-memory.dmp

Filesize
4KB

Download
memory/2696-73-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/2696-72-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x0000000000000000-mapping.dmp

Download
memory/3128-8-0x00000000011C0000-0x00000000011D7000-memory.dmp

Filesize
92KB

Download
memory/3136-49-0x0000000000000000-mapping.dmp

Download
memory/3184-52-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3184-97-0x00000000021E0000-0x0000000002277000-memory.dmp

Filesize
604KB

Download
memory/3184-38-0x0000000000000000-mapping.dmp

Download
memory/3184-43-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/3184-44-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3184-47-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3184-48-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4068-12-0x0000000000000000-mapping.dmp

Download
memory/4068-33-0x0000000004B44000-0x0000000004B46000-memory.dmp

Filesize
8KB

Download
memory/4068-22-0x0000000004B43000-0x0000000004B44000-memory.dmp

Filesize
4KB

Download
memory/4068-18-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4068-20-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/4068-21-0x00000000023A0000-0x00000000023A9000-memory.dmp

Filesize
36KB

Download
memory/4068-19-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4068-15-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/4068-16-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/4068-17-0x0000000002000000-0x000000000200A000-memory.dmp

Filesize
40KB

Download
memory/4320-98-0x0000000000000000-mapping.dmp

Download
memory/4320-109-0x0000000004352000-0x0000000004353000-memory.dmp

Filesize
4KB

Download
memory/4320-101-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/4320-130-0x0000000008DA0000-0x0000000008DA1000-memory.dmp

Filesize
4KB

Download
memory/4320-102-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/4320-104-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4320-105-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/4320-107-0x00000000075D0000-0x00000000075D1000-memory.dmp

Filesize
4KB

Download
memory/4320-108-0x0000000004350000-0x0000000004351000-memory.dmp

Filesize
4KB

Download
memory/4320-100-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/4320-110-0x0000000007410000-0x0000000007411000-memory.dmp

Filesize
4KB

Download
memory/4320-111-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/4320-136-0x0000000008EC0000-0x0000000008EC1000-memory.dmp

Filesize
4KB

Download
memory/4320-131-0x0000000008F20000-0x0000000008F21000-memory.dmp

Filesize
4KB

Download
memory/4320-134-0x0000000008ED0000-0x0000000008ED1000-memory.dmp

Filesize
4KB

Download
memory/4320-132-0x000000007E4B0000-0x000000007E4B1000-memory.dmp

Filesize
4KB

Download
memory/4320-133-0x0000000004353000-0x0000000004354000-memory.dmp

Filesize
4KB

Download
memory/4320-122-0x0000000008A10000-0x0000000008A43000-memory.dmp

Filesize
204KB

Download
memory/4320-129-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/4364-99-0x0000000000000000-mapping.dmp

Download
memory/4440-103-0x0000000000000000-mapping.dmp

Download
memory/4540-120-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4540-113-0x000000000041F37A-mapping.dmp

Download
memory/4540-115-0x00000000732A0000-0x000000007398E000-memory.dmp

Filesize
6.9MB

Download
memory/4540-112-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4540-142-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download