redline | 9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7v20201028
submitted
13-03-2021 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

331064627d4361c3f3e3ba15d4d75afc.exe
Size

1.1MB
MD5

331064627d4361c3f3e3ba15d4d75afc
SHA1

090fa5f883dcd45de13f2a7896748925e26630ee
SHA256

9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
SHA512

aa87f34aa129eef8dc3eabbf9c097161779c6580add5f694e0c779d3f9e9ba369765e05c3ab1816765bbad43cf78ac04cb5af8db9838742710b0b4aa17481df0

Score

10^/10

redline discovery evasion infostealer spyware stealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1184-21-0x0000000000190000-0x00000000001B6000-memory.dmp	family_redline
behavioral1/memory/1184-27-0x0000000000190000-0x00000000001B6000-memory.dmp	family_redline

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 12 IoCs

Processes:

Saluta.comSaluta.comRegAsm.exefile.exefile.exelibmfxsw32.exelibmfxsw32.exelibmfxsw32.exelibmfxsw32.exelibmfxsw32.exelibmfxsw32.exelibmfxsw32.exe

pid	process
1696	Saluta.com
876	Saluta.com
1184	RegAsm.exe
1600	file.exe
1788	file.exe
1684	libmfxsw32.exe
876	libmfxsw32.exe
1552	libmfxsw32.exe
1832	libmfxsw32.exe
1616	libmfxsw32.exe
1628	libmfxsw32.exe
1332	libmfxsw32.exe

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exelibmfxsw32.exelibmfxsw32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	libmfxsw32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	libmfxsw32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	libmfxsw32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	libmfxsw32.exe

Loads dropped DLL 5 IoCs

Processes:

cmd.exeSaluta.comRegAsm.exefile.exe

pid process

1776 cmd.exe
876 Saluta.com
1184 RegAsm.exe
1184 RegAsm.exe
1600 file.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

1776 icacls.exe
1840 icacls.exe
2020 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1776	cmd.exe
876	Saluta.com
1184	RegAsm.exe
1184	RegAsm.exe
1600	file.exe

pid	process
1776	icacls.exe
1840	icacls.exe
2020	icacls.exe

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exelibmfxsw32.exelibmfxsw32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	libmfxsw32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	libmfxsw32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	libmfxsw32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	libmfxsw32.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Saluta.comfile.exelibmfxsw32.exelibmfxsw32.exe

description	pid	process	target process
PID 876 set thread context of 1184	876	Saluta.com	RegAsm.exe
PID 1600 set thread context of 1788	1600	file.exe	file.exe
PID 876 set thread context of 1552	876	libmfxsw32.exe	libmfxsw32.exe
PID 1684 set thread context of 1332	1684	libmfxsw32.exe	libmfxsw32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

280 PING.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

RegAsm.exelibmfxsw32.exe

pid process

1184 RegAsm.exe
1684 libmfxsw32.exe
1684 libmfxsw32.exe
1684 libmfxsw32.exe
1684 libmfxsw32.exe
1684 libmfxsw32.exe
1684 libmfxsw32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exelibmfxsw32.exe

description pid process

Token: SeDebugPrivilege 1184 RegAsm.exe
Token: SeDebugPrivilege 1684 libmfxsw32.exe

pid	process
280	PING.EXE

pid	process
1184	RegAsm.exe
1684	libmfxsw32.exe
1684	libmfxsw32.exe
1684	libmfxsw32.exe
1684	libmfxsw32.exe
1684	libmfxsw32.exe
1684	libmfxsw32.exe

description	pid	process
Token: SeDebugPrivilege	1184	RegAsm.exe
Token: SeDebugPrivilege	1684	libmfxsw32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

331064627d4361c3f3e3ba15d4d75afc.execmd.execmd.exeSaluta.comSaluta.comRegAsm.exefile.exefile.execmd.exe

description	pid	process	target process
PID 800 wrote to memory of 1176	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1176	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1176	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1176	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1980	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1980	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1980	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 800 wrote to memory of 1980	800	331064627d4361c3f3e3ba15d4d75afc.exe	cmd.exe
PID 1980 wrote to memory of 1776	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1776	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1776	1980	cmd.exe	cmd.exe
PID 1980 wrote to memory of 1776	1980	cmd.exe	cmd.exe
PID 1776 wrote to memory of 1580	1776	cmd.exe	findstr.exe
PID 1776 wrote to memory of 1580	1776	cmd.exe	findstr.exe
PID 1776 wrote to memory of 1580	1776	cmd.exe	findstr.exe
PID 1776 wrote to memory of 1580	1776	cmd.exe	findstr.exe
PID 1776 wrote to memory of 1696	1776	cmd.exe	Saluta.com
PID 1776 wrote to memory of 1696	1776	cmd.exe	Saluta.com
PID 1776 wrote to memory of 1696	1776	cmd.exe	Saluta.com
PID 1776 wrote to memory of 1696	1776	cmd.exe	Saluta.com
PID 1776 wrote to memory of 280	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 280	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 280	1776	cmd.exe	PING.EXE
PID 1776 wrote to memory of 280	1776	cmd.exe	PING.EXE
PID 1696 wrote to memory of 876	1696	Saluta.com	Saluta.com
PID 1696 wrote to memory of 876	1696	Saluta.com	Saluta.com
PID 1696 wrote to memory of 876	1696	Saluta.com	Saluta.com
PID 1696 wrote to memory of 876	1696	Saluta.com	Saluta.com
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 876 wrote to memory of 1184	876	Saluta.com	RegAsm.exe
PID 1184 wrote to memory of 1600	1184	RegAsm.exe	file.exe
PID 1184 wrote to memory of 1600	1184	RegAsm.exe	file.exe
PID 1184 wrote to memory of 1600	1184	RegAsm.exe	file.exe
PID 1184 wrote to memory of 1600	1184	RegAsm.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1600 wrote to memory of 1788	1600	file.exe	file.exe
PID 1788 wrote to memory of 1392	1788	file.exe	cmd.exe
PID 1788 wrote to memory of 1392	1788	file.exe	cmd.exe
PID 1788 wrote to memory of 1392	1788	file.exe	cmd.exe
PID 1788 wrote to memory of 1392	1788	file.exe	cmd.exe
PID 1392 wrote to memory of 1776	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1776	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1776	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1776	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1840	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1840	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1840	1392	cmd.exe	icacls.exe
PID 1392 wrote to memory of 1840	1392	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe
"C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Ehim
2⤵
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Osi.adt
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^QAXGiYkwfmvZsAkSwFzQElmpDQyAvOxQLytcnqBrEKginUwgVONcJiyFqOrsSKFByFhjcQxwtdjTWaLIOREIqYuEZnxKXplTyMeSGPSyzMszVkJHexDwuWBumJjWcKrU$" Far.vsdx
4⤵
PID:1580

C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
Saluta.com Ascolta.mpg
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com Ascolta.mpg
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:876

C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\file.exe
"{path}"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
9⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:1776

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:1840

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
10⤵
- Modifies file permissions
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:280

C:\Windows\system32\taskeng.exe
taskeng.exe {794646B2-CE5F-4A27-A9F2-AA986AC247E0} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
PID:1076

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
PID:876

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1552

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1628

C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Ascolta.mpg
MD5
38c0f4e15a4b9b62fc28204d8a432dea

SHA1
0144690c5c90a8f15837a739963217c204197b23

SHA256
0f72f7c429443ec823edaa8013f3fd80011519da12f7ea140f1957f63243a9bd

SHA512
e8809d11fcfb1ff304dc67073c66e17eca0317bc963f1d5227bff7a561d9cb0b67f7e66721032e8e4a6f0fea357a666c756cb42d968cc3e442e84493e1231163

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Far.vsdx
MD5
7b0207f05263d514fc4f7a2b177b6051

SHA1
ab7d24200270ab0969deccf9816079225a6c2e5f

SHA256
d7853ca5404edb72f4da3558f70cee027f979bce93b1fa3138a56b2a94dccfa5

SHA512
6a84a5681cdd28c63458bcd89f7bcaabbda31d52d04253d017ce99c235aa3d35fa540d5357241d30d23d0606515e078a2416a01d8a354d746ee67e0484ccf428

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Osi.adt
MD5
e4cd8cf31700ef541395d936e4be3fc2

SHA1
3ed11b6dbe745beac72040b4d3855dc5fad39feb

SHA256
1c92f6179538905efea7b41b80915f0238db7b7275de0aa291a12dd2fe74efa9

SHA512
33f577aca3cd94749daf6f682ca07e3ff63e041cf1bf5c576785cbe7c8796c0a18d173b154ba1e24cd7156a934e1d2f4440c7f7283c2325a7566245b7d896de0

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Tuo.accde
MD5
854ad49e5b08a3324b9dbeb070d7fe2e

SHA1
ead483aa1b1d9a82a9a9dc22d284cb8239f8bd15

SHA256
17c5db44d5857692a705f91adca500f700daab0f3f1896098c327a3c5eb97db6

SHA512
a576e282eef72ea42eae46f5631305505f4046a7e85a62c06e83e6a2978f20f6f2c104c5278013c6d09cb965c9d5d9a6ee283fa7c87ece73c82539378c9407ae

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
\Users\Admin\AppData\Local\Temp\file.exe
MD5
774073dc394ceefedf0533ba910726ad

SHA1
16e27e1658f25607ebd0f675ce6c6ffa7fa1f922

SHA256
f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311

SHA512
87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893

Download Submit
\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/280-12-0x0000000000000000-mapping.dmp

Download
memory/800-2-0x0000000076C21000-0x0000000076C23000-memory.dmp

Filesize
8KB

Download
memory/876-53-0x0000000000000000-mapping.dmp

Download
memory/876-20-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/876-65-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/876-66-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/876-57-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/876-15-0x0000000000000000-mapping.dmp

Download
memory/1176-3-0x0000000000000000-mapping.dmp

Download
memory/1184-21-0x0000000000190000-0x00000000001B6000-memory.dmp

Filesize
152KB

Download
memory/1184-27-0x0000000000190000-0x00000000001B6000-memory.dmp

Filesize
152KB

Download
memory/1184-29-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/1184-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-80-0x000000000042800A-mapping.dmp

Download
memory/1392-47-0x0000000000000000-mapping.dmp

Download
memory/1552-73-0x000000000042800A-mapping.dmp

Download
memory/1552-83-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1580-7-0x0000000000000000-mapping.dmp

Download
memory/1600-38-0x0000000000770000-0x0000000000772000-memory.dmp

Filesize
8KB

Download
memory/1600-34-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1600-41-0x0000000008020000-0x000000000810F000-memory.dmp

Filesize
956KB

Download
memory/1600-31-0x0000000000000000-mapping.dmp

Download
memory/1600-39-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/1600-35-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1600-40-0x00000000082B0000-0x00000000083A2000-memory.dmp

Filesize
968KB

Download
memory/1600-37-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/1684-58-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/1684-52-0x0000000000000000-mapping.dmp

Download
memory/1684-55-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-64-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/1696-10-0x0000000000000000-mapping.dmp

Download
memory/1776-49-0x0000000000000000-mapping.dmp

Download
memory/1776-6-0x0000000000000000-mapping.dmp

Download
memory/1788-44-0x000000000042800A-mapping.dmp

Download
memory/1788-48-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1788-43-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/1840-50-0x0000000000000000-mapping.dmp

Download
memory/1980-4-0x0000000000000000-mapping.dmp

Download
memory/2020-51-0x0000000000000000-mapping.dmp

Download