Analysis
- max time kernel: 150s
- max time network: 125s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 13-03-2021 08:49
Static task: static1
Behavioral task: behavioral1
Sample: 331064627d4361c3f3e3ba15d4d75afc.exe
Resource: win7v20201028
General
- Target: 331064627d4361c3f3e3ba15d4d75afc.exe
- Size: 1.1MB
- MD5: 331064627d4361c3f3e3ba15d4d75afc
- SHA1: 090fa5f883dcd45de13f2a7896748925e26630ee
- SHA256: 9234d9cc843e2d90cf272e76714371573ad4769d5e7e0de122120e45fec9cdea
- SHA512: aa87f34aa129eef8dc3eabbf9c097161779c6580add5f694e0c779d3f9e9ba369765e05c3ab1816765bbad43cf78ac04cb5af8db9838742710b0b4aa17481df0
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1184-21-0x0000000000190000-0x00000000001B6000-memory.dmp | family_redline
  behavioral1/memory/1184-27-0x0000000000190000-0x00000000001B6000-memory.dmp | family_redline
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Executes dropped EXE (12 IoCs)
  Processes:
  pid | process
  1696 | Saluta.com
  876 | Saluta.com
  1184 | RegAsm.exe
  1600 | file.exe
  1788 | file.exe
  1684 | libmfxsw32.exe
  876 | libmfxsw32.exe
  1552 | libmfxsw32.exe
  1832 | libmfxsw32.exe
  1616 | libmfxsw32.exe
  1628 | libmfxsw32.exe
  1332 | libmfxsw32.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | libmfxsw32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | libmfxsw32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | libmfxsw32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | libmfxsw32.exe
- Loads dropped DLL (5 IoCs)
  Processes:
  pid | process
  1776 | cmd.exe
  876 | Saluta.com
  1184 | RegAsm.exe
  1184 | RegAsm.exe
  1600 | file.exe
- Modifies file permissions (1 TTPs, 3 IoCs)
  Processes:
  pid | process
  1776 | icacls.exe
  1840 | icacls.exe
  2020 | icacls.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Maps connected drives based on registry (3 TTPs, 6 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | file.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | file.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | libmfxsw32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | libmfxsw32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | libmfxsw32.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | libmfxsw32.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
  description | pid | process | target process
  PID 876 set thread context of 1184 | 876 | Saluta.com | RegAsm.exe
  PID 1600 set thread context of 1788 | 1600 | file.exe | file.exe
  PID 876 set thread context of 1552 | 876 | libmfxsw32.exe | libmfxsw32.exe
  PID 1684 set thread context of 1332 | 1684 | libmfxsw32.exe | libmfxsw32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies system certificate store
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | RegAsm.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | RegAsm.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 | RegAsm.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | RegAsm.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | RegAsm.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid | process
  1184 | RegAsm.exe
  1684 | libmfxsw32.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1184 | RegAsm.exe
  Token: SeDebugPrivilege | 1684 | libmfxsw32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 800 wrote to memory of 1176 | 800 | 331064627d4361c3f3e3ba15d4d75afc.exe | cmd.exe (4 entries)
  PID 800 wrote to memory of 1980 | 800 | 331064627d4361c3f3e3ba15d4d75afc.exe | cmd.exe (4 entries)
  PID 1980 wrote to memory of 1776 | 1980 | cmd.exe | cmd.exe (4 entries)
  PID 1776 wrote to memory of 1580 | 1776 | cmd.exe | findstr.exe (4 entries)
  PID 1776 wrote to memory of 1696 | 1776 | cmd.exe | Saluta.com (4 entries)
  PID 1776 wrote to memory of 280 | 1776 | cmd.exe | PING.EXE (4 entries)
  PID 1696 wrote to memory of 876 | 1696 | Saluta.com | Saluta.com (4 entries)
  PID 876 wrote to memory of 1184 | 876 | Saluta.com | RegAsm.exe (9 entries)
  PID 1184 wrote to memory of 1600 | 1184 | RegAsm.exe | file.exe (4 entries)
  PID 1600 wrote to memory of 1788 | 1600 | file.exe | file.exe (11 entries)
  PID 1788 wrote to memory of 1392 | 1788 | file.exe | cmd.exe (4 entries)
  PID 1392 wrote to memory of 1776 | 1392 | cmd.exe | icacls.exe (4 entries)
  PID 1392 wrote to memory of 1840 | 1392 | cmd.exe | icacls.exe (4 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\331064627d4361c3f3e3ba15d4d75afc.exe"
  PID: 800
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo Ehim
    PID: 1176
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Osi.adt
    PID: 1980
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe
      PID: 1776
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^QAXGiYkwfmvZsAkSwFzQElmpDQyAvOxQLytcnqBrEKginUwgVONcJiyFqOrsSKFByFhjcQxwtdjTWaLIOREIqYuEZnxKXplTyMeSGPSyzMszVkJHexDwuWBumJjWcKrU$" Far.vsdx
        PID: 1580
      - [4] C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
        Command line: Saluta.com Ascolta.mpg
        PID: 1696
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
          Command line: C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com Ascolta.mpg
          PID: 876
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
            Command line: C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe
            PID: 1184
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Local\Temp\file.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
              PID: 1600
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Loads dropped DLL
              - Maps connected drives based on registry
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
              - [8] C:\Users\Admin\AppData\Local\Temp\file.exe
                Command line: "{path}"
                PID: 1788
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                - [9] C:\Windows\SysWOW64\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
                  PID: 1392
                  - Suspicious use of WriteProcessMemory
                  - [10] C:\Windows\SysWOW64\icacls.exe
                    Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
                    PID: 1776
                    - Modifies file permissions
                  - [10] C:\Windows\SysWOW64\icacls.exe
                    Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
                    PID: 1840
                    - Modifies file permissions
                  - [10] C:\Windows\SysWOW64\icacls.exe
                    Command line: icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
                    PID: 2020
                    - Modifies file permissions
      - [4] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        PID: 280
        - Runs ping.exe
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {794646B2-CE5F-4A27-A9F2-AA986AC247E0} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
  PID: 1076
  - [2] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    Command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    PID: 876
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - [3] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
      Command line: "{path}"
      PID: 1552
      - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    Command line: C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
    PID: 1684
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
      Command line: "{path}"
      PID: 1832
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
      Command line: "{path}"
      PID: 1616
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
      Command line: "{path}"
      PID: 1628
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe
      Command line: "{path}"
      PID: 1332
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- File and Directory Permissions Modification: 1
- Install Root Certificate: 1
- Modify Registry: 1
- Virtualization/Sandbox Evasion: 2
- Web Service: 1
Downloads
- C:\Users\Admin\AppData\Local\Temp\file.exe (3 entries)
  MD5: 774073dc394ceefedf0533ba910726ad
  SHA1: 16e27e1658f25607ebd0f675ce6c6ffa7fa1f922
  SHA256: f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
  SHA512: 87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
- C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe (7 entries)
  MD5: 774073dc394ceefedf0533ba910726ad
  SHA1: 16e27e1658f25607ebd0f675ce6c6ffa7fa1f922
  SHA256: f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
  SHA512: 87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Ascolta.mpg
  MD5: 38c0f4e15a4b9b62fc28204d8a432dea
  SHA1: 0144690c5c90a8f15837a739963217c204197b23
  SHA256: 0f72f7c429443ec823edaa8013f3fd80011519da12f7ea140f1957f63243a9bd
  SHA512: e8809d11fcfb1ff304dc67073c66e17eca0317bc963f1d5227bff7a561d9cb0b67f7e66721032e8e4a6f0fea357a666c756cb42d968cc3e442e84493e1231163
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Far.vsdx
  MD5: 7b0207f05263d514fc4f7a2b177b6051
  SHA1: ab7d24200270ab0969deccf9816079225a6c2e5f
  SHA256: d7853ca5404edb72f4da3558f70cee027f979bce93b1fa3138a56b2a94dccfa5
  SHA512: 6a84a5681cdd28c63458bcd89f7bcaabbda31d52d04253d017ce99c235aa3d35fa540d5357241d30d23d0606515e078a2416a01d8a354d746ee67e0484ccf428
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Osi.adt
  MD5: e4cd8cf31700ef541395d936e4be3fc2
  SHA1: 3ed11b6dbe745beac72040b4d3855dc5fad39feb
  SHA256: 1c92f6179538905efea7b41b80915f0238db7b7275de0aa291a12dd2fe74efa9
  SHA512: 33f577aca3cd94749daf6f682ca07e3ff63e041cf1bf5c576785cbe7c8796c0a18d173b154ba1e24cd7156a934e1d2f4440c7f7283c2325a7566245b7d896de0
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe (2 entries)
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com (2 entries)
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- C:\Users\Admin\AppData\Roaming\YBwKzggQmBX\Tuo.accde
  MD5: 854ad49e5b08a3324b9dbeb070d7fe2e
  SHA1: ead483aa1b1d9a82a9a9dc22d284cb8239f8bd15
  SHA256: 17c5db44d5857692a705f91adca500f700daab0f3f1896098c327a3c5eb97db6
  SHA512: a576e282eef72ea42eae46f5631305505f4046a7e85a62c06e83e6a2978f20f6f2c104c5278013c6d09cb965c9d5d9a6ee283fa7c87ece73c82539378c9407ae
- \Users\Admin\AppData\Local\Temp\file.exe (2 entries)
  MD5: 774073dc394ceefedf0533ba910726ad
  SHA1: 16e27e1658f25607ebd0f675ce6c6ffa7fa1f922
  SHA256: f026ff658618ceb23f31259d3bb29c9583d6517b960e72fbf1177476c56fb311
  SHA512: 87f49445d951af81cb6ad3c2ce8a518221818b755beded73c37d4b9f4893b47199e940d7502dbdad9878c6ef86c579e0596f7f2ee137f5a42805433157d1f893
- \Users\Admin\AppData\Roaming\YBwKzggQmBX\RegAsm.exe (2 entries)
  MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
- \Users\Admin\AppData\Roaming\YBwKzggQmBX\Saluta.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- memory/280-12-0x0000000000000000-mapping.dmp
- memory/800-2-0x0000000076C21000-0x0000000076C23000-memory.dmp (Filesize 8KB)
- memory/876-53-0x0000000000000000-mapping.dmp
- memory/876-20-0x0000000000120000-0x0000000000121000-memory.dmp (Filesize 4KB)
- memory/876-65-0x00000000048B0000-0x00000000048B1000-memory.dmp (Filesize 4KB)
- memory/876-66-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize 4KB)
- memory/876-57-0x00000000746D0000-0x0000000074DBE000-memory.dmp (Filesize 6.9MB)
- memory/876-15-0x0000000000000000-mapping.dmp
- memory/1176-3-0x0000000000000000-mapping.dmp
- memory/1184-21-0x0000000000190000-0x00000000001B6000-memory.dmp (Filesize 152KB)
- memory/1184-27-0x0000000000190000-0x00000000001B6000-memory.dmp (Filesize 152KB)
- memory/1184-29-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize 4KB)
- memory/1184-26-0x00000000744B0000-0x0000000074B9E000-memory.dmp (Filesize 6.9MB)
- memory/1332-80-0x000000000042800A-mapping.dmp
- memory/1392-47-0x0000000000000000-mapping.dmp
- memory/1552-73-0x000000000042800A-mapping.dmp
- memory/1552-83-0x0000000000400000-0x00000000004EA000-memory.dmp (Filesize 936KB)
- memory/1580-7-0x0000000000000000-mapping.dmp
- memory/1600-38-0x0000000000770000-0x0000000000772000-memory.dmp (Filesize 8KB)
- memory/1600-34-0x00000000744B0000-0x0000000074B9E000-memory.dmp (Filesize 6.9MB)
- memory/1600-41-0x0000000008020000-0x000000000810F000-memory.dmp (Filesize 956KB)
- memory/1600-31-0x0000000000000000-mapping.dmp
- memory/1600-39-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize 4KB)
- memory/1600-35-0x0000000001150000-0x0000000001151000-memory.dmp (Filesize 4KB)
- memory/1600-40-0x00000000082B0000-0x00000000083A2000-memory.dmp (Filesize 968KB)
- memory/1600-37-0x00000000004E0000-0x00000000004E1000-memory.dmp (Filesize 4KB)
- memory/1684-58-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize 4KB)
- memory/1684-52-0x0000000000000000-mapping.dmp
- memory/1684-55-0x00000000746D0000-0x0000000074DBE000-memory.dmp (Filesize 6.9MB)
- memory/1684-64-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (Filesize 4KB)
- memory/1696-10-0x0000000000000000-mapping.dmp
- memory/1776-49-0x0000000000000000-mapping.dmp
- memory/1776-6-0x0000000000000000-mapping.dmp
- memory/1788-44-0x000000000042800A-mapping.dmp
- memory/1788-48-0x0000000000400000-0x00000000004EA000-memory.dmp (Filesize 936KB)
- memory/1788-43-0x0000000000400000-0x00000000004EA000-memory.dmp (Filesize 936KB)
- memory/1840-50-0x0000000000000000-mapping.dmp
- memory/1980-4-0x0000000000000000-mapping.dmp
- memory/2020-51-0x0000000000000000-mapping.dmp