Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 21:55
Static task
static1
Behavioral task
behavioral1
Sample
e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
Resource
win10v20210408
General
-
Target
e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
-
Size
286KB
-
MD5
68ea7b6eb8bd48a2606c8cf073867a83
-
SHA1
ec78be2637220d1b6572a9db7b6cd8284fd1b2a4
-
SHA256
e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a
-
SHA512
040c0c67c858059bf801a7a4b8f6b82fe89ce053b0654d098f3ecefba3f0a82539251e508c888dc54d6e16b8174089891d997a5d03df1cdc5bf41f58804496ac
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
700$
65.21.231.57:60751
Extracted
redline
178.132.3.103:80
Extracted
raccoon
f6d7183c9e82d2a9b81e6c0608450aa66cefb51f
-
url4cnc
https://t.me/justoprostohello
Extracted
redline
2k superstar
185.244.180.224:39957
Extracted
raccoon
d4d8e30c16491ca1c11f7aa675764335342faedf
-
url4cnc
https://t.me/hcdrom1
Extracted
raccoon
5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
-
url4cnc
https://t.me/agrybirdsgamerept
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
resource yara_rule behavioral1/memory/3748-132-0x0000000000540000-0x0000000000562000-memory.dmp family_redline behavioral1/memory/3748-137-0x000000000055C5CA-mapping.dmp family_redline behavioral1/memory/2060-146-0x0000000002170000-0x000000000218F000-memory.dmp family_redline behavioral1/memory/2060-153-0x0000000002490000-0x00000000024AE000-memory.dmp family_redline behavioral1/memory/3424-186-0x00000000048B0000-0x00000000048CF000-memory.dmp family_redline behavioral1/memory/3424-188-0x0000000004B60000-0x0000000004B7E000-memory.dmp family_redline -
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
pid Process 2060 D9F0.exe 2656 DDB9.exe 3956 EE54.exe 3188 F7DB.exe 3424 FF1F.exe 648 7DB.exe 3600 129A.exe 2692 1829.exe 4524 j130t6D6Pk.exe 4192 sihost.exe -
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 129A.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 129A.exe -
Deletes itself 1 IoCs
pid Process 2428 Process not Found -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DB.vbs 7DB.exe -
Loads dropped DLL 6 IoCs
pid Process 3188 F7DB.exe 3188 F7DB.exe 3188 F7DB.exe 3188 F7DB.exe 3188 F7DB.exe 3188 F7DB.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\7DB = "\"C:\\Users\\Admin\\AppData\\Roaming\\7DB.exe\"" 7DB.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 129A.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rdpclip.exe powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3600 129A.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 632 set thread context of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 2656 set thread context of 3748 2656 DDB9.exe 75 -
Drops file in Windows directory 8 IoCs
description ioc Process File created C:\Windows\branding\wupsvc.jpg powershell.exe File opened for modification C:\Windows\branding\Basebrd powershell.exe File opened for modification C:\Windows\branding\ShellBrd powershell.exe File opened for modification C:\Windows\branding\mediasrv.png powershell.exe File opened for modification C:\Windows\branding\mediasvc.png powershell.exe File opened for modification C:\Windows\branding\wupsvc.jpg powershell.exe File created C:\Windows\branding\mediasrv.png powershell.exe File created C:\Windows\branding\mediasvc.png powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4692 schtasks.exe 4236 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4588 timeout.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance Process not Found -
Modifies registry key 1 TTPs 1 IoCs
pid Process 4716 reg.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 804 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 804 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2428 Process not Found -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 616 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 804 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeDebugPrivilege 2116 powershell.exe Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeDebugPrivilege 2060 D9F0.exe Token: SeDebugPrivilege 3748 RegSvcs.exe Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeDebugPrivilege 3424 FF1F.exe Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeDebugPrivilege 648 7DB.exe Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found Token: SeCreatePagefilePrivilege 2428 Process not Found Token: SeShutdownPrivilege 2428 Process not Found -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found 2428 Process not Found -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2428 Process not Found 2428 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 632 wrote to memory of 804 632 e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe 68 PID 2428 wrote to memory of 2060 2428 Process not Found 71 PID 2428 wrote to memory of 2060 2428 Process not Found 71 PID 2428 wrote to memory of 2060 2428 Process not Found 71 PID 2428 wrote to memory of 2656 2428 Process not Found 73 PID 2428 wrote to memory of 2656 2428 Process not Found 73 PID 2428 wrote to memory of 2656 2428 Process not Found 73 PID 2428 wrote to memory of 3956 2428 Process not Found 74 PID 2428 wrote to memory of 3956 2428 Process not Found 74 PID 2428 wrote to memory of 3956 2428 Process not Found 74 PID 2656 wrote to memory of 3748 2656 DDB9.exe 75 PID 2656 wrote to memory of 3748 2656 DDB9.exe 75 PID 2656 wrote to memory of 3748 2656 DDB9.exe 75 PID 2656 wrote to memory of 3748 2656 DDB9.exe 75 PID 2656 wrote to memory of 3748 2656 DDB9.exe 75 PID 2428 wrote to memory of 3188 2428 Process not Found 77 PID 2428 wrote to memory of 3188 2428 Process not Found 77 PID 2428 wrote to memory of 3188 2428 Process not Found 77 PID 2428 wrote to memory of 3424 2428 Process not Found 78 PID 2428 wrote to memory of 3424 2428 Process not Found 78 PID 2428 wrote to memory of 3424 2428 Process not Found 78 PID 2428 wrote to memory of 648 2428 Process not Found 81 PID 2428 wrote to memory of 648 2428 Process not Found 81 PID 2428 wrote to memory of 3600 2428 Process not Found 83 PID 2428 wrote to memory of 3600 2428 Process not Found 83 PID 2428 wrote to memory of 3600 2428 Process not Found 83 PID 2428 wrote to memory of 2692 2428 Process not Found 84 PID 2428 wrote to memory of 2692 2428 Process not Found 84 PID 2428 wrote to memory of 2692 2428 Process not Found 84 PID 3956 wrote to memory of 2116 3956 EE54.exe 85 PID 3956 wrote to memory of 2116 3956 EE54.exe 85 PID 3956 wrote to memory of 2116 3956 EE54.exe 85 PID 2116 wrote to memory of 4316 2116 powershell.exe 87 PID 2116 wrote to memory of 4316 2116 powershell.exe 87 PID 2116 wrote to memory of 4316 2116 powershell.exe 87 PID 4316 wrote to memory of 4420 4316 csc.exe 88 PID 4316 wrote to memory of 4420 4316 csc.exe 88 PID 4316 wrote to memory of 4420 4316 csc.exe 88 PID 3188 wrote to memory of 4524 3188 F7DB.exe 89 PID 3188 wrote to memory of 4524 3188 F7DB.exe 89 PID 3188 wrote to memory of 4524 3188 F7DB.exe 89 PID 3188 wrote to memory of 4548 3188 F7DB.exe 91 PID 3188 wrote to memory of 4548 3188 F7DB.exe 91 PID 3188 wrote to memory of 4548 3188 F7DB.exe 91 PID 4548 wrote to memory of 4588 4548 cmd.exe 92 PID 4548 wrote to memory of 4588 4548 cmd.exe 92 PID 4548 wrote to memory of 4588 4548 cmd.exe 92 PID 4524 wrote to memory of 4692 4524 j130t6D6Pk.exe 93 PID 4524 wrote to memory of 4692 4524 j130t6D6Pk.exe 93 PID 4524 wrote to memory of 4692 4524 j130t6D6Pk.exe 93 PID 2116 wrote to memory of 4776 2116 powershell.exe 95 PID 2116 wrote to memory of 4776 2116 powershell.exe 95 PID 2116 wrote to memory of 4776 2116 powershell.exe 95 PID 2116 wrote to memory of 3716 2116 powershell.exe 100 PID 2116 wrote to memory of 3716 2116 powershell.exe 100 PID 2116 wrote to memory of 3716 2116 powershell.exe 100 PID 2116 wrote to memory of 4528 2116 powershell.exe 102 PID 2116 wrote to memory of 4528 2116 powershell.exe 102 PID 2116 wrote to memory of 4528 2116 powershell.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:804
-
-
C:\Users\Admin\AppData\Local\Temp\D9F0.exeC:\Users\Admin\AppData\Local\Temp\D9F0.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
C:\Users\Admin\AppData\Local\Temp\DDB9.exeC:\Users\Admin\AppData\Local\Temp\DDB9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3748
-
-
C:\Users\Admin\AppData\Local\Temp\EE54.exeC:\Users\Admin\AppData\Local\Temp\EE54.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.cmdline"3⤵
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\CSCFB9CD46ACCC74A099EECC47747E335D2.TMP"4⤵PID:4420
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵PID:4776
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵PID:3716
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵PID:4528
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵PID:1836
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
PID:4716
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵PID:4588
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵PID:4572
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵PID:3692
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵PID:4892
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵PID:4936
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵PID:5028
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵PID:5052
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵PID:5080
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵PID:5096
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵PID:5112
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵PID:4900
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵PID:5004
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵PID:4432
-
-
-
C:\Users\Admin\AppData\Local\Temp\F7DB.exeC:\Users\Admin\AppData\Local\Temp\F7DB.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3188 -
C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe"C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"3⤵
- Creates scheduled task(s)
PID:4692
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F7DB.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:4588
-
-
-
C:\Users\Admin\AppData\Local\Temp\FF1F.exeC:\Users\Admin\AppData\Local\Temp\FF1F.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424
-
C:\Users\Admin\AppData\Local\Temp\7DB.exeC:\Users\Admin\AppData\Local\Temp\7DB.exe1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:648
-
C:\Users\Admin\AppData\Local\Temp\129A.exeC:\Users\Admin\AppData\Local\Temp\129A.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3600
-
C:\Users\Admin\AppData\Local\Temp\1829.exeC:\Users\Admin\AppData\Local\Temp\1829.exe1⤵
- Executes dropped EXE
PID:2692
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe1⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"2⤵
- Creates scheduled task(s)
PID:4236
-